System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
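The comparison described above, as an added worked example (not the UHT Journal's own tooling). It treats each 8-character hex code as a 32-bit trait mask, computes the Jaccard similarity as set-bits-in-common over set-bits-in-either, and reports which traits differ grouped by layer. The only assumption beyond the text is bit numbering: bit 1 is taken to be the most significant bit of the code (the leftmost hex digit), so the Physical layer is the first two hex digits. The sample input is the pair of stakeholder hex codes assigned later in this report.

```python
"""UHT hex-code comparison: Jaccard similarity over 32 binary traits.

Added illustration, not the UHT Journal's own code. Assumes bit 1 is the
most significant bit of the 8-character hex code (leftmost hex digit), so
Physical = bits 1-8, Functional = 9-16, Abstract = 17-24, Social = 25-32.
"""
from itertools import combinations
from typing import Dict, List, Tuple

LAYERS: List[Tuple[str, int, int]] = [
    ("Physical", 1, 8), ("Functional", 9, 16), ("Abstract", 17, 24), ("Social", 25, 32),
]


def traits(code: str) -> int:
    """Parse an 8-character hex code into a 32-bit trait mask."""
    if len(code) != 8:
        raise ValueError(f"expected 8 hex characters, got {code!r}")
    return int(code, 16)


def bit_set(mask: int, bit: int) -> bool:
    """True if trait `bit` (1..32, MSB-first by assumption) is present in mask."""
    return (mask >> (32 - bit)) & 1 == 1


def jaccard(a: str, b: str) -> float:
    """|A and B| / |A or B| over the set bits of two trait masks."""
    x, y = traits(a), traits(b)
    union = bin(x | y).count("1")
    return bin(x & y).count("1") / union if union else 1.0


def layer_diff(a: str, b: str) -> Dict[str, List[int]]:
    """Traits that differ between two codes, grouped by UHT layer."""
    diff = traits(a) ^ traits(b)
    out: Dict[str, List[int]] = {}
    for name, lo, hi in LAYERS:
        bits = [n for n in range(lo, hi + 1) if bit_set(diff, n)]
        if bits:
            out[name] = bits
    return out


def ontological_twins(codes: Dict[str, str], threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """Component pairs whose Jaccard similarity is at or above threshold, most similar first."""
    pairs = [(p, q, jaccard(codes[p], codes[q])) for p, q in combinations(sorted(codes), 2)]
    return sorted([t for t in pairs if t[2] >= threshold], key=lambda t: -t[2])


# Constructed input: the two stakeholder hex codes this report assigns.
SAMPLE_CODES = {"Production Supervisor": "018D5AF9", "Quality Control Analyst": "008D3AF9"}

if __name__ == "__main__":
    for p, q, s in ontological_twins(SAMPLE_CODES):
        print(f"{p} vs {q}: Jaccard {s:.4f}, differing traits "
              f"{layer_diff(SAMPLE_CODES[p], SAMPLE_CODES[q])}")
```

For the two stakeholder codes the masks share 13 traits out of 16 set in either, a Jaccard similarity of 0.8125; under the MSB-first assumption the three differing traits fall in the Physical and Abstract layers. Identical codes score 1.0, which is the "ontological twin" case the text describes.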
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
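The EARS classification and the derivation chain above can both be checked mechanically. The following is an added example (not AIRGen's or the UHT Journal's own tooling): it classifies each requirement statement by its EARS pattern from the leading keyword, pulls upstream references out of the "Rationale:" clause in the two spellings this report uses ("STK-002" and "STK-REQ-004"), and reports orphans (a SYS/SUB/IFC requirement with no parent), dangling links (a parent that does not exist) and uncovered stakeholder needs (an STK with no child). The sample rows are abbreviated copies of rows from this report's tables.

```python
"""EARS pattern classification and derivation-chain checks over requirement rows.

Added illustration, not AIRGen's or the UHT Journal's own tooling. Works on the
columns this report uses: a reference and a requirement text whose normative
statement is followed by a "Rationale:" clause carrying the trace references.
"""
import re
from typing import Dict, List, Tuple

# EARS pattern by leading keyword; any other statement containing SHALL is "ubiquitous".
EARS_PATTERNS = [("When ", "event-driven"), ("While ", "state-driven"),
                 ("If ", "unwanted-behaviour"), ("Where ", "optional-feature")]
REF_RE = re.compile(r"\b(STK|SYS|SUB|IFC)-(?:REQ-)?(\d{3})\b")  # STK-002 or STK-REQ-002
HAZ_RE = re.compile(r"\bH-\d{3}\b")
PARENT_LEVEL = {"SYS": "STK", "SUB": "SYS", "IFC": "SYS"}  # STK has no upstream requirement


def split_row(text: str) -> Tuple[str, str]:
    """Separate the normative statement from its rationale."""
    stmt, _, rationale = text.partition("Rationale:")
    return stmt.strip(), rationale.strip()


def classify_ears(text: str) -> str:
    stmt, _ = split_row(text)
    if " SHALL " not in stmt:
        return "non-conforming"  # no normative keyword, so not an EARS statement
    for prefix, name in EARS_PATTERNS:
        if stmt.startswith(prefix):
            return name
    return "ubiquitous"


def upstream_links(text: str) -> List[str]:
    """Requirement references in the rationale, normalised to XXX-REQ-NNN."""
    _, rationale = split_row(text)
    return sorted({f"{lvl}-REQ-{num}" for lvl, num in REF_RE.findall(rationale)})


def hazard_links(text: str) -> List[str]:
    _, rationale = split_row(text)
    return sorted(set(HAZ_RE.findall(rationale)))


def trace_report(reqs: Dict[str, str]) -> Dict[str, List[str]]:
    """Orphans (no upstream link), dangling links (target missing), uncovered STK needs."""
    covered, orphans, dangling = set(), [], []
    for rid, text in reqs.items():
        parent = PARENT_LEVEL.get(rid.split("-")[0])
        if parent is None:
            continue
        links = [link for link in upstream_links(text) if link.startswith(parent)]
        if not links:
            orphans.append(rid)
        for link in links:
            if link in reqs:
                covered.add(link)
            else:
                dangling.append(f"{rid} -> {link}")
    uncovered = [rid for rid in reqs if rid.startswith("STK") and rid not in covered]
    return {"orphans": orphans, "dangling": dangling, "uncovered": uncovered}


# Constructed input: abbreviated rows taken from this report's STK and SYS tables.
REQS = {
    "STK-REQ-002": "The manufacturing line SHALL maintain electronic batch records (EBRs) that fully "
                   "comply with FDA 21 CFR Part 11 and EU Annex 11. Rationale: Derived from Electronic "
                   "batch record data integrity failure hazard.",
    "STK-REQ-005": "When an emergency condition is detected, the manufacturing line SHALL achieve a full "
                   "controlled stop of all process equipment within 10 seconds. Rationale: Derived from "
                   "Emergency Stop mode.",
    "SYS-REQ-002": "The system SHALL generate, execute, and archive electronic batch records (EBRs). "
                   "Rationale: Derived from STK-002 (21 CFR Part 11 / EU Annex 11 EBR compliance).",
    "SYS-REQ-005": "When an emergency stop is triggered, the system SHALL de-energise all drive systems "
                   "within 3 seconds. Rationale: Derived from STK-005 (emergency stop <= 10 seconds) and "
                   "EN ISO 13850.",
    "SYS-REQ-006": "While in Normal Production mode, the system SHALL continuously monitor cleanroom "
                   "differential pressure. Rationale: Derived from STK-011 (ISO Class 7 cleanroom "
                   "maintenance) and H-005.",
    "SYS-REQ-013": "The system SHALL maintain worker occupational exposure below the compound-specific "
                   "OEL. Rationale: Worker protection is a primary stakeholder requirement (H-001, H-003).",
}

if __name__ == "__main__":
    for rid, text in REQS.items():
        print(rid, classify_ears(text), upstream_links(text), hazard_links(text))
    print(trace_report(REQS))
```

Run over the sample rows the report flags SYS-REQ-013 as an orphan (it cites hazards but no stakeholder need) and SYS-REQ-006 as pointing at an STK that is not in the sample; the same two findings are what a reviewer should look for in the full matrices at the end of the report.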
| Standard | Title |
|---|---|
| EN 14034 | Determination of explosion characteristics of dust clouds |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-4 | Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 4: Definitions and abbreviations |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 62061 | Safety of machinery: Functional safety of safety-related control systems |
| IEC 62443-3-3 | Security for industrial automation and control systems, Part 3-3: System security requirements and security levels |
| IEC 62443-4-2 | Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components |
| ISO 10993 | Biological evaluation of medical devices |
| ISO 13320 | Particle size analysis: Laser diffraction methods |
| ISO 13849-1 | Safety of machinery: Safety-related parts of control systems, Part 1: General principles for design |
| ISO 13850 | Safety of machinery: Emergency stop function, Principles for design |
| ISO 14644-1 | Cleanrooms and associated controlled environments, Part 1: Classification of air cleanliness by particle concentration |
| ISO 14644-2 | Cleanrooms and associated controlled environments, Part 2: Monitoring to provide evidence of cleanroom performance related to air cleanliness by particle concentration |
| ISO/IEC 17025 | General requirements for the competence of testing and calibration laboratories |
| ISO 19005 | Document management: Electronic document file format for long-term preservation (PDF/A) |
| ISO 7731 | Ergonomics: Danger signals for public and work areas, Auditory danger signals |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| ATEX | Equipment and protective systems intended for use in potentially explosive atmospheres (Directive 2014/34/EU) |
| CCCS | Completeness, Consistency, Correctness, Stability |
| COSHH | Control of Substances Hazardous to Health |
| CPP | Critical Process Parameter |
| CQA | Critical Quality Attribute |
| DSCSA | Drug Supply Chain Security Act |
| EARS | Easy Approach to Requirements Syntax |
| EBR | Electronic Batch Record |
| EMA | European Medicines Agency |
| FMD | Falsified Medicines Directive |
| GTIN | Global Trade Item Number |
| HFT | Hardware Fault Tolerance |
| IFC | Interface Requirements |
| IQ | Installation Qualification |
| LEL | Lower Explosion Limit |
| LIMS | Laboratory Information Management System |
| LOTO | Lockout/Tagout |
| MACO | Maximum Allowable Carry-Over |
| MES | Manufacturing Execution System |
| OEB | Occupational Exposure Band |
| OEE | Overall Equipment Effectiveness |
| OEL | Occupational Exposure Limit |
| PAT | Process Analytical Technology |
| PCS | Process Control System |
| PL | Performance Level (EN ISO 13849-1) |
| SIL | Safety Integrity Level (IEC 61508) |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| TOC | Total Organic Carbon |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Production Supervisor | primary line operator, initiates/manages batch records, authorises production decisions (from Normal Production and Degraded scenarios) | 018D5AF9 |
| Quality Control Analyst | monitors PAT data, performs lab testing, sampling, cleaning validation analysis (from all production and changeover scenarios) | 008D3AF9 |
| Maintenance Technician | performs equipment repair, tooling changes, calibration, LOTO procedures (from Tablet Press Jam and Maintenance scenarios) | — |
| Regulatory Inspector (FDA/EMA) | audits manufacturing compliance, reviews data integrity, batch records, validation — not in daily operations but drives all design requirements | — |
| Patient | ultimate beneficiary, no direct system interaction but drives all quality/safety requirements — product quality specifications are proxies for patient safety | — |
| EHS Officer | manages occupational safety, containment strategy, exposure monitoring, emergency response (from Containment Breach Emergency scenario) | — |
| Material Handler | receives, verifies, and dispenses raw materials to production line (from Normal Production scenario) | — |
| Category | Constraint |
|---|---|
| Physical | ISO Class 7/8 cleanroom, 18-25°C ±2°C, 30-65% RH, +15Pa differential pressure, 20 ACH with HEPA filtration, continuous particle/environmental monitoring |
| Regulatory | FDA 21 CFR 210/211/11, EU GMP Annex 15, ICH Q8-Q12, ISPE GAMP 5, ATEX Directive 2014/34/EU for dust explosion zones, IEC 62443 for industrial cybersecurity |
| Power | 480V 3-phase for major equipment (tablet press 30kW, coating pan 50kW, HVAC 200kW), UPS for SCADA/MES/PAT systems (30min ride-through minimum), emergency generator for HVAC and containment systems |
| Network | segregated OT network (ISA/IEC 62443 zones and conduits), air-gapped PLC networks, MES/ERP integration via DMZ, 21 CFR Part 11 compliant user authentication, audit trail on all GxP systems |
| Operational | 16-24 hour production days, 2-3 shift operation, campaign length 3-14 days, changeover 8-24 hours, annual shutdown 2-4 weeks for major maintenance, target OEE >70% |
| System | Interface | Hex Code |
|---|---|---|
| ERP System (SAP/Oracle) | production orders and BOM inbound, batch records and consumption outbound, OPC-UA/REST via DMZ, owned by corporate IT, 99.5% availability | — |
| LIMS | sample requests outbound, test results and disposition inbound, HL7/REST API, owned by QC laboratory, critical for batch release decisions | — |
| Building Utilities | HVAC (conditioned air supply/return), purified water (USP), compressed air (ISO 8573-1 Class 1.2.1), nitrogen, clean steam — shared infrastructure, utility department owned | — |
| Serialisation System | serial number requests outbound, unique identifiers inbound, EPCIS events uploaded to national registries, EU FMD/US DSCSA compliance, supply chain owned | — |
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Airborne potent compound exposure from containment breach during tablet compression, material transfer, or cleaning | critical | low | SIL 2 | all material transfer stopped, containment isolators sealed, HVAC switched to full exhaust with HEPA filtration, operators evacuate to clean zone |
| H-002: Cross-contamination of drug product with residual API from previous campaign | catastrophic | low | SIL 3 | batch quarantined, line locked out pending full cleaning validation with HPLC confirmation below acceptance limit |
| H-003: Dust explosion from fine pharmaceutical powder exceeding LEL in enclosed equipment with ignition source present | catastrophic | rare | SIL 2 | equipment de-energised, nitrogen inerting activated, explosion vents open, dust extraction at maximum flow |
| H-004: Out-of-specification product released due to PAT system failure or calibration drift | catastrophic | low | SIL 3 | batch quarantined for offline laboratory testing, real-time release suspended, production continues only with traditional QC release until PAT recalibrated and verified |
| H-005: Loss of cleanroom environmental control (pressure cascade, temperature, humidity) causing microbial contamination or product degradation | major | medium | SIL 1 | product exposure points sealed, HVAC alarm initiates automatic damper closure, exposed product quarantined, production halted until environmental conditions restored and verified |
| H-006: Electronic batch record data integrity failure — corrupted, incomplete, or falsified manufacturing records | critical | medium | SIL 2 | system switches to verified paper backup records, electronic system locked for forensic investigation, affected batches quarantined pending data integrity review |
| H-007: Operator mechanical entrapment in tablet press turret, compression rollers, or granulator impeller | critical | low | SIL 2 | all rotating equipment de-energised and mechanically braked, safety interlocks prevent restart until guards closed and confirmed, LOTO applied for maintenance access |
```mermaid
flowchart TB
  n0["system<br>Pharmaceutical Manufacturing Line"]
  n1["actor<br>Production Supervisor"]
  n2["actor<br>QC Analyst"]
  n3["actor<br>Maintenance Technician"]
  n4["actor<br>EHS Officer"]
  n5["actor<br>Material Handler"]
  n6["actor<br>Regulatory Inspector"]
  n7["system<br>ERP System"]
  n8["system<br>LIMS"]
  n9["system<br>Building Utilities"]
  n10["system<br>Serialisation System"]
  n11["actor<br>Patient"]
  n0 -->|batch records and consumption outbound| n7
  n7 -->|production orders and BOM inbound| n0
  n0 -->|sample requests outbound| n8
  n8 -->|test results and disposition inbound| n0
  n9 -->|HVAC, purified water, compressed air, nitrogen| n0
  n0 -->|EPCIS events and serial number requests| n10
  n10 -->|unique identifiers inbound| n0
  n1 -->|batch release decisions and production control| n0
  n2 -->|in-process and release testing| n0
  n3 -->|maintenance and LOTO procedures| n0
  n4 -->|EHS oversight and incident reporting| n0
  n5 -->|raw material dispensing and transfer| n0
  n6 -->|GMP audit and 21 CFR Part 11 inspection| n0
  n0 -->|finished pharmaceutical product| n11
```
Pharmaceutical Manufacturing Line — Context
```mermaid
flowchart TB
  n0["system<br>Pharmaceutical Manufacturing Line"]
  n1["subsystem<br>Material Handling and Dispensing"]
  n2["subsystem<br>Granulation and Blending"]
  n3["subsystem<br>Tablet Compression"]
  n4["subsystem<br>Film Coating"]
  n5["subsystem<br>Packaging and Serialisation"]
  n6["subsystem<br>Process Analytical Technology"]
  n7["subsystem<br>Manufacturing Execution System"]
  n8["subsystem<br>Containment and Environmental Control"]
  n9["subsystem<br>Material Handling and Dispensing Subsystem"]
  n10["subsystem<br>Granulation and Blending Subsystem"]
  n11["subsystem<br>Tablet Compression Subsystem"]
  n12["subsystem<br>Process Analytical Technology Subsystem"]
  n13["subsystem<br>Film Coating Subsystem"]
  n14["subsystem<br>Containment and Environmental Control Subsystem"]
  n15["subsystem<br>Packaging and Serialisation Subsystem"]
  n0 --> n1
  n0 --> n2
  n0 --> n3
  n0 --> n4
  n0 --> n5
  n0 --> n6
  n0 --> n7
  n0 --> n8
  n1 -->|powder| n2
  n2 -->|granules| n3
  n3 -->|tablets| n4
  n4 -->|coated tablets| n5
  n9 -->|weighed API and excipients| n10
  n10 -->|dried granulate target PSD| n11
  n11 -->|tablet cores| n13
  n13 -->|coated tablets| n15
  n10 -->|in-process samples NIR/Raman| n12
  n14 -->|conditioned air and pressure differential| n10
  n0 -->|CONTAINS| n9
  n0 -->|CONTAINS| n10
  n0 -->|CONTAINS| n11
  n0 -->|CONTAINS| n12
  n0 -->|CONTAINS| n13
  n0 -->|CONTAINS| n14
  n0 -->|CONTAINS| n15
```
Pharmaceutical Manufacturing Line Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Process Analytical Technology Subsystem | diagram-1774435062520 | SIL 3 | complete |
| Manufacturing Execution System | diagram-1774435062963 | SIL 2 | complete |
| Granulation and Blending Subsystem | diagram-1774438734122 | SIL 2 | complete |
| Tablet Compression Subsystem | diagram-1774451064357 | SIL 2 | complete |
| Material Handling and Dispensing Subsystem | pending | — | pending |
| Film Coating Subsystem | pending | — | pending |
| Packaging and Serialisation Subsystem | pending | — | pending |
| Containment and Environmental Control Subsystem | diagram-1774480118684 | SIL 2 | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The manufacturing line SHALL achieve a minimum Overall Equipment Effectiveness (OEE) of 75% during Normal Production mode, measured over a rolling 30-day production period. Rationale: Production Supervisor and Plant Manager stakeholder need: 75% OEE is the pharmaceutical industry minimum acceptable threshold for commercial viability; falling below this threshold jeopardises product supply continuity and plant economics. Derived from Normal Production Campaign scenario (300,000 tablets/day ibuprofen campaign). | Test | idempotency:stk-pharma-oee-001 |
| STK-REQ-002 | The manufacturing line SHALL maintain electronic batch records (EBRs) that fully comply with FDA 21 CFR Part 11 and EU Annex 11, providing a complete, unbroken audit trail for every production batch from material receipt to product release. Rationale: FDA/EMA Regulatory Inspector stakeholder need: 21 CFR Part 11 and Annex 11 are mandatory legal requirements for electronic records in pharmaceutical manufacturing. An incomplete audit trail constitutes a critical GMP deficiency that can trigger a warning letter, consent decree, or product recall. Derived from Electronic batch record data integrity failure hazard. | Inspection | idempotency:stk-pharma-ebr-002 |
| STK-REQ-003 | The manufacturing line SHALL perform continuous real-time in-process quality monitoring using Process Analytical Technology (PAT) instruments, with automatic batch diversion when any critical quality attribute (CQA) exceeds its acceptance limit. Rationale: QC Analyst stakeholder need: real-time PAT monitoring prevents out-of-specification product from reaching patients. Automatic diversion on CQA breach eliminates the latency of offline laboratory testing. Derived from Out-of-specification dosage form released to market hazard and PAT Sensor Drift Degraded Operation scenario. | Test | idempotency:stk-pharma-pat-003 |
| STK-REQ-004 | The manufacturing line SHALL maintain containment integrity for potent compounds with Occupational Exposure Limit (OEL) below 1 µg/m³, achieving an airborne concentration at operator breathing zone of less than 10% of OEL during all production, maintenance, and changeover operations. Rationale: EHS Officer stakeholder need: potent compound airborne exposure is the primary occupational health risk in pharmaceutical manufacturing. MoP basis: OEB 1-5 classification scale is the industry-standard banding system defined in ISPE Risk-MaPP Baseline Guide and referenced in EMA (European Medicines Agency) Guideline on Setting Health Based Exposure Limits; OEL banding requires corresponding containment strategy per COSHH Regulation 7 engineering controls hierarchy. | Test | reqs-eng-session-566 |
| STK-REQ-005 | When an emergency condition is detected, the manufacturing line SHALL achieve a full controlled stop of all process equipment within 10 seconds, isolating energy sources and securing product-contact surfaces. Rationale: EHS Officer and Production Supervisor stakeholder need: the 10-second figure is the stop-time budget adopted for this line. The emergency stop function itself is designed to EN ISO 13850; the performance level of its control circuit is assessed under EN ISO 13849-1, since EN ISO 13850 does not define performance levels. Slow emergency stop risks operator injury and product contamination. Derived from Emergency Stop mode and Tablet Press Mechanical Jam Failure scenario. | Test | idempotency:stk-pharma-estop-005 |
| STK-REQ-006 | The manufacturing line SHALL comply with EU GMP Annex 1 (for sterile areas if applicable), EU GMP Annex 15 (validation), FDA Guidance on Process Validation, and ICH Q10 pharmaceutical quality system requirements throughout its operational lifecycle. Rationale: FDA/EMA Regulatory Inspector stakeholder need: compliance with GMP regulations is a legal prerequisite for product release; non-compliance results in regulatory action up to facility closure. Derived from Pharmaceutical regulatory compliance framework entity. | Inspection | idempotency:stk-pharma-gmp-006 |
| STK-REQ-007 | The manufacturing line SHALL support validated product changeover procedures that achieve cross-contamination residue levels below 10 ppm (API to API) or the toxicological threshold of 0.1% of minimum daily therapeutic dose of the previous product, whichever is lower. Rationale: QC Analyst and Production Supervisor stakeholder need: cross-contamination limits are defined by MACO (Maximum Allowable Carry-Over) calculations per EMA cleaning validation guideline. Exceeding these limits causes drug product adulteration. Derived from Cross-contamination between drug products hazard and Product Changeover Cleaning Validation scenario. | Test | idempotency:stk-pharma-changeover-007 |
| STK-REQ-008 | The manufacturing line SHALL integrate with the external drug serialisation system to apply unique identifiers to 100% of saleable units and report serialisation data compliant with EU FMD (Delegated Regulation 2016/161) and US DSCSA (21 USC 360eee) within 24 hours of packaging completion. Rationale: FDA/EMA Regulatory Inspector stakeholder need: serialization is a legal requirement for drug traceability and anti-counterfeiting. Failure to serialize 100% of units within 24 hours creates regulatory violations and prevents product distribution. Derived from Drug serialization and track-and-trace system external entity. | Test | idempotency:stk-pharma-serial-008 |
| STK-REQ-009 | When a non-critical equipment fault or PAT sensor degradation is detected, the manufacturing line SHALL maintain production capability at a minimum of 50% nominal throughput while operating under enhanced manual in-process testing protocols, until the fault is rectified. Rationale: Production Supervisor stakeholder need: partial production capability prevents complete supply chain disruption during minor equipment faults. 50% minimum throughput is the commercial viability threshold for continued manufacturing against urgent patient supply orders. Derived from Degraded Production mode and PAT Sensor Drift scenario. | Test | idempotency:stk-pharma-degraded-009 |
| STK-REQ-010 | The manufacturing line SHALL maintain bidirectional traceability of all raw materials, intermediates, and finished product, enabling complete batch genealogy reconstruction — identifying all equipment, operators, and materials involved in any given batch — within 4 hours of a recall investigation request. Rationale: GMP Material Handler and Regulatory Inspector stakeholder need: bidirectional traceability is required by FDA 21 CFR 211.188 and EU GMP Chapter 4. The 4-hour reconstruction requirement aligns with FDA CDER recall assessment timelines; failure to produce genealogy delays field corrections and increases recall scope. | Test | idempotency:stk-pharma-traceability-010 |
| STK-REQ-011 | While operating in Normal Production mode, the manufacturing line SHALL maintain cleanroom conditions at ISO Class 7 (EU GMP Grade C at rest, ≤352,000 particles ≥0.5µm/m³) with positive pressure differential of at least 15 Pa relative to adjacent unclassified areas. Rationale: QC Analyst and EHS Officer stakeholder need: ISO Class 7 is the classification adopted as the design basis for this tablet and capsule line. EU GMP prescribes classified grades for sterile manufacture (Annex 1); for non-sterile solid dosage forms the classification is a risk-based design decision, which is why it is fixed here as a stakeholder requirement. Positive pressure prevents particulate ingress. Loss of pressure differential is a critical GMP excursion requiring batch investigation. Derived from Cleanroom environmental control failure hazard. | Test | idempotency:stk-pharma-cleanroom-011 |
| STK-REQ-012 | The manufacturing line SHALL provide documented lockout/tagout (LOTO) procedures and physical isolation points for all energy sources on every equipment unit, achieving a machinery safety performance level of PLd per EN ISO 13849-1 for guard interlocking circuits. Rationale: Equipment Maintenance Technician and EHS Officer stakeholder need: LOTO is required by OSHA 29 CFR 1910.147 and EU Machinery Directive 2006/42/EC. PLd is the minimum performance level for pharmaceutical equipment with medium frequency use and moderate injury severity. Derived from Tablet press mechanical entrapment hazard. | Inspection | idempotency:stk-pharma-loto-012 |
| STK-REQ-013 | The manufacturing line SHALL produce finished drug products that comply with pharmacopoeial specifications for tablet hardness, disintegration, dissolution, content uniformity (AV ≤ 15.0 for L1 per Ph.Eur./USP), and potency (98.0–102.0% label claim) for 100% of released batches. Rationale: Patient stakeholder need: pharmacopoeial compliance directly ensures patient safety and therapeutic efficacy. AV ≤ 15.0 at Stage 1 and potency 98-102% are USP/Ph.Eur. release criteria; out-of-range product poses direct patient harm risk including under-dosing and over-dosing. This is the terminal quality gate for all manufactured product. | Test | idempotency:stk-pharma-product-quality-013 |
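STK-REQ-008 above (and SYS-REQ-010 in the system requirements) call for a 2D DataMatrix carrying a GTIN, expiry date, lot number and unique serial number. The following added example (not the line's serialisation vendor's code) shows the two checks that matter for that payload: the GTIN mod-10 check digit, and correct termination of variable-length elements, where a missing FNC1 silently swallows the serial number into the lot field. ASCII GS (0x1D) is used where FNC1 appears inside the encoded data, the AI ordering with fixed-length elements first is a choice made here rather than a rule from this report, and the GTIN, lot and serial values are constructed.

```python
"""GS1 element strings for serialised saleable units (GTIN, expiry, lot, serial).

Added illustration, not the serialisation vendor's implementation. Assembles and
parses the content carried in a GS1 DataMatrix, computes the GTIN mod-10 check
digit, and uses ASCII GS (0x1D) where FNC1 terminates a variable-length field.
"""
from typing import Dict, Tuple

GS = "\x1d"  # stands in for FNC1 between data elements in the encoded payload

# AI -> (max length, fixed-length?) for the four elements the line applies
AI_TABLE: Dict[str, Tuple[int, bool]] = {
    "01": (14, True),   # GTIN-14
    "17": (6, True),    # expiry YYMMDD
    "10": (20, False),  # lot/batch number
    "21": (20, False),  # serial number
}
# GS1 character set 82, the characters a lot or serial may contain
CSET82 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
             "0123456789!\"%&'()*+,-./:;<=>?_")


def gtin_check_digit(data_digits: str) -> int:
    """Mod-10 check digit with weights 3,1,3,... counted from the rightmost data digit."""
    if not data_digits.isdigit():
        raise ValueError("GTIN data digits must be numeric")
    total = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(reversed(data_digits)))
    return (10 - total % 10) % 10


def validate_gtin14(gtin: str) -> bool:
    return len(gtin) == 14 and gtin.isdigit() and gtin_check_digit(gtin[:13]) == int(gtin[13])


def _check_variable(ai: str, value: str) -> None:
    max_len, _ = AI_TABLE[ai]
    if not 1 <= len(value) <= max_len or not set(value) <= CSET82:
        raise ValueError(f"AI {ai} value {value!r} is empty, too long or outside CSET 82")


def build_element_string(gtin14: str, expiry_yymmdd: str, lot: str, serial: str) -> str:
    """Payload to encode: (01)GTIN(17)YYMMDD(10)LOT<GS>(21)SERIAL."""
    if not validate_gtin14(gtin14):
        raise ValueError(f"bad GTIN-14 check digit: {gtin14}")
    if len(expiry_yymmdd) != 6 or not expiry_yymmdd.isdigit():
        raise ValueError("expiry must be YYMMDD")
    _check_variable("10", lot)
    _check_variable("21", serial)
    # Fixed-length AIs first need no separator; the variable-length lot is
    # terminated by FNC1 (GS) because another element follows it.
    return f"01{gtin14}17{expiry_yymmdd}10{lot}{GS}21{serial}"


def parse_element_string(payload: str) -> Dict[str, str]:
    """Decode a payload back into {AI: value}, rejecting unknown AIs and malformed fields."""
    out: Dict[str, str] = {}
    i = 0
    while i < len(payload):
        ai = payload[i:i + 2]
        if ai not in AI_TABLE or ai in out:
            raise ValueError(f"unknown or repeated AI at offset {i}: {ai!r}")
        i += 2
        max_len, fixed = AI_TABLE[ai]
        if fixed:
            value = payload[i:i + max_len]
            if len(value) != max_len or not value.isdigit():
                raise ValueError(f"AI {ai} needs {max_len} digits")
            i += max_len
        else:
            end = payload.find(GS, i)
            end = len(payload) if end == -1 else end
            value = payload[i:end]
            _check_variable(ai, value)
            i = end + 1 if end < len(payload) else end  # skip the separator
        out[ai] = value
    if "01" in out and not validate_gtin14(out["01"]):
        raise ValueError("GTIN check digit failed")
    return out


def is_valid_payload(payload: str) -> bool:
    try:
        parse_element_string(payload)
        return True
    except ValueError:
        return False


def human_readable(fields: Dict[str, str]) -> str:
    """Human-readable interpretation printed beside the code, e.g. (01)0400...(21)SN..."""
    return "".join(f"({ai}){fields[ai]}" for ai in ("01", "17", "10", "21") if ai in fields)


# Constructed example pack: GTIN, lot and serial are illustrative values.
SAMPLE = build_element_string("04006381333931", "271231", "LOT2026A", "SN00000017")

if __name__ == "__main__":
    print(human_readable(parse_element_string(SAMPLE)))
    print("without FNC1:", parse_element_string(SAMPLE.replace(GS, "")))
```

Stripping the separator from the sample does not produce a parse error: the lot field absorbs "21SN00000017" as part of its value and the serial number disappears, which is exactly the failure a verification camera at the packaging line has to catch before the unit is reported as serialised.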
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The system SHALL operate the production sequence — from raw material dispense through granulation, blending, compression, and packaging — at a nominal throughput of 300,000 tablets per shift (12-hour shift), with OEE tracked continuously by the MES and reported hourly. Rationale: Derived from STK-001 (OEE ≥ 75%). 300,000 tablets/12-hour shift is the system design capacity from the Normal Production Campaign scenario; OEE tracking is the mechanism by which compliance with the 75% OEE threshold is measured and demonstrated. | Test | idempotency:sys-pharma-throughput-001 |
| SYS-REQ-002 | The system SHALL generate, execute, and archive electronic batch records (EBRs) with electronic signatures, access controls, audit trails, and backup intervals not exceeding 15 minutes, with record integrity verified by cryptographic hash on every write operation. Rationale: Derived from STK-002 (21 CFR Part 11 / EU Annex 11 EBR compliance). Cryptographic hashing on every write and 15-minute backup intervals are the technical controls that satisfy data integrity requirements. A plain per-record hash only detects accidental corruption: a writer who can alter a record can recompute its hash, so to cover the falsification case in H-006 each record's hash must chain to the previous record's and be keyed (HMAC) or signed with a key the record-writing application account does not hold. The 15-minute interval ensures a maximum of 15 minutes of data loss in a catastrophic failure, meeting typical GMP data recovery expectations. | Test | session-564, validation, ver-method-upgraded, ebr, 21cfr11, sil-2, h-006 |
| SYS-REQ-003 | The system SHALL acquire PAT sensor data (NIR, Raman, laser diffraction) at a minimum sample interval of 30 seconds, evaluate CQA models within 5 seconds of acquisition, and actuate automatic batch diversion valves within 2 seconds of a CQA limit exceedance. Rationale: Derived from STK-003 (real-time PAT with automatic diversion). 30-second sampling ensures sufficient time resolution for blend uniformity and granule size monitoring. 5-second model evaluation and 2-second actuation give a total response latency of 7 seconds, which is within the 10-second diversion window before the affected material exits the process vessel. | Test | idempotency:sys-pharma-pat-003 |
| SYS-REQ-004 | The system SHALL maintain negative pressure isolation in potent compound processing enclosures (OEB 4/5 compounds, OEL < 1 µg/m³) with a minimum inward airflow velocity of 0.5 m/s at all open access points, continuous real-time airborne particle monitoring at operator breathing zone, and automatic enclosure lockdown when particle concentration exceeds 20% of OEL alarm threshold. Rationale: Derived from STK-REQ-004 (OEL containment integrity) and H-001 airborne potent compound exposure hazard. MoP basis: 0.5 m/s inward airflow specification derived from EU GMP Annex 1 (2022) Section 4.6 (negative pressure room design for hazardous substances) and COSHH (Control of Substances Hazardous to Health) Regulation 7 engineering control hierarchy; -50 Pa minimum pressure differential consistent with ISPE Risk-MaPP (Baseline Guide for Risk-Based Manufacture of Pharmaceutical Products) OEB 4 containment strategy. | Test | reqs-eng-session-566, h-001 |
| SYS-REQ-005 | When an emergency stop is triggered (by operator actuator, interlock, or automatic safety function), the system SHALL de-energise all drive systems within 3 seconds, close all product-transfer valves within 5 seconds, and achieve full equipment standstill within 10 seconds. Rationale: Derived from STK-005 (emergency stop ≤ 10 seconds) and EN ISO 13850. 3-second drive de-energisation and 5-second valve closure are the subsystem-level allocations of the 10-second total emergency stop time budget. These values are achievable with standard pneumatic valve actuators and safety-rated drive modules. | Test | idempotency:sys-pharma-estop-005 |
| SYS-REQ-006 | While in Normal Production mode, the system SHALL continuously monitor cleanroom differential pressure, temperature (20±2°C), and relative humidity (45±5% RH), generating an alarm within 60 seconds of any parameter exceeding its alert limit, and a production halt within 120 seconds of any parameter exceeding its action limit. Rationale: Derived from STK-011 (ISO Class 7 cleanroom maintenance) and Cleanroom environmental control failure hazard. 60-second alert and 120-second action response times align with EU GMP Annex 1 environmental monitoring expectations. Temperature and humidity affect granule moisture content and tablet hardness; action limits require production halt to protect batch quality. | Test | lint-ack-ontological-mismatch, session-565, lint-ack-normal-production-mode-not-physical, session-567, h-005 |
| SYS-REQ-007 | The system SHALL record and maintain a full batch genealogy database linking every finished product unit to its input raw material lot numbers, equipment IDs, process parameter logs, and operator IDs, enabling recall scope determination for any batch within 4 hours. Rationale: Derived from STK-010 (material traceability). The genealogy database is the technical implementation of bidirectional traceability; it must be queryable to reconstruct batch history within FDA CDER 4-hour recall assessment window. All equipment IDs, operator IDs, and material lot numbers must be captured in real-time during processing. | Test | idempotency:sys-pharma-genealogy-007 |
| SYS-REQ-008 | The system SHALL guide operators through validated cleaning procedures during product changeover, verify cleaning completion via rinse water TOC analysis (≤ 500 µg/L TOC) and swab sampling, and prevent restart of the next production campaign until all cleaning verification steps are electronically signed and recorded in the EBR. Rationale: Derived from STK-007 (cross-contamination limits) and Product Changeover Cleaning Validation scenario. TOC ≤ 500 µg/L is the USP <643> / Ph.Eur. TOC limit for purified water, adopted here as the final-rinse acceptance criterion; the product-specific MACO limit from STK-007 is confirmed by swab sampling. The electronic sign-off lock is the enforcement mechanism ensuring cleaning verification is never skipped or bypassed by an operator. | Test | idempotency:sys-pharma-changeover-008 |
| SYS-REQ-009 | When the PAT subsystem enters sensor-degraded mode, the system SHALL automatically switch to manual in-process testing mode with sampling every 15 minutes, maintain production at ≥ 50% nominal throughput, and alert the Production Supervisor with a prominent EBR annotation, within 30 seconds of sensor degradation detection. Rationale: Derived from STK-009 (degraded production at ≥ 50% throughput) and PAT Sensor Drift Degraded Operation scenario. 15-minute manual sampling interval is the maximum interval consistent with EU GMP in-process testing requirements in the absence of continuous PAT monitoring. 30-second notification ensures operator awareness before manual testing regime begins. | Test | idempotency:sys-pharma-degraded-009 |
| SYS-REQ-010 | The system SHALL apply 2D DataMatrix barcodes encoding a unique serial number, GTIN, lot number, and expiry date to 100% of saleable units at the packaging line, with a barcode verification reject rate of less than 0.5% and aggregation data uploaded to the external serialization system within 2 hours of packaging lot completion. Rationale: Derived from STK-008 (EU FMD / US DSCSA serialization). GS1 DataMatrix is the mandated barcode standard under EU FMD Delegated Regulation 2016/161. 0.5% reject rate is the equipment supplier performance specification; 2-hour upload window satisfies the 24-hour regulatory reporting window with margin for data review. | Test | idempotency:sys-pharma-serialization-010 |
| SYS-REQ-011 | The system SHALL enforce electronic lockout verification for maintenance activities, preventing equipment restart while any active lockout device is registered, and logging all LOTO events with operator ID, timestamp, and equipment ID in the EBR. Rationale: Derived from STK-012 (LOTO PLd) and Tablet press mechanical entrapment hazard. Electronic lockout verification adds a software layer to physical LOTO that prevents inadvertent restart by a second operator; EBR logging creates the GMP evidence trail required for OSHA compliance and incident investigation. | Test | idempotency:sys-pharma-loto-011 |
| SYS-REQ-012 | The system SHALL enforce an automated in-process rejection of any tablet with weight outside ±5% of target, hardness outside specification range, or thickness outside ±2% of target, and shall reject the entire production segment when content uniformity AV exceeds 15.0 on L1 sampling. Rationale: Derived from STK-013 (pharmacopoeial specification compliance). Weight ±5%, hardness, and thickness ±2% are in-process control (IPC) limits defined in the product master batch record; automated rejection eliminates human judgment errors in OOS handling. AV > 15.0 triggers mandatory L2 retest or batch rejection per USP 905. | Test | idempotency:sys-pharma-product-quality-012 |
| SYS-REQ-013 | The system SHALL maintain worker occupational exposure below the compound-specific Occupational Exposure Limit (OEL) by enforcing the OEB containment strategy defined in the compound safety data sheet, and generating an alarm when airborne monitoring exceeds 80% of the OEL action limit. Rationale: Worker protection from potent compound exposure is a primary stakeholder requirement (H-001, H-003). OEL compliance is mandated by COSHH (Control of Substances Hazardous to Health Regulations 2002) and OSHA 29 CFR 1910.1000 PEL requirements. The 80 percent alarm threshold provides a response window before the OEL action limit is breached. | Test | reqs-eng-session-566, h-001 |
| SYS-REQ-014 | The system SHALL support process validation per ICH Q8 (Pharmaceutical Development) and ICH Q11 (Development and Manufacture of Drug Substances) by recording all critical process parameters (CPPs), critical quality attributes (CQAs), and key process indicators (KPIs) for every batch in a retrievable electronic format suitable for prospective and concurrent validation programmes. Rationale: ICH Q8 requires that CPPs and CQAs be identified, monitored, and documented as part of the validated design space. This system-level requirement ensures the manufacturing line generates the data required for regulatory filings (NDA, MAA). Analysis verification is appropriate because compliance with data completeness and format requirements can be demonstrated by reviewing the EBR data structure against ICH Q8 guidance. | Analysis | session-562, validation, process-validation, ich-q8, idempotency:session562-sys-process-validation-014 |
| SYS-REQ-015 | The system SHALL comply with EU Delegated Regulation 2016/161 (Falsified Medicines Directive) requirements for unique identifier placement, tamper-evident device application, and verification and decommissioning of unique identifiers at point of supply, and SHALL integrate with national medicines verification systems via the EMVO EMVS API. Rationale: EU Delegated Regulation 2016/161 is a legal requirement for all prescription medicines placed on the EU market from 9 February 2019. Non-compliance results in inability to sell product in EU. Test verification requires a connection to the EMVS test repository to confirm that serialisation data is correctly formatted and accepted by the external system. | Test | session-562, validation, serialisation, eu-fmd, regulatory, idempotency:session562-sys-eu-delegated-regulation-015 |
| SYS-REQ-016 | The system SHALL implement machine safety controls compliant with EN ISO 13849-1 (Safety of machinery — Safety-related parts of control systems) for all rotating and moving equipment, achieving a minimum Performance Level d (PLd) for guard interlocks, emergency stops, and LOTO verification functions, with proof test intervals documented in the safety case. Rationale: SIL-2 IEC 61508 requirements mandate that safety functions — not just their design documents — be verified by test. EN ISO 13849-1 (Safety of machinery: safety-related parts of control systems) compliance analysis (PLr, MTTFd, DC calculations) establishes the design meets the required performance level, but the safety functions themselves (E-stop response, guard interlock, brake engagement) must be tested under realistic operating conditions to demonstrate the actual realised performance level. Verification by Analysis alone is insufficient for SIL-2 functional safety claims. | Test | session-562, validation, machine-safety, en-iso-13849, sil-2, idempotency:session562-sys-en-iso-13849-016, h-007 |
| SYS-REQ-017 | The system SHALL calculate and display Overall Equipment Effectiveness (OEE) per the SEMI E10 equipment productivity standard, updated at least every 4 hours, decomposed into Availability, Performance, and Quality components, and SHALL generate an alert when OEE for any subsystem falls below 75 percent for more than one production shift. Rationale: OEE tracking is a primary stakeholder requirement for production efficiency. The SEMI E10 standard provides an unambiguous OEE calculation methodology. The 75 percent threshold is the industry benchmark for world-class pharmaceutical manufacturing. Test verification is required because OEE calculation accuracy depends on the integration of downtime, speed loss, and quality rejection data streams from multiple subsystems. | Test | session-562, validation, oee, production-efficiency, idempotency:session562-sys-oee-tracking-017 |
| SYS-REQ-018 | The system SHALL enforce PAT qualification procedures per FDA Process Analytical Technology Guidance (2004) and ICH Q8, requiring calibration verification of all PAT instruments against certified reference materials before each campaign, with calibration status logged in the EBR and any out-of-calibration instrument triggering automatic suspension of real-time release. Rationale: FDA PAT Guidance requires that PAT instruments be calibrated and their performance verified before use. An out-of-calibration PAT instrument that continues to drive real-time release decisions would constitute a data integrity failure (H-004). Test verification confirms that the calibration check workflow triggers correctly and that real-time release is actually suspended when calibration status is invalid. | Test | session-562, validation, pat, calibration, sil-3, h-004, idempotency:session562-sys-pat-qualification-018 |
| SYS-REQ-019 | The system SHALL generate an automatic deviation record in the EBR whenever any critical process parameter exceeds its validated specification limit, linking the deviation to the affected batch, the out-of-specification measurement, the subsystem responsible, and the time of occurrence, with the record available for QA Manager review within 10 minutes of the exceedance event. Rationale: Automatic deviation record generation at the point of CPP exceedance is required by ICH Q10 (Pharmaceutical Quality System) to ensure no exceedances are missed in manual batch review. The 10-minute availability target ensures the QA Manager can make a real-time batch hold decision before additional product is produced under the exceedance conditions. | Test | session-562, validation, mes, deviation, sil-2, idempotency:session562-sys-auto-deviation-record |
| SYS-REQ-020 | The system SHALL maintain a cleaning status registry for every product-contact equipment item, updated in real time as cleaning activities are performed, and SHALL prevent assignment of any equipment with an expired or unconfirmed clean status to a new batch record, providing an explicit status reason to the operator when assignment is blocked. Rationale: Equipment cleaning status control is a primary H-002 cross-contamination mitigation. An equipment item with expired clean status that is inadvertently assigned to a new batch would result in potential cross-contamination without detection. Test verification confirms the assignment block is enforced across all equipment status states and the reason is communicated clearly. | Test | session-562, validation, mes, changeover, sil-3, h-002, idempotency:session562-sys-cleaning-registry |
| SYS-REQ-021 | The system SHALL provide a production supervisor handover capability in the MES, enabling the outgoing supervisor to formally close their shift in the EBR with an electronic signature, documenting any in-progress deviations, out-of-specification results, and equipment status, and preventing the next shift from starting new operations until the incoming supervisor has reviewed and acknowledged the handover record. Rationale: Structured shift handover with EBR documentation prevents loss of critical operational context between shifts. The Tablet Press Jam ConOps scenario occurs on night shift — unresolved deviations from the previous shift that are not formally documented at handover could result in incorrect batch disposition decisions. | Test | session-562, validation, mes, handover, 21cfr11, idempotency:session562-sys-shift-handover |
| SYS-REQ-022 | The Pharmaceutical Manufacturing Line SHALL be installed in a GMP-compliant facility comprising a minimum of four classified cleanrooms: a weigh booth (ISO 7 / Grade C), a granulation and compression area (ISO 8 / Grade D), a coating and packaging area (ISO 8 / Grade D), and a quality control laboratory, with an equipment footprint not exceeding 800 m² and physical access controlled by HVAC pressure cascade and electronic interlocks. Rationale: Physical facility and layout constraints for the manufacturing line are required by EU GMP Annex 1 and FDA 21 CFR Part 211 to ensure product quality, containment, and cleanroom classification are maintained. The specification of classified rooms and controlled access is not derivable from functional requirements alone and must be explicitly stated to support facility qualification activities. | Inspection | session-565, facility, physical-layout, lint-fix-lh3, idempotency:ses565-mfg-line-physical-layout |
| SYS-REQ-023 | While in Normal Production mode, the system SHALL provide an operator override capability allowing a qualified Production Supervisor or QC Analyst to suspend automated batch diversion, IPC rejection, or PAT-triggered alarms, subject to mandatory electronic signature per 21 CFR Part 11, a maximum override duration of 60 minutes before automatic restoration, and audit trail entry recording the operator identity, override reason, and duration. Rationale: Normal production mode executes batch logic semi-autonomously; any autonomous control system operating in a regulated pharmaceutical environment must have a defined human-in-the-loop override per FDA guidance on computer-aided manufacturing and IEC 61508 requirements for Functionally Autonomous systems with SIL classification. The 60-minute limit prevents indefinite bypass of safety functions while allowing short-term operational decisions. | Test | session-565, normal-production, override, functionally-autonomous, lint-fix-lh4, lint-fix-lh8, idempotency:ses565-np-mode-override |
| SYS-REQ-025 | The physical sensors and instruments implementing environmental monitoring during normal production SHALL be mounted within the manufacturing line cleanroom bays, with differential pressure transmitters installed at each controlled room boundary, temperature and humidity probes at product exposure height, and all sensor housings constructed from 316L stainless steel meeting ISO 8 cleanroom installation standards. Rationale: Specifying the physical location and construction of sensors implementing the normal production environmental monitoring requirement (SYS-REQ-006) is needed to support facility qualification documentation. Physical embodiment of the monitoring function during normal production must be defined separately from the functional monitoring requirement. | Inspection | session-565, normal-production, sensors, physical-embodiment, idempotency:ses565-np-sensors-v2 |
| SYS-REQ-026 | The system SHALL provide a dedicated physical cleanroom monitoring network comprising calibrated differential pressure transmitters (range 0–100 Pa, accuracy ±1 Pa), temperature transmitters (range 15–30°C, accuracy ±0.3°C), and relative humidity transmitters (range 30–70% RH, accuracy ±2% RH), wired to the Environmental Control Subsystem PLC via 4–20 mA loops, with all instruments calibrated against ISO 17025-accredited standards at intervals not exceeding 12 months. Rationale: SYS-REQ-006 requires continuous monitoring of cleanroom differential pressure, temperature, and humidity during Normal Production mode. This requirement defines the physical sensor infrastructure required to fulfil that monitoring obligation. EU GMP Annex 1 (Manufacture of Sterile Medicinal Products) and ISO 14644-2 (Cleanrooms and associated controlled environments — Monitoring) specify instrument accuracy requirements. The 12-month calibration interval is consistent with GMP instrument qualification norms. Resolves lint finding: 'normal production lacks Physical Object trait but has physical embodiment'. | Test | session-, validation, cleanroom, environmental, physical-embodiment, lint-fix, idempotency:ses566-sys-cleanroom-physical-embodiment |
| SYS-REQ-027 | The Process Control System SHALL provide a hardware-enforced manual override capability at each equipment control panel that allows an operator to de-energise any individual equipment actuator independently of software state, and SHALL accept Emergency Stop commands from any safety relay input within 250 milliseconds regardless of software execution state or PLC program mode. Rationale: The PCS is classified as Functionally Autonomous (controlling equipment without continuous human input) per EN ISO 13849-1 (Safety of machinery — Safety-related parts of control systems). Autonomous control systems require hardware-level safety overrides that cannot be defeated by software failure — IEC 61508 (Functional safety of E/E/PE safety-related systems) clause 7.4.2 requires manual overrides for SIL-2 systems. The 250 ms E-stop response is the maximum reaction time that limits rundown energy in tablet press and granulator applications. This resolves the lint finding: 'process control system is Functionally Autonomous but has no safety/override constraints'. | Test | session-566, validation, process-control-system, safety-override, lint-fix, sil-2, idempotency:ses566-sys-pcs-manual-override |
| SYS-REQ-028 | While in Normal Production mode, the system SHALL be housed within a GMP-compliant equipment rack or panel enclosure (IP54 or better, stainless steel housing) that physically integrates the Environmental Monitoring System controller, the SCADA PCS I/O modules, and the 4–20 mA signal conditioning hardware for at least three differential pressure transmitters (weigh booth, granulation bay, coating/packaging bay boundaries), RTD temperature probes, and capacitive humidity sensors at 0.8–1.2 m above finished floor level in each classified bay; the rack SHALL be installed within the manufacturing line classified area and connected to the clean power UPS supply specified in SYS-REQ-007. Rationale: Lint finding: 'normal production' concept (hex 40B53A50) lacks Physical Object trait but SYS-REQ-006 imposes physical monitoring constraints. This requirement provides the physical embodiment specification for the environmental monitoring infrastructure that executes during Normal Production mode, resolving the ontological mismatch. Derived from SYS-REQ-006 (cleanroom monitoring parameters and response times) and consistent with SYS-REQ-025 (sensor mounting) and SYS-REQ-026 (4–20 mA loop infrastructure). EU GMP Annex 1 mandates continuous environmental monitoring in classified zones during production. | Inspection | session-567, validation, lint-fix-lintHigh, normal-production, physical-embodiment, idempotency:session567-sys-normal-production-physical-embodiment |
| SYS-REQ-029 | The system SHALL implement dust explosion prevention measures compliant with ATEX Directive 2014/34/EU (Equipment and protective systems intended for use in potentially explosive atmospheres) for all enclosed powder processing equipment (granulator, mill, blender, tablet press hopper, dust extraction ducting), including continuous LEL monitoring with automatic equipment de-energisation at 25% LEL, nitrogen inerting capability for high-risk enclosures, and explosion venting or suppression on all vessels exceeding 0.1 m³ volume. Rationale: H-003: Fine pharmaceutical powder (API and excipient particles <100 µm) in enclosed equipment with ignition sources (motors, static discharge, hot surfaces) creates a dust explosion hazard. ATEX Directive 2014/34/EU mandates equipment classification and protection measures. The 25% LEL trigger provides a 4:1 safety margin per EN 14034. Nitrogen inerting reduces oxygen below the Limiting Oxygen Concentration. SIL 2 allocation reflects catastrophic severity with rare frequency. | Test | system, sil-2, h-003, safety, session-2, idempotency:sys-pharma-dust-explosion-h003-2 |
| SYS-REQ-030 | The Process Control System (PCS) network SHALL be isolated from enterprise IT networks by a firewall or unidirectional security gateway, implementing network segmentation per IEC 62443-3-3 (Industrial communication networks — IT security) Security Level 2, with no direct internet connectivity, and SHALL enforce role-based access control with individual user authentication for all HMI and engineering workstation access. Rationale: The PCS executes SIL-2 safety functions (LOTO enforcement per SYS-REQ-016) and controls potent compound containment (SYS-REQ-004). Cyber intrusion could bypass safety interlocks, release hazardous compounds, or corrupt batch records. IEC 62443-3-3 SL-2 provides the minimum mitigations for industrial control systems with potential safety consequences. Network isolation prevents lateral movement from enterprise IT systems, a common OT attack vector. | Inspection | session-549, qc, cybersecurity, pcs, idempotency:sys-pcs-cybersecurity-session-549 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The PAT Subsystem NIR spectrometer SHALL acquire diffuse reflectance spectra (900-1700 nm, minimum 256 wavelength channels, 8 cm-1 resolution) at 30-second intervals from each monitored process point, with signal-to-noise ratio exceeding 5000:1 and automatic dark-current correction between acquisitions. Rationale: NIR is the primary sensor for content uniformity and moisture monitoring. SYS-016 mandates 30-second acquisition. The 5000:1 SNR threshold is the minimum for reliable PLS chemometric model discrimination of API concentration within 2% RSD, derived from ICH Q2(R1) analytical method validation requirements. 8 cm-1 resolution matches pharmaceutical industry standard for solid dosage monitoring. | Test | subsystem, pat, nir, sil-3, session-547, idempotency:sub-pat-nir-acquisition-547 |
| SUB-REQ-002 | The PAT Subsystem Raman spectrometer SHALL acquire spectra (200-3200 cm-1, spectral resolution 4 cm-1) at 30-second intervals using a 785 nm excitation laser at power not exceeding 500 mW, with automatic fluorescence background subtraction and cosmic ray rejection. Rationale: Raman provides polymorphic form identification and API quantification complementary to NIR. SYS-016 mandates 30-second acquisition. 785 nm excitation is the standard for pharmaceutical applications, balancing fluorescence avoidance with Raman cross-section. 500 mW power limit prevents thermal degradation of heat-sensitive APIs. Fluorescence subtraction is essential for excipient-rich formulations. | Test | subsystem, pat, raman, sil-3, session-547, idempotency:sub-pat-raman-acquisition-547 |
| SUB-REQ-003 | The PAT Subsystem SHALL evaluate all CQA chemometric models (content uniformity PLS, blend homogeneity PCA, particle size correlation) within 5 seconds of sensor data acquisition, using cryptographically signed model files with version tracking, and SHALL reject any model file whose SHA-256 checksum does not match the validated model registry. Rationale: SYS-016 mandates CQA model evaluation within 5 seconds. Model integrity is a direct H-004 mitigation: a corrupted or unauthorised model could approve OOS product for release. Cryptographic signing with SHA-256 verification ensures only validated models execute in production, meeting 21 CFR Part 11 requirements for computerised system validation. Version tracking enables post-incident root cause analysis. | Test | subsystem, pat, cqa-model, sil-3, h-004, session-547, idempotency:sub-pat-cqa-model-eval-547 |
| SUB-REQ-004 | When a CQA limit exceedance is detected, the PAT Subsystem SHALL actuate the batch diversion valve to the reject position within 2 seconds, confirm valve position via discrete feedback sensor, and maintain the diversion state until receiving an explicit MES acknowledgment and reset command. Rationale: SYS-016 mandates 2-second diversion actuation. The valve position feedback sensor provides independent confirmation that the diversion physically occurred, critical for SIL 3 integrity of the H-004 mitigation. Latching in divert-state until MES acknowledgment prevents race conditions where PAT could reset before the EBR records the event, ensuring no diversion goes unrecorded. | Test | subsystem, pat, diversion, sil-3, h-004, session-547, idempotency:sub-pat-diversion-valve-547 |
| SUB-REQ-005 | The PAT Subsystem SHALL perform continuous sensor self-diagnostics evaluating signal-to-noise ratio, wavelength calibration accuracy (against internal reference standard), and detector dark-current stability, and SHALL declare sensor-degraded state within 15 seconds when any diagnostic parameter deviates beyond validated operating limits. Rationale: SYS-022 requires degraded-mode transition within 30 seconds. The 15-second detection window allocates half the budget to PAT self-diagnosis and half to MES notification and mode switching. Internal reference standard calibration check (typically polystyrene for NIR, silicon for Raman) is the pharmaceutical industry standard per ASTM E1840. Without continuous self-diagnostics, calibration drift is the primary root cause pathway for H-004. | Test | subsystem, pat, sensor-health, sil-3, h-004, session-547, idempotency:sub-pat-sensor-diagnostics-547 |
| SUB-REQ-006 | While in sensor-degraded state, the PAT Subsystem SHALL suspend real-time CQA model evaluation on the affected sensor channel within 5 seconds of degradation detection, continue acquisition on unaffected channels at ≥70% of nominal per-channel CQA evaluation rate, present manual sampling prompts to operators at 15-minute intervals (±30 seconds) with sample identification barcodes, and record all manual sample submissions with timestamps for MES integration. The PAT Subsystem SHALL maintain a minimum of 1 unaffected sensor channel in active CQA evaluation throughout degraded-mode operation. Rationale: SYS-022 mandates 15-minute manual sampling and 50% throughput maintenance during degraded mode. The 5-second suspension window closes the gap between degradation detection and alert issuance. The ≥70% per-channel evaluation rate on surviving channels ensures that a 3-channel PAT system can sustain meaningful CQA coverage on 2 channels. The ±30-second sampling prompt tolerance accommodates operator workflow without breaching the 15-minute GMP sampling requirement. The minimum 1 active channel requirement prevents a total real-time monitoring blackout during multi-sensor degradation. Performance floors added per validation session 566. | Demonstration | pat-subsystem, degraded-mode, superseded-by-session-554, superseded-by:SUB-REQ-024 |
| SUB-REQ-007 | The PAT Subsystem laser diffraction analyser SHALL measure particle size distribution (0.5-2000 micron range, D10/D50/D90 reporting) at 30-second intervals during granulation and blending stages, with measurement repeatability within 2% RSD on D50 for reference standard material. Rationale: SYS-016 lists laser diffraction as a mandated PAT sensor. Particle size distribution is a critical quality attribute for tablet dissolution rate and content uniformity per ICH Q6A. The 2% RSD repeatability on D50 is the ISO 13320 acceptance criterion for pharmaceutical laser diffraction, ensuring the measurement is sufficiently precise to detect granule over-growth that would cause segregation and content uniformity failure. | Test | subsystem, pat, laser-diffraction, session-547, idempotency:sub-pat-laser-diffraction-547 |
| SUB-REQ-008 | The Manufacturing Execution System SHALL enforce 21 CFR Part 11 compliant electronic signatures on all EBR critical entries (batch release, deviation acknowledgment, in-process hold, parameter override), requiring biometric or two-factor authentication, with each signature binding the signer identity, date/time, and signing meaning to the record. Rationale: SYS-015 mandates electronic signatures with access controls. FDA 21 CFR Part 11.50 requires that signed records clearly indicate the printed name, date/time, and meaning of the signature. Two-factor authentication exceeds the minimum Part 11 requirement but is standard practice after FDA warning letters citing weak e-signature controls. H-006 safe state includes system lockout for forensic investigation, making signature integrity the first line of defense. | Test | subsystem, mes, part-11, sil-2, h-006, session-547, idempotency:sub-mes-esig-547 |
| SUB-REQ-009 | The Manufacturing Execution System SHALL maintain a tamper-evident audit trail recording every EBR creation, modification, and deletion event, capturing the original value, new value, operator ID, workstation ID, timestamp (UTC, NTP-synchronised to within 100 ms), and operator-entered reason for change. Rationale: 21 CFR Part 11.10(e) requires complete audit trails; SIL-2 H-006 mandate. Upgraded from Inspection to Test per IEC 61508 (Functional safety of E/E/PE safety-related systems) requirements for SIL-2 safety functions — audit trail completeness must be demonstrated by active test (injection of EBR events and verification of append-only log) not static inspection. Test verification aligns with the VER-REQ-019 which tests audit trail tamper resistance. | Test | subsystem, mes, audit-trail, part-11, sil-2, h-006, session-547, idempotency:sub-mes-audit-trail-547 |
| SUB-REQ-010 | The Manufacturing Execution System SHALL compute and store a SHA-256 cryptographic hash on every EBR write operation, maintain a hash chain linking consecutive writes, and SHALL detect and alert on any hash chain discontinuity within one EBR backup cycle (15 minutes maximum). Rationale: SYS-015 mandates cryptographic hash verification on every write. The hash chain (each hash includes the previous hash) provides tamper evidence stronger than individual hashes, detecting both modification and deletion of intermediate records. Detection within one backup cycle ensures that if H-006 occurs, the maximum exposure window before alert is 15 minutes, aligning with the SYS-015 backup interval. | Test | subsystem, mes, data-integrity, sil-2, h-006, session-547, idempotency:sub-mes-crypto-integrity-547 |
| SUB-REQ-011 | The Manufacturing Execution System SHALL maintain a real-time lockout registry mapping each equipment unit to its lockout state (locked/unlocked), lockout holder (operator ID), lock application timestamp, and lock type (maintenance/cleaning/calibration), and SHALL prevent any equipment start command while at least one active lockout is registered against that equipment. Rationale: SYS-024 mandates electronic lockout verification preventing restart. The lockout registry is the single source of truth for equipment safety state, replacing or augmenting physical padlocks. H-007 (mechanical entrapment) requires that restart prevention is absolute, not advisory. Multiple lock types support concurrent lockout by different disciplines (maintenance LOTO plus cleaning hold), as required in pharmaceutical changeover where cleaning and maintenance overlap. | Test | subsystem, mes, loto, sil-2, h-007, session-547, idempotency:sub-mes-loto-registry-547 |
| SUB-REQ-012 | The Manufacturing Execution System SHALL log every LOTO event (lock application, lock removal, restart attempt while locked, override attempt) in the EBR with operator ID, equipment ID, timestamp, lock type, and event outcome (success/denied), retaining logs for the batch record retention period. Rationale: SYS-024 mandates logging all LOTO events with operator ID, timestamp, and equipment ID. Including restart-attempt-while-locked and override-attempt events provides forensic evidence for H-007 near-miss investigation. Retention for the batch record period (typically 1 year past expiry per 21 CFR 211.180) ensures LOTO records are available for regulatory inspection of any batch produced during the maintenance window. | Inspection | subsystem, mes, loto, audit-trail, session-547, idempotency:sub-mes-loto-logging-547 |
| SUB-REQ-013 | The Manufacturing Execution System SHALL record batch genealogy linking each production batch to raw material lot numbers (via barcode scan at dispensing), equipment IDs (via PLC integration), process parameter time-series (via historian interface), operator IDs (via e-signature at each stage), and PAT CQA results (via OPC UA subscription), enabling recall scope determination within 4 hours of query. Rationale: SYS-020 mandates full batch genealogy with 4-hour recall scope determination. The 4-hour constraint drives the database query architecture: the genealogy must be queryable by any dimension (material lot, equipment, operator, date range) without full table scan. Barcode scan at dispensing is the GMP-standard method for material identity verification, eliminating transcription error that could make genealogy unreliable. | Test | subsystem, mes, batch-genealogy, session-547, idempotency:sub-mes-batch-genealogy-547 |
| SUB-REQ-014 | The Manufacturing Execution System SHALL perform automated EBR database backups at intervals not exceeding 15 minutes, with backup integrity verified by hash comparison, and SHALL restore from the most recent verified backup to a functional state within 30 minutes of a data integrity failure detection. Rationale: SYS-015 mandates backup intervals not exceeding 15 minutes. The 30-minute recovery time objective ensures that H-006 safe state (switch to paper backup) does not persist longer than one production stage. Hash-verified backups prevent restoration of already-corrupted data, which would propagate the H-006 failure mode rather than recovering from it. | Test | subsystem, mes, backup, sil-2, h-006, session-547, idempotency:sub-mes-ebr-backup-547 |
| SUB-REQ-015 | When a data integrity failure is detected (hash chain discontinuity or backup verification failure), the Manufacturing Execution System SHALL switch to verified paper backup record mode within 60 seconds, generating pre-formatted paper batch record forms with the current batch context pre-populated, and SHALL lock the electronic system for forensic investigation. Rationale: H-006 safe state mandates switch to verified paper backup and electronic system lockout. The 60-second switchover ensures no batch recording gap during the transition. Pre-populated paper forms reduce transcription error during the high-stress switchover event. System lockout for forensics preserves the evidence chain for the data integrity investigation required by FDA guidance on data integrity (2018). | Demonstration | subsystem, mes, paper-backup, sil-2, h-006, session-547, idempotency:sub-mes-paper-backup-547 |
| SUB-REQ-016 | When the High Shear Granulator wet mass torque profile or integrated NIR wet-mass spectrum reaches the validated endpoint criterion, the Granulation and Blending Subsystem SHALL stop granulation within 10 seconds and initiate granule discharge transfer to the Fluid Bed Dryer. Rationale: Granulation endpoint detection is the primary process control point ensuring granule size and density are within specification. A 10-second stop-and-transfer limit prevents over-granulation (overwetting increases granule density, reducing tablet compressibility). The dual criterion (torque OR NIR) provides fallback if one sensor is unavailable per the PAT degraded-mode requirement (REQ-SEPHARMAMANUFACTURING-022). | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-hsg-endpoint-549 |
| SUB-REQ-017 | The Fluid Bed Dryer SHALL reduce granule loss-on-drying (LOD) to the target value (product-specific, typically 1.0-3.0% w/w) plus or minus 0.5% w/w within the validated drying time window, as measured by the in-line NIR LOD probe at 60-second intervals. Rationale: LOD at FBD discharge is a CQA because residual moisture directly affects tablet compressibility and chemical stability. Over-drying below 1.0% causes friable granules and poor compaction; under-drying above target increases risk of chemical degradation and sticky blend. The plus or minus 0.5% acceptance band is derived from ICH Q6A tablet dissolution specification tolerance and NIR LOD method validation precision (RSD less than 0.3%). | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-fbd-lod-549 |
| SUB-REQ-018 | The Fluid Bed Dryer SHALL maintain inlet air temperature within plus or minus 2 degrees Celsius of the MES recipe setpoint throughout the drying cycle, and SHALL raise an alarm and suspend drying if the inlet air temperature deviates by more than 5 degrees Celsius for more than 60 seconds. Rationale: Inlet air temperature is a CPP affecting drying rate and product bed temperature. Exceedance beyond plus or minus 5 degrees Celsius risks thermal degradation of heat-sensitive APIs (stability shelf life driven by ICH Q1A). The 60-second tolerance window is derived from the thermal inertia of a 100L product bed — step changes propagate to the product bed within 90 seconds, giving 30 seconds of corrective action margin before product impact. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-fbd-temp-549 |
| SUB-REQ-019 | The Granule Sizing Mill SHALL reduce post-drying granule agglomerates such that the resulting sized granule D90 is less than 800 micrometres and D50 is between 200 and 600 micrometres, verified by off-line laser diffraction sampling within 15 minutes of mill discharge. Rationale: PSD at sizing mill discharge is a CQA for tablet compression: coarse granules (D90 greater than 800 micrometres) cause tablet weight variation exceeding the REQ-SEPHARMAMANUFACTURING-025 plus or minus 5% rejection limit, and fine granules (D50 less than 200 micrometres) cause hopper segregation in the tablet press feed frame. The 15-minute off-line sampling window is the minimum required by stability and process validation protocols before blend step can proceed. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-mill-psd-549 |
| SUB-REQ-020 | The IBC Blender SHALL achieve a blend uniformity of API content RSD less than or equal to 5.0% across the blend mass, as measured by the in-IBC NIR probe at each of three blending speed setpoints (6 RPM, 10 RPM, 14 RPM) validated per ICH Q2(R1), before the MES issues blend-complete authorisation. Rationale: Blend uniformity RSD less than or equal to 5.0% is the USP Chapter 905 content uniformity acceptance criterion for tablets. NIR blend endpoint monitoring in the validated IBC geometry is required by the FDA Process Analytical Technology Guidance (2004) as an alternative to destructive sampling. Three-setpoint validation covers the RPM range across product viscosity variants — a single RPM setpoint would fail for high-viscosity batches where blending time increases non-linearly. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-ibc-blend-endpoint-549 |
| SUB-REQ-021 | The Granulation and Blending Subsystem SHALL record the mass of each material charge and transfer at each process step, and SHALL flag a mass balance error if the cumulative yield from raw material input to IBC discharge is outside the range 97.0% to 101.0% of theoretical batch yield. Rationale: Mass balance tracking from dispensed API weight through granulation, drying, sizing, and blend is a GMP regulatory requirement under 21 CFR 211.182 batch record content. The 97-101% window accounts for expected process losses (dust, sampling, vessel heel) while flagging uncontrolled losses that could indicate material mix-up, spill, or diversion. Values outside this range require investigation per SOPs before batch can proceed. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-mass-balance-549 |
| SUB-REQ-022 | When the PAT NIR blend-endpoint monitoring is unavailable (sensor fault or communication loss), the Granulation and Blending Subsystem SHALL continue IBC blending for the validated fixed-time blend duration specified in the MES recipe (minimum 20 minutes at validated RPM), require a supervisory operator authorisation before issuing blend-complete, and SHALL log the PAT-unavailable event in the EBR with timestamp and reason. Rationale: Degraded-mode performance floor is required per REQ-SEPHARMAMANUFACTURING-022. Fixed-time blending is the validated manual fallback when PAT NIR is unavailable: the 20-minute minimum is the validated worst-case blend time from development studies. Supervisory authorisation provides a human check replacing the automated NIR endpoint. Without this requirement, PAT NIR failure would halt production with no recovery path, creating an incentive for operators to bypass controls. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-degraded-blend-549 |
| SUB-REQ-023 | While processing OEB 3 or higher potency compounds (OEL less than 10 micrograms per cubic metre), the Granulation and Blending Subsystem SHALL maintain contained transfer operations at all inter-vessel transfer points, with airborne API concentration in the operator breathing zone not exceeding 1 microgram per cubic metre as verified by personal air sampling during qualification. Rationale: Containment requirement derives from REQ-SEPHARMAMANUFACTURING-004 (OEB containment integrity) and REQ-SEPHARMAMANUFACTURING-017 (negative pressure isolation). The 1 microgram per cubic metre breathing-zone limit is 10% of the OEL, providing a safety factor of 10 per ICH Q11 and ISPE Risk-MaPP guidance. Granulation-to-dryer and dryer-to-mill transfers are the highest exposure risk points in the OSD line because they involve open powder handling of wet and dry API-containing material. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-containment-549 |
| SUB-REQ-024 | While in sensor-degraded state, the PAT Subsystem SHALL suspend real-time CQA model evaluation on the affected sensor channel within 10 seconds of degradation detection, continue acquisition on all unaffected channels (minimum: 2 of 3 sensor channels must remain operational before a full-system safe-state transition is required), present manual sampling prompts to operators within 60 seconds of each 15-minute interval expiry with sample identification barcodes, and record all manual sample submissions with timestamps and operator ID for MES EBR integration within 30 seconds of submission. Rationale: Derived from SUB-REQ-006. The 10-second suspension window is the maximum acceptable delay before a degraded channel could contribute an erroneous CQA estimate to the diversion model. The 2-of-3 channel floor ensures the PAT subsystem retains meaningful CQA coverage during single-sensor failure without triggering a full production halt; loss of 2+ sensors removes the basis for continued real-time release. The 60-second prompt window is the maximum allowable latency before a manual sampling event is considered missed under the degraded-mode protocol. | Test | pat-subsystem, degraded-mode, session-554, supersedes:SUB-REQ-006, idempotency:sub-pat-degraded-quantified-554 |
| SUB-REQ-025 | The Rotary Tablet Press SHALL monitor upper punch compression force at each station on every rotation and reject tablets where compression force deviates from the target setpoint by more than ±5 kN, using a pneumatic ejector actuating within 200 ms of ejection point detection. Rationale: Compression force is the primary determinant of tablet hardness and dissolution profile. A ±5 kN tolerance corresponds to a ±15% hardness variation (validated per ICH Q8) beyond which dissolution rate changes by >10%, risking sub-therapeutic dosing. Per-station monitoring is required because tooling wear is station-specific: a worn punch on station 14 will not be caught by average-force monitoring. The 200 ms ejection window is derived from the turret geometry at the maximum 120 RPM: 500 ms/revolution ÷ 72 stations = 6.9 ms per station, so 200 ms spans roughly 29 station pitches and allows for the physical distance from the detection point to the diverter. | Test | subsystem, tablet-compression, sil-2, session-556, idempotency:sub-tc-press-force-556 |
| SUB-REQ-026 | The Tablet In-Process Control System SHALL sample every 30th tablet for individual weight, hardness, and thickness measurement, and shall update the press fill-depth servo setpoint within 3 measurement cycles when the running mean weight deviates by more than ±1.5% from the target. Rationale: USP <905> content uniformity requires weight variation <5% RSD. Sampling every 30th tablet at 120 RPM gives one sample every 1.5 seconds, providing trend data fast enough to detect gradual fill-depth drift before it exceeds the 5% USP limit. The ±1.5% control band provides a correction margin 3× narrower than the limit — consistent with ICH Q8 process analytical technology guidance for real-time release. | Test | session-556, idempotency:sub-tc-ipc-weight-556 |
| SUB-REQ-027 | When a guard door on the Rotary Tablet Press is opened, the Tablet Compression Subsystem SHALL de-energise the main drive motor and engage the mechanical turret brake within 500 ms, and SHALL prevent re-energisation until the guard door is confirmed closed and a positive LOTO key removal is electronically verified by the MES LOTO Registry Module. Rationale: Hazard H-007 (mechanical entrapment in rotating turret) is rated severity:critical, SIL-2 per IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). The 500 ms stop time corresponds to one turret revolution at the maximum 120 RPM (500 ms/revolution, see SUB-REQ-025), so no punch station can complete more than one further stroke after the guard opens. MES LOTO verification creates an electronic record satisfying 21 CFR Part 11 and FDA GMP audit requirements for every maintenance access event. | Test | session-556, idempotency:sub-tc-loto-guard-556 |
| SUB-REQ-028 | The Tablet Compression Containment Housing SHALL maintain negative pressure of -15 Pa (±3 Pa) relative to the surrounding cleanroom at all times during press operation, and SHALL trigger an audible alarm and initiate an automatic press hold within 5 seconds when the pressure differential rises above -10 Pa (i.e. becomes less negative than the loss-of-containment threshold). Rationale: Hazard H-001 (airborne potent compound exposure, OEL 1-10 µg/m³) is rated severity:critical, SIL-2. MoP basis: the -15 Pa containment setpoint is derived from the EU GMP Annex 1 pressure differential specification (≥10 Pa between classified zones); the ±3 Pa tolerance is consistent with the ISPE Baseline Guide (Sterile Product Manufacturing Facilities) pressure measurement accuracy requirements for unidirectional flow zones. | Test | reqs-eng-session-566 |
| SUB-REQ-029 | The Tablet Compression Subsystem SHALL read the RFID tag on each punch and die station at press startup and shall prevent press operation if any station has accumulated more than 500,000 compressions or if any RFID tag read fails, logging the failed station to the MES batch record. Rationale: Punch tip fracture (the failure mode in the H-007 scenario, the 90-minute downtime event) is directly correlated with cumulative compression cycles. The 500,000 compression limit is the manufacturer-validated service life for S7 tool steel at 80 kN maximum force. RFID tracking is required rather than a paper log because 21 CFR Part 11 requires electronic records for all GMP-critical maintenance activities. Treating a failed read as an error is the fail-safe choice: a missing or unreadable tag cannot be assumed to mean a new punch. | Test | session-556, idempotency:sub-tc-tooling-rfid-556 |
| SUB-REQ-030 | When one of the three Tablet In-Process Control System measurement channels (weight, hardness, or thickness) fails, the Tablet Compression Subsystem SHALL continue press operation at reduced throughput (maximum 60% of nominal RPM) with manual sampling at 5-minute intervals substituting for the failed channel, and SHALL record the degraded-mode start time and reason in the MES batch record. Rationale: A single IPC channel failure (e.g., weight probe jam) does not invalidate product quality if manual sampling is substituted at sufficient frequency. At 60% RPM (maximum 72 RPM), production output is 3,000-4,000 tabs/min; manual sampling every 5 minutes therefore takes one sample per approximately 15,000-20,000 tablets produced, consistent with the USP <905> sampling plan minimum. Forcing degraded mode to 60% RPM provides headroom for operators to manage the increased manual workload without falling behind. This is consistent with SYS-REQ-009 degraded production mode. | Demonstration | session-556, idempotency:sub-tc-ipc-degraded-556 |
| SUB-REQ-031 | The PAT Subsystem CQA model evaluation and diversion actuation function SHALL be implemented on a hardware architecture achieving at least Hardware Fault Tolerance (HFT) of 1, as required to meet the IEC 61508 SIL-3 architectural constraints, with the DAC Workstation having a redundant hot-standby instance; the standby instance SHALL assume primary control within 5 seconds of primary failure without loss of the current diversion decision state. Rationale: For a SIL-3 function under IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems), architectural analysis alone (the HFT=1 calculation) does not satisfy the requirements. The hardware fault tolerance must be demonstrated by hardware-in-the-loop testing: injecting a primary channel failure and confirming that the standby channel takes over within the specified 5-second window while retaining the diversion decision state. VER-REQ-047 specifies this failover test procedure. Analysis is insufficient as the sole verification method for a SIL-3 safety function. | Test | session-561, validation, pat, sil-3, h-004, architecture, redundancy, idempotency:session561-sub-pat-sil3-hft1-architecture |
| SUB-REQ-036 | The Process Analytical Technology Subsystem SHALL operate from a dedicated 230V AC 50Hz UPS-backed power supply providing minimum 4 hours of autonomous operation on battery, with automatic power failure alarm to the MES within 10 seconds of mains loss. Rationale: The PAT subsystem is Powered (UHT trait) and SIL-3 rated. A power failure during active CQA model evaluation must not result in silent loss of diversion control. The 4-hour battery backup ensures continued operation through a typical mains supply incident. The 10-second alarm limit ensures operators learn of the mains loss at the start of the battery window and can plan the switch to manual sampling well before the UPS is depleted. Addresses lintHigh finding 7. | Test | session-562, validation, pat, power, sil-3, h-004, idempotency:session562-sub-pat-power-supply |
| SUB-REQ-037 | The PAT Subsystem SHALL provide a manual CQA override interface accessible to the QC Analyst role, enabling a qualified operator to override a CQA model limit violation and continue production with enhanced manual sampling, with the override action and justification text recorded in the EBR within 60 seconds of override activation. Rationale: The PAT Subsystem is classified as Functionally Autonomous (UHT trait) and must have a human-in-the-loop override per IEC 61508 SIL-3 requirement for safety-related autonomous systems. This requirement addresses lintHigh finding 16. The QC Analyst role restriction prevents unauthorised overrides. EBR logging within 60 seconds ensures audit trail completeness under 21 CFR Part 11. | Test | session-562, validation, pat, override, sil-3, h-004, autonomy, idempotency:session562-sub-pat-manual-override |
| SUB-REQ-038 | The Manufacturing Execution System SHALL implement a watchdog timer that monitors core EBR processing heartbeat at 30-second intervals, and when three consecutive heartbeats are missed, SHALL log a system health alert to the CMMS, switch the SCADA operator display to a system-unavailable state, and prevent new batch record initiation until the MES health check passes. Rationale: The MES is classified as Functionally Autonomous (UHT trait) and must have a watchdog and fail-safe state per IEC 62443-4-2 (Technical security requirements for IACS components). This requirement addresses lintHigh finding 17. The 30-second heartbeat interval and 3-miss threshold (90 seconds total) provide a balance between false-alarm avoidance and timely failure detection. The fail-safe state prevents new batch records from being initiated on a potentially compromised system. | Test | session-562, validation, mes, watchdog, sil-2, h-006, autonomy, idempotency:session562-sub-mes-watchdog |
| SUB-REQ-039 | The Tablet Compression Subsystem SHALL operate from a dedicated 400V AC 50Hz 3-phase power supply with a soft-starter providing controlled ramp-up to prevent current surge, and SHALL have a monitored emergency power-off (EPO) circuit that de-energises the main drive within 200ms of activation, with EPO status monitored by the MES LOTO registry. Rationale: The Rotary Tablet Press and associated IPC system are Powered (UHT trait) physical components requiring defined power supply parameters for safe operation. The 200ms EPO response directly supports the H-007 safe state (equipment de-energised and mechanically braked) and integrates with the LOTO registry requirement (SUB-REQ-011). Addresses lintHigh findings 8 and 13. | Test | session-562, validation, tablet-compression, power, sil-2, h-007, idempotency:session562-sub-tc-power-epo |
| SUB-REQ-040 | The Granulation and Blending Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the High Shear Granulator impeller (rated 37kW) and Fluid Bed Dryer heating element (rated 30kW), with power monitoring that triggers an MES alarm if supply voltage deviates more than 10 percent from nominal, and an EPO that de-energises both machines within 500ms of activation. Rationale: The High Shear Granulator and Fluid Bed Dryer are Powered (UHT trait) physical components. Power deviations exceeding 10 percent affect impeller speed control and heating performance, directly impacting granule LOD CQA. The 500ms EPO supports H-001 and H-003 safe state transitions. Addresses lintHigh findings 9, 12, and 15. | Test | session-562, validation, granulation-blending, power, sil-2, h-001, idempotency:session562-sub-gb-power-supply |
| SUB-REQ-041 | The Film Coating Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the pan coater drive (rated 22kW) and inlet air heating system (rated 45kW), with power consumption monitoring that logs actual energy consumption per batch cycle to the MES for OEE calculation, and an EPO that de-energises all drives within 500ms. Rationale: The Film Coating Subsystem is a Powered (UHT trait) physical component requiring defined electrical supply parameters. The power consumption logging supports the OEE and process monitoring requirements of SYS-REQ-017. The 500ms EPO response supports safe-state transition for hazards involving coating materials. Addresses lintHigh finding 11. | Test | session-562, validation, film-coating, power, idempotency:session562-sub-fc-power-supply |
| SUB-REQ-042 | The Containment and Environmental Control Subsystem SHALL operate from a UPS-backed 230V AC power supply providing minimum 2 hours of autonomous operation on battery for all monitoring and alarm functions, and SHALL maintain HVAC damper positions during power interruption (fail-secure to exhaust mode) to preserve containment integrity. Rationale: The Containment Subsystem must remain operational during power failures to maintain H-001 safe state (HVAC switched to full exhaust). The fail-secure exhaust mode on power loss is a SIL-2 safety function. The 2-hour battery runtime covers the maximum expected time for emergency generator activation and transfer. Addresses lintHigh finding indirectly through physical safety system power requirements. | Test | session-562, validation, containment, power, sil-2, h-001, idempotency:session562-sub-cec-power-ups |
| SUB-REQ-043 | The Manufacturing Execution System server hardware SHALL be housed in a dedicated server rack with dual redundant power supplies (each rated for 100 percent load), located in an access-controlled equipment room separate from the production floor, with physical access logged to the CMMS. Rationale: The MES is a software subsystem but requires physical server hardware (Physical Object embodiment). Dual redundant PSUs directly support MES availability for SIL-2 EBR continuity. Physical access control to the server room is a 21 CFR Part 11 data integrity requirement. Inspection is the appropriate verification method for physical installation and access control measures. Addresses lintHigh finding 1. | Inspection | session-562, validation, mes, hardware, physical, 21cfr11, idempotency:session562-sub-mes-server-hardware |
| SUB-REQ-044 | The system SHALL not permit entry to Normal Production mode unless all of the following conditions are met: all equipment IQ/OQ/PQ qualification records are current and QA-approved; all PAT instruments have passed system suitability checks against certified reference materials; all process parameters in the batch record have been reviewed and approved by Production Supervisor; and no active deviation from the previous campaign remains open. Rationale: Startup mode entry criteria are safety-critical controls for product quality and batch release. Undefined or unenforced entry criteria allow production to start on non-qualified equipment, risking OOS product release (H-004). This requirement formalises the Startup/Qualification mode exit condition into a verifiable pre-production gate. Test verification requires a functional check of each pre-production gate in the MES workflow. | Test | session-562, validation, mode-coverage, startup, mes, idempotency:session562-sub-startup-entry-criteria |
| SUB-REQ-045 | When the system transitions from Emergency Stop mode, the Manufacturing Execution System SHALL require explicit QA Manager electronic signature in the EBR, enforce a mandatory 30-minute environmental clearance period with air monitoring below 50% OEL, and generate a deviation record linked to the triggering alarm event, before permitting any production equipment re-energisation. Rationale: Emergency Stop mode exit is a safety-critical transition. Premature re-energisation after a containment breach (H-001) or mechanical jam (H-007) is the primary cause of secondary incidents in pharmaceutical manufacturing. The QA Manager sign-off requirement is mandated by 21 CFR Part 211 supervisory review requirements. The 30-minute clearance period is the minimum time to confirm environmental decontamination by continuous air monitoring. | Test | reqs-eng-session-566 |
| SUB-REQ-046 | While in Maintenance mode, the system SHALL prevent equipment power-on by any means (HMI, PLC, remote command) for any equipment with an active LOTO lock applied, and SHALL display the LOTO status (locked, applied-by, time-applied) on the MES operator display for all maintenance-targeted equipment. Rationale: Maintenance mode requires hardware and software barriers to prevent accidental equipment energisation while personnel are in contact with moving parts (H-007). The LOTO status display requirement supports the operator's situational awareness during multi-person maintenance activities and is an OSHA 29 CFR 1910.147 (Control of Hazardous Energy) compliance requirement. Test verification requires attempting equipment energisation via all three command paths while LOTO is active. | Test | session-562, validation, mode-coverage, maintenance, loto, sil-2, h-007, idempotency:session562-sub-maintenance-loto-display |
| SUB-REQ-047 | While in Degraded Production mode, the system SHALL quarantine all completed batches in MES quarantine status within 60 seconds of batch completion, prevent real-time release of any quarantined batch, and require a QA Manager electronic signature in the EBR before advancing a batch from quarantine following traditional offline QC release (HPLC content uniformity: n≥6, RSD≤2.0%, mean within ±5.0% of label claim). Rationale: Derived from STK-REQ-009 (maintain product quality assurance during PAT sensor degradation) and SYS-REQ-009 (degraded mode production at reduced throughput with traditional QC release). Automatic quarantine within 60 seconds prevents inadvertent real-time release of batches produced without full PAT monitoring. HPLC acceptance criteria (n≥6, RSD≤2.0%) are the validated offline method for content uniformity per USP <905> when real-time PAT release is suspended. | Test | session-562, validation, mode-coverage, degraded, sil-3, h-004, rtrt, idempotency:session562-sub-degraded-rtr-block |
| SUB-REQ-048 | The Containment and Environmental Control Subsystem SHALL detect airborne API concentration above the OEL action limit (80 percent of OEL) and SHALL automatically: (a) activate the Emergency Stop function; (b) close all material transfer valve actuators at the affected station within 5 seconds; (c) switch room HVAC to 100 percent exhaust through HEPA filtration within 15 seconds; and (d) trigger an evacuation alarm audible at 85 dB at 1 metre from the nearest alarm sounder. Rationale: H-001 hazard requires automated response to containment breach without relying on operator action. The 5-second valve closure and 15-second HVAC response times are derived from the airborne dispersion modelling showing that a 20-second response prevents operator dose from exceeding the STEL (Short-Term Exposure Limit). The 85 dB alarm standard meets EN ISO 7731 workplace emergency alarm requirements. | Test | session-562, validation, containment, sil-2, h-001, emergency, idempotency:session562-sub-cec-breach-autoresponse |
| SUB-REQ-049 | The Containment and Environmental Control Subsystem SHALL perform continuous air monitoring at each sampling point at a minimum frequency of 1 sample per 60 seconds during Normal Production and Degraded Production modes, and SHALL maintain air monitoring data in the EBR for a minimum of 10 years for regulatory inspection, with data export in CSV and PDF formats. Rationale: Continuous air monitoring at 1-sample/60-second frequency is required to detect rapid concentration changes before operator exposure reaches the STEL, which is typically measured over 15 minutes. The 10-year data retention period satisfies the 21 CFR 211.180 record retention requirements for pharmaceutical manufacturing with margin. Test verification confirms both the monitoring frequency and the data retention/export functionality. | Test | session-562, validation, containment, monitoring, sil-2, h-001, idempotency:session562-sub-cec-air-monitoring-freq |
| SUB-REQ-050 | When the Cleaning Validation results for any swab location exceed the acceptance limit, the Manufacturing Execution System SHALL automatically quarantine the next batch associated with that equipment, alert the QA Manager via SCADA notification and email, and prevent batch record release until the QA Manager reviews the cleaning deviation and signs the EBR for the affected equipment. Rationale: Cleaning validation failure is the primary trigger for H-002 cross-contamination risk. Automatic quarantine prevents accidental release of potentially contaminated product while the cleaning deviation is investigated. This requirement operationalises the Changeover/Cleaning scenario from the ConOps where a first cleaning attempt fails at location 7. The email and SCADA dual notification ensures the QA Manager is alerted even if not actively monitoring the SCADA screen. | Test | session-562, validation, mes, changeover, sil-3, h-002, idempotency:session562-sub-mes-cleaning-fail-quarantine |
| SUB-REQ-051 | The Material Handling and Dispensing Subsystem SHALL enforce a two-person independent check for all API dispensing operations above 1kg, with electronic confirmation from both operators required in the MES before the dispensing step is closed in the EBR, preventing advancement to the next batch step until both confirmations are received. Rationale: Two-person API dispensing check is a 21 CFR Part 211 critical step verification requirement for potent compounds. The EBR workflow gate preventing step advancement until both confirmations are received ensures the check is performed and documented before product enters the manufacturing process. Incorrect API quantity dispensed (H-002) is a catastrophic quality failure mode. | Test | session-562, validation, material-handling, sil-3, h-002, api-dispensing, idempotency:session562-sub-mhd-two-person-api |
| SUB-REQ-052 | The Tablet Compression Subsystem SHALL perform a real-time metal detection check on the tablet stream at the press output, and when a metallic contaminant is detected, SHALL automatically activate the tablet rejection mechanism to divert a minimum of 10 tablets before and after the detection point to the reject stream, and SHALL generate a critical alarm in the MES with the detected fragment size estimate if available. Rationale: Metal detection at the press output is the last automated line of defence against metallic contamination from broken punch tooling (Tablet Press Jam scenario). The 10-tablet pre/post-detection rejection window accounts for the detection zone uncertainty and tablet discharge timing. A single metallic fragment in a batch poses a patient safety risk categorised as a critical defect under cGMP (21 CFR Part 211). | Test | session-562, validation, tablet-compression, metal-detection, sil-2, idempotency:session562-sub-tc-metal-detection |
| SUB-REQ-053 | The Granulation and Blending Subsystem SHALL monitor for dust explosion risk by measuring dust concentration at the FBD exhaust duct using a continuous dust sensor, and when concentration exceeds 25 percent of the Lower Explosion Limit (LEL), SHALL activate nitrogen inerting flow, reduce FBD airflow to minimum circulation rate, and generate a SIL-2 alarm to the MES within 10 seconds. Rationale: Pharmaceutical powder dust explosion (H-003) is a catastrophic hazard at LEL concentrations. The 25 percent LEL threshold provides a two-fold safety margin below the minimum 50 percent LEL action concentration per ATEX (Directive 2014/34/EU) hazardous area classification. Nitrogen inerting keeps the oxygen concentration in the dust-air mixture below the limiting oxygen concentration at which ignition is possible. The 10-second response time is derived from the maximum dust cloud dispersion rate in the FBD chamber. | Test | session-562, validation, granulation-blending, dust-explosion, sil-2, h-003, atex, idempotency:session562-sub-gb-dust-explosion-inerting |
| SUB-REQ-054 | The Packaging and Serialisation Subsystem SHALL perform 100 percent vision inspection of each blister cavity for correct tablet count, absent tablets, broken tablets, and foreign particles, and SHALL reject any blister pack where the vision system confidence score for any cavity falls below 95 percent, logging rejected pack IDs and rejection reasons to the MES EBR. Rationale: Vision inspection of packaging is the final automated quality gate before product release. Absent or broken tablets in a blister pack constitute a critical defect under cGMP (21 CFR Part 211) that would require batch recall if released to market. The 95 percent confidence threshold is a conservative limit reflecting the validated detection sensitivity for the smallest tablet size variant in the product range. | Test | session-562, validation, packaging, vision-inspection, sil-2, idempotency:session562-sub-pkg-vision-inspection |
| SUB-REQ-055 | The Laboratory Information Management System (LIMS) interface SHALL receive all QC sample requests from the MES within 30 seconds of sample registration in the EBR, return analytical results to the MES within 5 minutes of result entry in LIMS for samples flagged as time-critical (real-time release), and retain rejected results with the rejection reason in both LIMS and MES audit trails. Rationale: LIMS-MES integration latency directly affects real-time release decision cycle time. The 30-second request receipt and 5-minute result return limits are derived from the maximum allowable hold time for in-process samples awaiting analytical results before product quality degrades. The dual audit trail requirement supports 21 CFR Part 11 data integrity across both systems. | Test | session-562, validation, lims, mes, real-time-release, idempotency:session562-sub-lims-mes-latency |
| SUB-REQ-056 | The Electronic Batch Record Engine within the Manufacturing Execution System SHALL generate a batch review summary report in PDF/A format within 15 minutes of batch completion, including all critical process parameter trends, in-process control results, deviation summary, and a compliance checklist against the approved product specification, available for QA Manager review without additional data queries. Rationale: Batch review report generation within 15 minutes of batch completion is required for same-shift QA review in a 12-hour production schedule. PDF/A (ISO 19005) is the long-term archival format used to meet the EU GMP Annex 11 electronic record retention expectations. Test verification confirms the report is generated automatically, the 15-minute SLA is met, and the report content matches the EBR data. | Test | session-562, validation, mes, ebr, batch-review, 21cfr11, idempotency:session562-sub-mes-batch-report-gen |
| SUB-REQ-057 | The Process Analytical Technology Subsystem SHALL maintain a rolling 30-day archive of all CQA model inputs, model outputs, diversion decisions, and calibration check results in a tamper-evident audit log, accessible to QA Analyst and QA Manager roles, exportable in CSV format for retrospective trend analysis and regulatory inspection. Rationale: A 30-day retrospective PAT audit log is required to support deviation investigations, regulatory inspections, and real-time release retrospective reviews under 21 CFR Part 211.180 and EU GMP Annex 11. The tamper-evident requirement is mandated by 21 CFR Part 11 audit trail provisions. Test verification confirms the log is populated correctly, exports are accurate, and tamper evidence is detectable. | Test | session-562, validation, pat, audit-log, sil-3, h-004, idempotency:session562-sub-pat-audit-log |
| SUB-REQ-058 | The Process Analytical Technology Subsystem SHALL provide a qualified user override mechanism that enables a QC Analyst or Production Supervisor to suspend automated CQA-based batch diversion, subject to mandatory EBR electronic signature for each override event, a maximum override duration of 60 minutes without re-authorisation, and automatic restoration of autonomous CQA evaluation when the override expires. Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 3 requires that functionally autonomous safety systems provide a defined and auditable override mechanism. The PAT subsystem makes autonomous SIL-3 diversion decisions; the override must be bounded in duration and logged to prevent unconstrained bypass of the H-004 safety function while allowing legitimate quality judgement by trained personnel. | Test | session-564, validation, pat, sil-3, h-004, functional-autonomy, override, idempotency:session564-sub-pat-autonomy-override |
| SUB-REQ-059 | The Granulation and Blending Subsystem SHALL be installed within a dedicated ISO 8 (Grade D) cleanroom bay, with all product-contact surfaces constructed from 316L stainless steel, and the equipment train (high-shear granulator, fluid bed dryer, bin blender) enclosed in a shared contained material transfer system using ANSI/ISPE OEB 4-compatible transfer connections. Rationale: Physical installation constraints for the granulation and blending subsystem are set by GMP cleanroom classification requirements and potent compound containment requirements (H-001, OEB 4). The 316L stainless steel and OEB 4 transfer connections are mandated by cGMP and product safety requirements. This requirement defines the physical embodiment of the subsystem to resolve the ontological mismatch with its Substrate classification. | Inspection | session-565, granulation-blending, physical-embodiment, lint-fix-lh2, idempotency:ses565-blend-physical-embodiment |
| SUB-REQ-060 | The Process Control System (PCS) SHALL operate from a 24 VDC power supply with a maximum consumption of 500 W per PLC chassis, supported by an uninterruptible power supply (UPS) providing a minimum 30-minute backup at full load, and SHALL annunciate a power failure alarm within 2 seconds of utility power loss. Rationale: PCS power supply and UPS backup requirements are needed to ensure continued operation of safety interlocks and LOTO enforcement logic during utility power failures. The 30-minute UPS duration is derived from the minimum time required to complete a controlled batch shutdown and reach safe state. Without a defined power budget, the PCS cabinet and UPS cannot be correctly specified during detailed design. | Test | session-565, process-control, power-supply, ups, lint-fix-lh6, idempotency:ses565-pcs-power-budget |
| SUB-REQ-061 | The Manufacturing Execution System SHALL implement a hardware watchdog timer with a 30-second timeout that triggers a controlled safe-state transition (suspend batch execution, issue HVAC failsafe command, alert operators) if MES software fails to send a heartbeat signal; and SHALL provide a qualified user emergency override capability enabling a Production Supervisor to halt all MES-controlled automated functions within 10 seconds via a dedicated physical E-STOP button at each operator workstation. Rationale: The MES executes batch recipes autonomously and controls safety-critical equipment interlocks (LOTO, containment). IEC 61508 (Functional safety of E/E/PE safety-related systems) requires that Functionally Autonomous systems at SIL-2 have hardware watchdog supervision and a human-accessible override. The 30-second watchdog timeout is the minimum interval that permits software restart without a spurious safe-state alarm during normal MES operation. | Test | session-565, mes, watchdog, override, functionally-autonomous, sil-2, lint-fix-lh7, idempotency:ses565-mes-watchdog-override |
| SUB-REQ-062 | The Containment and Environmental Control Subsystem SHALL install differential pressure transmitters at each controlled cleanroom boundary (weigh booth to corridor, granulation bay to corridor, and coating/packaging bay to corridor), temperature probes and humidity sensors at product exposure height (0.8–1.2 m above floor) in each classified bay, with all sensor housings constructed from 316L stainless steel and certified to ISO 8 cleanroom installation standards per EU GMP Annex 1. Rationale: SYS-REQ-025 specifies the physical sensor placement and material standards required for cleanroom environmental monitoring — the SYS requirement is facility-level and needs decomposition to the Containment and Environmental Control Subsystem. The installation positions are defined by EU GMP Annex 1 and ICH Q10 (Pharmaceutical Quality System) requirements for representative environmental monitoring. 316L stainless steel prevents corrosion and microbial harbourage in classified areas. | Inspection | session-565, validation, environmental-control, sensor-installation, sil-1, idempotency:session565-sub-envctl-sensor-installation |
| SUB-REQ-063 | The HVAC Air Handling Unit SHALL maintain cleanroom supply air conditions within the range 20±2°C (temperature), 45±5% RH (humidity), and a minimum of 20 air changes per hour for ISO 7 cleanroom grades, as specified in EU GMP Annex 1 (Manufacture of Sterile Medicinal Products). Rationale: EU GMP Annex 1 and SYS-REQ-022 mandate ISO 7/8 cleanroom classification with specific temperature, humidity, and ACH thresholds. Deviation from these conditions compromises cleanroom classification, product quality (hygroscopic API degradation above 50% RH), and GMP compliance, triggering a batch rejection event under the EBR. | Test | subsystem, containment, hvac, environmental-control, sil-2, session-548, idempotency:sub-cec-hvac-cleanroom-conditions-548 |
| SUB-REQ-064 | The HVAC Air Handling Unit SHALL maintain a minimum differential pressure of +10 Pa between adjacent cleanroom grades and -12.5 Pa inside the Potent Compound Isolator relative to the surrounding cleanroom, with the Differential Pressure Monitoring Controller achieving setpoint within 30 seconds of any disturbance. Rationale: SYS-REQ-004 specifies -12.5 Pa minimum inward pressure in OEB 4/5 containment zones. The +10 Pa cascade for adjacent ISO grades prevents cross-contamination between production areas. 30-second setpoint recovery is derived from the time a cleanroom door can remain open during normal operation without compromising room classification (EU GMP Annex 1 Section 4.4). | Test | subsystem, containment, hvac, pressure-cascade, sil-2, session-548, idempotency:sub-cec-hvac-pressure-cascade-548 |
| SUB-REQ-065 | When the Containment Safety PLC detects a containment integrity failure (isolator pressure above -5 Pa for more than 5 seconds, or airborne API concentration above 80% OEL), the Containment and Environmental Control Subsystem SHALL transition to the safe state — switching HVAC to 100% exhaust mode, sealing supply air dampers, and triggering a Level 1 alarm — within 30 seconds of detection. Rationale: SIL-2 safe state requirement per IEC 61508 (Functional safety of E/E/PE safety-related systems). The H-001 hazard (airborne potent compound exposure) safe state is defined as maximum exhaust to dilute any released API below OEL. 30-second transition time is the maximum allowable period for hazardous concentration build-up before exceeding IDLH limits for OEB 4/5 compounds, based on worst-case room volume and release rate modelling. | Test | subsystem, containment, safe-state, sil-2, h-001, emergency, session-548, idempotency:sub-cec-safe-state-breach-548 |
| SUB-REQ-066 | The Environmental Monitoring System SHALL generate an audible and visual alarm within 60 seconds of any cleanroom environmental parameter (temperature, RH, or differential pressure) exceeding its alarm limit, and SHALL transmit the alarm event to the MES EBR engine via OPC UA within the same 60-second window. Rationale: SYS-REQ-006 specifies 60-second alarm response for environmental excursions. The simultaneous MES notification ensures that the deviation is embedded in the electronic batch record at the time of occurrence, satisfying 21 CFR Part 11 (Electronic records and electronic signatures) audit trail requirements and enabling automatic batch deviation records per SYS-REQ-019. | Test | subsystem, containment, ems, monitoring, alarm, session-548, idempotency:sub-cec-ems-alarm-response-548 |
| SUB-REQ-068 | The Containment and Environmental Control Subsystem SHALL maintain cleanroom particle counts at or below ISO 14644-1 Class 7 limits (352,000 particles per cubic metre at 0.5 µm) in granulation and compression bays during active production, verified by the airborne particle counter network at no less than 1 sample per 30 minutes. Rationale: SYS-REQ-022 requires ISO 7 cleanroom classification in granulation and compression bays. Continuous particle monitoring at 30-minute intervals meets ISO 14644-1 (Cleanrooms and associated controlled environments) statistical sampling requirements and detects filter failure or human incursion events before product contamination occurs. | Test | subsystem, containment, monitoring, cleanroom, session-548, idempotency:sub-cec-particle-count-iso7-548 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-021 | The interface between the Environmental Monitoring System and the Manufacturing Execution System SHALL transmit environmental data (temperature, RH, differential pressure, particle counts) via OPC UA protocol at a maximum latency of 10 seconds, with each data point carrying a validated timestamp, EU GMP Annex 11 (Computerised Systems) compliant audit trail, and alarm severity classification. Rationale: SYS-REQ-006 requires environmental alarms within 60s; the EMS-to-MES OPC UA interface must be faster than the alarm response time to enable batch record embedding before alarm acknowledgment. 10-second latency provides margin. OPC UA selected over MODBUS for its native security model (encryption, authentication) required for GxP network-connected systems per ISPE GAMP 5. | Test | interface, containment, ems, mes, opcua, session-548, idempotency:ifc-ems-mes-opcua-548 |
| IFC-022 | The interface between the Containment Safety PLC and the HVAC Air Handling Unit SHALL use a hardwired 24 VDC discrete signal bus for safety-critical commands (emergency exhaust mode, E-stop, damper seal), with maximum signal propagation latency of 100 ms and fail-safe open-circuit behaviour triggering exhaust mode. Rationale: SIL-2 safety interface per IEC 61508 requires a hardwired discrete channel rather than a software-mediated fieldbus for the containment breach response, eliminating software common-cause failures. Fail-safe open-circuit behaviour (de-energise to trip) is mandatory for SIL-2 logic per IEC 62061 Section 6.7. 100 ms maximum propagation is within the 30-second safe state transition budget for H-001. | Test | interface, containment, safety-plc, hvac, sil-2, session-548, idempotency:ifc-safetyplc-hvac-hardwire-548 |
| IFC-023 | The interface between the Differential Pressure Monitoring Controller and the HVAC Air Handling Unit VAV damper actuators SHALL use a 4-20 mA analogue control signal, with a closed-loop PID control update cycle of no greater than 1 second, and SHALL report a fault alarm if any actuator position deviates from commanded position by more than 5% for more than 10 seconds. Rationale: 4-20 mA analogue is the pharmaceutical HVAC industry standard for damper control, providing continuous modulation required for pressure cascade maintenance. 1-second PID cycle ensures the controller can detect and correct pressure disturbances (door opening, equipment start) before they propagate beyond the ±15 Pa excursion limit that triggers an alarm per SYS-REQ-006. | Test | interface, containment, dp-controller, hvac, session-548, idempotency:ifc-dp-controller-hvac-dampers-548 |
| IFC-REQ-001 | The interface between the Process Analytical Technology Subsystem and the Manufacturing Execution System SHALL transmit CQA limit exceedance alarms as structured OPC UA event notifications containing sensor ID, CQA parameter name, measured value, limit value, and timestamp, with end-to-end latency not exceeding 500 milliseconds. Rationale: H-004 drives SIL 3 on the CQA diversion path. The 500ms latency budget is derived from SYS-016's 2-second diversion actuation window: 500ms for PAT-to-MES signalling leaves 1500ms for MES processing, EBR annotation, and valve actuation command. OPC UA is mandated by ISA-95 for MES-to-process integration and provides built-in event semantics. | Test | interface, pat, mes, sil-3, cqa-diversion, session-547, idempotency:ifc-pat-mes-cqa-alarm-547 |
| IFC-REQ-002 | The Process Analytical Technology Subsystem SHALL publish sensor health status to the Manufacturing Execution System via OPC UA monitored items at 10-second intervals (±1 second tolerance), including signal-to-noise ratio, calibration deviation percentage, and operational state (nominal/degraded/failed) for each PAT sensor; in degraded state, SNR SHALL be reported as an absolute value (minimum detectable: SNR < 3.0 triggers 'failed' state) and calibration deviation SHALL be reported in percentage drift from last reference standard (>3.0% drift triggers 'degraded' state). Rationale: SYS-022 requires degraded-mode switching within 30 seconds of sensor degradation. A 10-second health reporting interval gives MES three data points before the 30-second deadline. The SNR threshold (< 3.0) and calibration deviation threshold (>3.0% drift) are derived from the PAT Sensor Drift scenario and validated instrument qualification parameters. These thresholds make the 'degraded' and 'failed' state transitions testable — pass criterion for IFC qualification tests requires demonstrated state changes at the defined thresholds. Added quantified criteria per validation session 566. | Test | interface, pat, mes, sensor-health, session-547, idempotency:ifc-pat-mes-sensor-health-547 |
| IFC-REQ-003 | The Manufacturing Execution System SHALL transmit diversion acknowledgment and operating mode commands to the Process Analytical Technology Subsystem via OPC UA method calls, confirming EBR annotation of each CQA diversion event within 1 second and commanding PAT mode transitions (nominal/degraded/calibration) with response confirmation. Rationale: Bidirectional handshake ensures the EBR records every diversion event before PAT resets its alarm state. The 1-second acknowledgment window is the MES share of the 2-second total diversion budget from SYS-016. Mode commands from MES ensure PAT does not autonomously resume real-time release after sensor degradation without MES-verified recalibration, critical for H-004 mitigation. | Test | interface, pat, mes, cqa-diversion, sil-3, session-547, idempotency:ifc-mes-pat-diversion-ack-547 |
| IFC-REQ-004 | The Process Analytical Technology Subsystem SHALL stream CQA measurement results to the Manufacturing Execution System at 30-second intervals via OPC UA data subscriptions, with each measurement record containing batch ID, equipment ID, timestamp, CQA parameter values (content uniformity, blend homogeneity, particle size distribution), model version, and confidence score. Rationale: SYS-020 requires full batch genealogy linking finished product to process parameter logs. Model version and confidence score are essential for post-hoc investigation when H-004 occurs, enabling root cause analysis to determine whether an OOS release resulted from model error versus process excursion. 30-second interval aligns with SYS-016 PAT acquisition rate. | Test | interface, pat, mes, batch-genealogy, session-547, idempotency:ifc-pat-mes-cqa-data-547 |
| IFC-REQ-005 | When the Manufacturing Execution System transitions the production line to degraded mode, the MES SHALL issue a manual sampling schedule command to the Process Analytical Technology Subsystem specifying 15-minute sampling intervals, sample point locations, and CQA parameters to test offline within 30 seconds of mode transition; SHALL receive sample submission confirmations from PAT within 120 seconds of each scheduled sample time; and SHALL generate a deviation record if any sample submission is not confirmed within 120 seconds of its scheduled time. Rationale: SYS-022 specifies manual in-process testing every 15 minutes during sensor-degraded mode. The 30-second command issuance deadline ensures the first manual sample is scheduled before the PAT monitoring gap exceeds the first 15-minute interval. The 120-second sample submission confirmation window accommodates laboratory analysis time and is the maximum acceptable lag before operator intervention is triggered. Both thresholds are measurable acceptance criteria for degraded-mode qualification. Explicit performance thresholds added per validation session 566 to resolve ambiguousReqs blocker. | Test | interface, degraded-mode, superseded-by-session-554, superseded-by:IFC-REQ-009 |
| IFC-REQ-006 | The interface between the Granulation and Blending Subsystem and the Process Analytical Technology Subsystem SHALL provide real-time NIR spectral data to the PAT DAC Workstation at maximum 30-second intervals for both the Fluid Bed Dryer in-line LOD probe (900-1700 nm, 2 nm resolution) and the IBC Blender in-vessel NIR probe (900-1700 nm, 4 nm resolution), with latency less than 5 seconds from acquisition to CQA model evaluation result. Rationale: The 30-second maximum interval and 5-second latency are derived from REQ-SEPHARMAMANUFACTURING-016 (30-second minimum PAT sample interval). The G&B-to-PAT spectral interface must meet this timing because both LOD endpoint and blend endpoint decisions are safety-quality decisions: a delayed LOD result could allow an under-dried batch to proceed to sizing, degrading PSD and tablet compressibility. | Test | interface, granulation-blending, session-549, idempotency:ifc-gb-pat-nir-549 |
| IFC-REQ-007 | The interface between the Manufacturing Execution System and the Granulation and Blending Subsystem SHALL transmit recipe setpoints (temperature, RPM, time, LOD target) to each equipment PLC within 2 seconds of step initiation, and SHALL receive process data feedback (CPP actual values, mass readings, alarm states) from the G&B subsystem at 10-second intervals for EBR recording. Rationale: The 2-second setpoint delivery latency ensures equipment reaches setpoint before material processing begins — derived from the slowest PLC scan cycle (500ms) plus up to 3 MES polling retries. The 10-second EBR feedback interval is the minimum required for regulatory compliance (FDA 21 CFR Part 11) to reconstruct process conditions during a deviation investigation — coarser intervals would prevent reconstruction of CPP excursions shorter than one interval. | Test | interface, granulation-blending, session-549, idempotency:ifc-mes-gb-recipe-549 |
| IFC-REQ-008 | The interface between the Granulation and Blending Subsystem and the Tablet Compression Subsystem SHALL transfer blended granules in a sealed IBC with a tamper-evident seal applied by an MES-controlled automated sealing station, with the IBC mass and blend-complete authorisation code recorded in the batch genealogy before transfer is permitted. Rationale: The sealed IBC handoff at the G&B-to-compression boundary is the primary batch integrity control point. MES-controlled sealing prevents manual opening or material substitution between blend completion and tablet press charging. The authorisation code links the specific IBC to its blend record, satisfying REQ-020 (batch genealogy) and enabling identification of compression batches affected if an upstream blend deviation is discovered during QC review. | Inspection | interface, granulation-blending, session-549, idempotency:ifc-gb-compression-handoff-549 |
| IFC-REQ-009 | When the Manufacturing Execution System transitions the production line to degraded mode, the MES SHALL issue a manual sampling schedule command to the Process Analytical Technology Subsystem within 30 seconds of mode transition, specifying 15-minute sampling intervals, at minimum 3 CQA parameters (API assay, blend uniformity, moisture content), and all required sample point locations. The MES SHALL receive and EBR-record PAT sample submission confirmations within 5 minutes of each scheduled sampling event; if a confirmation is not received within 5 minutes, the MES SHALL generate a critical alert and log a non-conformance event. Rationale: Derived from IFC-REQ-005. The 30-second command delivery window prevents manual sampling gaps when the PAT system transitions to degraded mode mid-batch. The 5-minute confirmation window is the maximum acceptable sampling latency before a non-conformance event must be logged under 21 CFR 211.192 (batch production records). The minimum 3-CQA-parameter floor ensures that API assay, blend uniformity, and moisture are never deferred, as these are the three attributes that determine batch release or rejection. | Test | interface, degraded-mode, mes, pat-subsystem, session-554, supersedes:IFC-REQ-005, idempotency:ifc-mes-degraded-mode-quantified-554 |
| IFC-REQ-010 | The interface between the Tablet In-Process Control System and the Process Analytical Technology Subsystem SHALL transmit individual tablet weight, hardness, and thickness measurements via OPC UA at a minimum rate of one dataset per sampled tablet (minimum 2 Hz at 120 RPM with every-30th sampling), with timestamp synchronised to UTC ±1 s. Rationale: The PAT CQA model engine uses IPC data combined with NIR content uniformity to generate composite CQA predictions. Time synchronisation to UTC ±1 s is required to correlate IPC tablet weight with the NIR spectral acquisition window — a NIR scan lasts 30 s and covers ~3,600 tablets at 120 RPM; a 1 s timestamp error spans ~120 tablets, acceptable for the correlation model. | Test | session-556, idempotency:ifc-tc-ipc-pat-556 |
| IFC-REQ-011 | The interface between the Tablet Compression Subsystem and the Manufacturing Execution System SHALL write all in-process tablet rejection events (timestamp, station number, force value, reject reason) to the electronic batch record within 10 seconds of the rejection event, and SHALL write a subsystem status change (normal/degraded/stopped) to the MES within 5 seconds of the state transition. Rationale: 21 CFR Part 11 requires complete electronic batch records with no gaps; individual rejection events must be recorded because each rejected tablet represents an attributed product loss that the batch genealogy must account for. The 10-second write latency is a practical limit derived from MES database write performance at high-throughput compression (up to 500 rejections/min at 5% rejection rate); longer would risk buffer overflow and data loss. | Test | session-556, idempotency:ifc-tc-mes-ebr-556 |
| IFC-REQ-012 | The interface between the Film Coating Subsystem and the Manufacturing Execution System SHALL transmit coating recipe parameters (pan speed, inlet temperature, spray rate, atomisation pressure, target weight gain) from the MES to the coating subsystem and return in-process coating parameters (actual inlet/outlet temperature, spray rate, tablet weight gain) and batch disposition decisions to the MES at a minimum 30-second update interval, with all data writes to the Electronic Batch Record completed within 60 seconds of measurement. Rationale: Film coating is a GMP-controlled operation under 21 CFR Part 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals); recipe execution parameters and in-process measurements are mandatory EBR entries. The 30-second update interval matches the coating process dynamics (pan rotation period ~10–20 seconds) and ensures that any excursion from coating weight target is captured within one control cycle before batch rejection criteria are exceeded. | Test | session-558, qc, film-coating, mes, idempotency:ifc-012-film-coating-mes-v1 |
| IFC-REQ-013 | The interface between the Tablet Compression Subsystem and the Film Coating Subsystem SHALL transfer compressed tablet cores via a closed IBC transfer system, with the Tablet Compression Subsystem providing a signed transfer record (batch ID, weight, tablet count, core hardness mean ± 3σ, friability result) to the Film Coating Subsystem before any coating operation commences; the Film Coating Subsystem SHALL reject the transfer if any core attribute falls outside the predefined acceptance range defined in the batch record. Rationale: Physical hand-off between compression and coating is a critical GMP in-process release step under 21 CFR Part 211.110 (Sampling and testing of in-process materials). Core quality attributes (hardness, friability) directly determine coating adhesion and film integrity; out-of-specification cores entering the coater cause coating defects that are difficult to detect without destructive testing post-coating. A signed transfer record with a defined rejection gate prevents downstream waste and protects batch integrity. | Inspection | session-558, qc, tablet-compression, film-coating, idempotency:ifc-013-compression-coating-v1 |
| IFC-REQ-014 | The interface between the Packaging and Serialisation Subsystem and the Manufacturing Execution System SHALL receive batch release authorisation and serialisation master data (product code, batch number, expiry date, GTIN) from the MES prior to line start, and SHALL return completed pack-level and case-level serial number aggregation records to the MES within 5 minutes of line clearance, with 100% serial number reconciliation enforced before the MES records batch disposition as complete. Rationale: EU Falsified Medicines Directive (FMD) Delegated Regulation 2016/161 and US Drug Supply Chain Security Act (DSCSA) mandate unique serialisation of every saleable unit and full aggregation to case and pallet level. The MES is the system of record for batch disposition; packaging cannot begin without MES authorisation (GMP two-person batch release) and the EBR cannot be closed without confirmed serial number reconciliation. The 5-minute reconciliation window is determined by regulatory serialisation verification system response time SLAs. | Test | session-558, qc, packaging, mes, serialisation, idempotency:ifc-014-packaging-mes-v1 |
| IFC-REQ-015 | The interface between the Film Coating Subsystem and the Packaging and Serialisation Subsystem SHALL transfer coated tablets via a closed IBC or chute system, with the Film Coating Subsystem providing a signed in-process release record (coating weight gain mean ± 2σ, dissolution test result if performed, appearance inspection result) to the Packaging Subsystem before any packaging operation commences; the Packaging Subsystem SHALL block line start and alert the MES if the release record is absent or indicates an out-of-specification attribute. Rationale: Coated tablets are the final intermediate product before primary packaging; coating weight gain and dissolution performance are Critical Quality Attributes per ICH Q8 (Pharmaceutical Development) and must be within specification before patients could be exposed to the dosage form. A hard interlock preventing packaging without a valid release record eliminates the GMP deviation risk of packaging non-conforming tablets, which would require a costly and time-consuming recall. | Inspection | session-558, qc, film-coating, packaging, idempotency:ifc-015-coating-packaging-v1 |
| IFC-REQ-016 | The interface between the Containment and Environmental Control Subsystem and the Manufacturing Execution System SHALL transmit classified area environmental parameters (temperature, relative humidity, differential pressure, particle counts at ≥0.5 µm and ≥5 µm) to the MES at a minimum 5-minute update interval; when any parameter exceeds the action limit defined in the Site Master File, the MES SHALL halt all affected manufacturing operations and record an environmental deviation event in the Electronic Batch Record within 30 seconds of alarm receipt. Rationale: GMP cleanroom environments under EU GMP Annex 1 (Manufacture of Sterile Medicinal Products) and ISO 14644-1 (Cleanrooms and associated controlled environments) require continuous environmental monitoring with documented response to excursions. For OEB 4/5 potent compound areas (OEL < 1 µg/m³), pressure differential loss is a safety-critical event: if the containment zone fails to positive pressure relative to adjacent areas, potent aerosol can escape into them. The 30-second MES halt window is set to prevent more than one in-process tablet unit from being produced in an unmonitored environment. | Test | session-558, qc, containment, mes, environmental, idempotency:ifc-016-containment-mes-v1 |
| IFC-REQ-017 | The interface between the Material Handling and Dispensing Subsystem and the Manufacturing Execution System SHALL receive dispensing orders (material code, lot number, target weight, tolerance ±0.1%) from the MES and SHALL return verified dispensing records (material identity confirmed by NIR verification, actual dispensed weight, operator ID, balance calibration status) to the MES within 60 seconds of each weighing operation; the MES SHALL reject any dispensing record where the actual weight deviates from target by more than ±0.5% and record a GMP deviation event. Rationale: Dispensing is the first in-process step in oral solid dosage manufacturing and the point of highest risk for API content non-uniformity. EU GMP Part II (API manufacturing) and 21 CFR Part 211.101 (Charge-in of components) require documented verification of material identity and weight for every dispensing event. A ±0.1% target tolerance with ±0.5% rejection threshold provides a two-sigma safety margin against dosage uniformity failure while remaining achievable by calibrated pharmaceutical balance equipment (typical METTLER-TOLEDO ICS balance accuracy ±0.02%). | Test | session-558, qc, material-handling, mes, dispensing, idempotency:ifc-017-material-handling-mes-v1 |
| IFC-REQ-018 | The interface between the Material Handling and Dispensing Subsystem and the Granulation and Blending Subsystem SHALL physically transfer dispensed and verified raw material containers (IBCs, drums, sacks) to the granulator charge point using a documented, barcode-verified transfer protocol; the Granulation and Blending Subsystem SHALL perform a secondary identity verification scan of each container barcode against the dispensing record before allowing material to be charged into the high shear granulator, and SHALL reject and alert the MES if any container scan fails identity verification. Rationale: The physical handoff from dispensing to granulation is the last point at which a wrong material or wrong lot can be intercepted before it is irreversibly mixed into a granule batch. A double-verification protocol (dispensing NIR + granulation barcode scan) implements a two-barrier defence against mix-ups, which is a root-cause pattern in pharmaceutical recalls (FDA recall database analysis: ~12% of solid dosage form recalls involve wrong API or wrong excipient). Barcode verification at the charge point is low-cost relative to the cost of a contaminated batch recall (~0–50M). | Inspection | session-558, qc, material-handling, granulation, idempotency:ifc-018-material-granulation-v1 |
| IFC-REQ-019 | The interface between the Enterprise Resource Planning System and the Manufacturing Execution System SHALL deliver electronic production orders (product code, target batch size, BOM version, planned start date) from the ERP to the MES at least 24 hours before scheduled manufacturing start, and SHALL receive confirmed batch yield, actual cycle time, and material consumption quantities from the MES within 4 hours of batch completion; the MES SHALL not allow production to commence without a valid, ERP-issued production order reference in the Electronic Batch Record header. Rationale: GMP site operations under EU GMP Part I require that every manufacturing operation is performed against an authorised, documented production order. The ERP-to-MES production order handshake is the GMP-mandated control preventing unauthorised or unplanned manufacturing (an audit finding category). Batch yield and consumption data returned to ERP enable inventory reconciliation and release cost accounting. The 24-hour advance notice requirement allows the MES to stage material dispensing orders and equipment verification tasks within the current shift schedule. | Test | session-558, qc, erp, mes, production-order, idempotency:ifc-019-erp-mes-v1 |
| IFC-REQ-020 | The interface between the Laboratory Information Management System and the Manufacturing Execution System SHALL receive in-process and release sample requests generated by the MES (sample ID, sample point, test method, specification reference), and SHALL return analytical results (test method, result value with units, specification limits, pass/fail verdict, analyst ID, instrument ID) to the MES within the turnaround time specified in the master test schedule; the MES SHALL block batch disposition to 'released' status until all mandatory release test results are received from LIMS with a passing verdict. Rationale: GMP batch release under 21 CFR Part 211.165 and EU GMP Chapter 4 requires that all specified release tests are completed with documented results before a batch is released for distribution. LIMS is the system of record for analytical results; the MES is the system of record for batch disposition. The bi-directional interface ensures a closed-loop release workflow where sample chain of custody, analytical data, and batch status are maintained in separate validated systems with a defined integration point, reducing the risk of manual transcription errors that have historically driven pharmaceutical data integrity citations. | Test | session-558, qc, lims, mes, batch-release, idempotency:ifc-020-lims-mes-v1 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The PAT Subsystem SHALL comprise three sensor instruments (NIR spectrometer, Raman spectrometer, Laser Diffraction Analyser) connected to a centralised DAC Workstation, sustaining real-time CQA monitoring with any two instruments operational when one fails. Rationale: Three-instrument PAT architecture selected over single-sensor design to enable degraded-mode operation (SIL-3 H-004 mitigation). Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-002 | The Manufacturing Execution System SHALL comprise five functional modules: Electronic Batch Record Engine, Recipe Management, In-Process Control, Equipment Lifecycle Management, and Material Tracking, communicating via a GAMP 5 Category 4 qualified internal event bus. Rationale: Five-module MES architecture selected to align with 21 CFR Part 11 compliance domains and GAMP 5 (Good Automated Manufacturing Practice) categorisation. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-003 | The Granulation and Blending Subsystem SHALL implement a linear single-train process sequence: High Shear Granulator, Granule Transfer System, Fluid Bed Dryer, Granule Sizing Mill, and IBC Blender, in that order without parallel processing paths. Rationale: Linear single-train topology minimises inter-vessel transfer complexity and OEB containment breaches. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-004 | The Tablet Compression Subsystem SHALL comprise four components: Rotary Tablet Press operating at 20–80 RPM with per-station punch force monitoring, IPC Sampling Station, Metal Detection Unit, and Tablet Diversion Gate controlled by the PAT Subsystem and MES. Rationale: Four-component architecture provides complete in-process surveillance. The Metal Detection Unit and Tablet Diversion Gate are safety-critical components for H-004 mitigation. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-005 | The Manufacturing Execution System SHALL be deployed on a dedicated redundant server pair (active-passive) housed in the plant's Grade C server room, with each server providing a minimum of 8 CPU cores, 32 GB RAM, and 2 TB RAID-6 storage, dimensioned to host all MES application components and support concurrent access by 20 users. Rationale: MES physical server infrastructure is a constraint derived from system performance (concurrent users, EBR throughput) and pharmaceutical GMP requirements for dedicated IT environments. The redundant pair ensures SIL-2 availability for the EBR and LOTO safety functions (H-006, H-007). Physical embodiment requirement resolves ontological mismatch between software classification and physical installation constraints. | Test | session-565, mes, physical-embodiment, lint-fix-lh1, idempotency:ses565-mes-physical-server-infra |
| ARC-REQ-006 | The Manufacturing Execution System SHALL be validated as ISPE GAMP 5 Category 4 software, with no biological components, no interaction with biological materials or organisms, and no requirement for biocompatibility or sterilisation certification; all MES hardware and software components SHALL be validated for pharmaceutical manufacturing environments per FDA 21 CFR Part 11 and EU GMP Annex 11 only. Rationale: An explicit statement that the MES is Category 4 software with no biological embodiment is required to prevent misclassification in regulatory submissions and risk assessments. The MES interfaces with biological manufacturing processes but is not itself a biological system; this requirement establishes the validation category and confirms that biological safety regulations (ISO 10993) do not apply to MES components. | Inspection | session-565, mes, gamp5, non-biological, lint-fix-lh5, idempotency:ses565-mes-gamp5-non-biological |
| ARC-REQ-007 | The process control system SHALL be powered from a dedicated 24 VDC industrial power supply rated at 1000 W with ±1% voltage regulation, protected by an online double-conversion UPS providing 30 minutes autonomy at full PLC load, and SHALL monitor supply voltage continuously, triggering a panel alarm if supply drops below 23.0 VDC or rises above 25.0 VDC. Rationale: The process control system's PLCs and safety I/O are safety-critical components (SIL-2, H-007 LOTO enforcement). A defined power supply specification and UPS backup are required to ensure continued interlocking function during mains power disturbances. The 24 VDC 1000 W specification is typical for mid-size PLC installations supporting 64 I/O modules and safety relay outputs. Voltage monitoring prevents silent hardware faults. | Test | session-565, process-control-system, power, ups, lint-fix, idempotency:ses565-pcs-power-explicit |
| ARC-REQ-010 | ARC: Material Handling and Dispensing — The material handling function is separated from granulation because it operates in a distinct cleanroom zone (ISO 7 weigh booth with laminar flow), has a different contamination control strategy (lot segregation, cleaning between materials vs. in-process cleaning between batches), and interfaces with ERP for material identity verification. Alternative considered: combining dispensing with granulation as a single feed-to-granulate train. Rejected because dispensing serves multiple downstream processes in multi-product facilities and has independent regulatory audit requirements (material traceability per EU GMP Annex 11). Rationale: Material handling and dispensing is architecturally separated from granulation because it operates under a distinct contamination control regime: ISO 7-classified weigh booth with laminar flow, lot segregation between materials, and independent regulatory audit trail per EU GMP Annex 11. Combining dispensing with granulation would collapse two independent failure domains (material identity error vs. in-process granulation failure) into one subsystem, increasing consequence of a single point failure. | Inspection | architecture, material-handling, session-2, idempotency:arc-material-handling-2, informational |
| ARC-REQ-011 | ARC: Film Coating — The coating function is separated from compression because it operates a fundamentally different process (thermal spray-coating vs. mechanical forming), uses distinct equipment (perforated pan coater vs. rotary press), and has independent failure modes (spray nozzle blockage, coating uniformity) unrelated to compression quality. Alternative considered: integrating coating as a post-compression stage within the tablet compression subsystem. Rejected because coating operates at different throughput rates (45-minute batch cycle vs. continuous compression), requires separate air handling with solvent exhaust, and is optional for some products (uncoated tablets bypass this subsystem entirely). Rationale: Film coating is architecturally separated from tablet compression because the two functions occupy different process domains: thermal spray-coating in a perforated pan coater versus high-speed mechanical forming in a rotary press. Their failure modes are independent (nozzle blockage, coating non-uniformity vs. punch breakage, tooling wear), they operate at incompatible throughput rates (45-minute batch cycle vs. continuous compression), and coating is optional for some products — uncoated tablets bypass the subsystem entirely. Merging them would create an unnecessary operational dependency and a more complex failure analysis. | Inspection | architecture, film-coating, session-2, idempotency:arc-film-coating-2, informational |
| ARC-REQ-012 | ARC: Packaging and Serialisation — Packaging and serialisation are combined into a single subsystem because they operate on the same physical line (blister forming, inspection, serialisation, aggregation are sequential stations on one conveyor), share a common data chain (serial number generation through to EPCIS upload), and are jointly regulated under EU FMD (Delegated Regulation 2016/161) and US DSCSA. Alternative considered: separating serialisation as a standalone IT subsystem. Rejected because the serialisation data flow is tightly coupled to physical packaging events (each blister sealed triggers serial number application), and separating them creates an interface complexity that adds failure modes without reducing coupling. Rationale: Packaging and serialisation are combined into a single subsystem because physical packaging events (blister sealing) and serialisation data events (serial number application) are causally coupled at every station — separating them would require a cross-subsystem interface at the point of highest coupling, adding failure modes without reducing interdependency. EU FMD Delegated Regulation 2016/161 (Falsified Medicines Directive) and US DSCSA jointly regulate the combined function, making a unified compliance boundary architecturally appropriate. | Inspection | architecture, packaging, session-2, idempotency:arc-packaging-serial-2, informational |
| ARC-REQ-013 | ARC: Containment and Environmental Control — Environmental monitoring (HVAC, cleanroom) and containment (potent compound isolation, E-stop, machine safety) are combined because they share a common safety PLC, building utilities interface (air handling, pressure control), and SIL 2 safety integrity requirement. Their failure modes are correlated — loss of HVAC compromises both cleanroom classification and containment pressure cascade. Alternative considered: separating containment (safety function) from HVAC (environmental function). Rejected because the containment strategy depends on HVAC pressure cascade control — a containment breach response (switch to 100% exhaust) is an HVAC operating mode, not a separate system. Splitting them creates a dangerous interface where a containment alarm must command HVAC changes across a subsystem boundary. Rationale: Containment (potent compound isolation, E-stop, machine safety) and environmental monitoring (HVAC, cleanroom) are combined because their failure modes are causally correlated: loss of HVAC directly compromises containment pressure cascade, and the containment breach response (switch to 100% exhaust) is implemented as an HVAC operating mode. Separating them would place a SIL-2 safety function (containment breach response) across a subsystem interface, creating a cross-boundary command latency risk. A shared safety PLC governs both functions, making a single combined subsystem the safer and simpler architecture. | Inspection | architecture, containment, environmental, session-2, idempotency:arc-containment-env-2, informational |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-108 | Verify SUB-REQ-063: During factory acceptance testing, operate the HVAC Air Handling Unit at nominal setpoints for 2 hours and record temperature, RH, and ACH at six measurement points across the ISO 7 cleanroom bay. Pass criterion: all six locations within 20±2°C, 45±5% RH, and minimum 20 ACH continuously for 60 minutes. Rationale: FAT under controlled factory conditions allows verification of HVAC performance against cleanroom specification before GMP facility installation. Six measurement points ensure spatial uniformity is confirmed, not just average values. | Test | verification, containment, hvac, session-548, idempotency:ver-sub-063-hvac-conditions-548 |
| VER-109 | Verify SUB-REQ-065: In a qualified test environment, simulate containment integrity failure by allowing isolator pressure to rise above -5 Pa (loss of negative pressure) for 6 seconds. Measure time from PLC fault detection to confirmation of: HVAC 100% exhaust mode, supply dampers sealed, and Level 1 alarm triggered. Pass criterion: all three responses achieved within 30 seconds. Rationale: Safe state transition test is the primary SIL-2 verification method per IEC 61508-4 Section 7.4. The test must be executed with the actual safety PLC and HVAC hardware under worst-case conditions (highest process load) to be valid for the safety case. | Test | verification, containment, safe-state, sil-2, session-548, idempotency:ver-sub-065-safe-state-548 |
| VER-110 | Verify IFC-021: Generate an environmental alarm event in the EMS test environment and measure end-to-end latency from alarm trigger to receipt of OPC UA message in the MES EBR engine. Verify alarm record includes timestamp, severity, and audit trail entry per 21 CFR Part 11. Pass criterion: latency less than 10 seconds across 20 consecutive trials with no failed transmissions. Rationale: Integration test at the EMS-MES boundary is the minimum viable verification for a GxP data interface. Twenty consecutive trials at production load provides statistical confidence that the interface meets the 10-second latency requirement under realistic EMS polling cycles. | Test | verification, containment, ems, mes, interface, session-548, idempotency:ver-ifc-021-ems-mes-548 |
| VER-111 | Verify IFC-022: Interrupt the 24 VDC hardwired signal bus between the Containment Safety PLC and the HVAC Air Handling Unit by disconnecting the emergency exhaust command signal. Measure time to HVAC exhaust mode activation. Pass criterion: HVAC switches to exhaust mode within 100 ms of signal interruption (open-circuit = fail-safe). Rationale: Fail-safe open-circuit behaviour is a SIL-2 architectural requirement per IEC 61508. The hardwired channel cannot be verified by software simulation alone; physical disconnection testing is required to confirm the fail-safe direction and timing for the safety case. | Test | verification, containment, safety-plc, hvac, sil-2, interface, session-548, idempotency:ver-ifc-022-safetyplc-hvac-548 |
| VER-112 | Verify end-to-end containment response chain: introduce a simulated OEB 4 API dust release at the Potent Compound Isolator exhaust port and measure the sequence from airborne concentration exceeding 80% OEL (detected by API monitor) through Safety PLC fault response to HVAC exhaust mode activation and EMS alarm embedding in MES EBR. Pass criterion: complete chain within 30 seconds, EBR entry created with alarm timestamp. Rationale: End-to-end system integration test validates the SIL-2 safety chain from sensor detection through logic to actuator response and data recording, as required by IEC 61508 Section 7.4 for functional safety verification. This test cannot be replaced by individual component tests because it verifies the timing of the complete chain under realistic conditions. | Test | verification, containment, e2e, integration, sil-2, session-548, idempotency:ver-cec-e2e-integration-548 |
| VER-113 | Verify IFC-023: Connect a calibrated position sensor to an HVAC VAV damper actuator. Command position changes via the Differential Pressure Monitoring Controller at 1-second intervals. Verify PID closed-loop response updates within 1 second and position feedback remains within 5% of commanded value. Inject a blocked actuator fault; verify alarm within 10 seconds. Pass criterion: all 20 command cycles within 1 s, zero false positives. Rationale: IFC-023 specifies a 1-second PID update cycle and 5% position tolerance. The PID response test must be performed at the physical actuator interface to confirm that the analogue 4-20 mA control loop achieves the specified accuracy under realistic HVAC load conditions. | Test | verification, containment, dp-controller, hvac, interface, session-548, idempotency:ver-ifc-023-dp-hvac-548 |
| VER-114 | Verify SUB-REQ-064: Disturb cleanroom pressure by propping a pass-through door open for 10 seconds during operational conditions. Measure time for Differential Pressure Monitoring Controller to restore: +10 Pa between ISO 7 cleanroom and corridor, and -12.5 Pa inside Potent Compound Isolator. Pass criterion: both setpoints restored within 30 seconds, no pressure undershoot below -15 Pa in isolator. Rationale: Pressure cascade setpoint recovery under door-disturbance is the worst-case realistic test for HVAC PID response in a pharmaceutical cleanroom. The 30-second recovery criterion is the same as the containment safe state transition budget, ensuring the HVAC can restore containment before the safety PLC would trip. | Test | verification, containment, pressure-cascade, sil-2, session-548, idempotency:ver-sub-064-pressure-cascade-548 |
| VER-REQ-001 | The verification activity for SUB-REQ-003 SHALL inject a pre-characterised reference standard tablet spectrum into the PAT DAC Workstation and confirm that CQA model evaluation completes and returns a pass/fail classification within the specified 30-second sample interval cycle. Rationale: SIL-3 H-004 safety function: CQA model latency directly determines how many OOS tablets pass before the diversion valve responds. The 2-second criterion bounds the number of tablets at risk between sensor acquisition and valve actuation at 60 RPM press speed (approximately 4 tablets per second) to fewer than 8 tablets, which is within the divertible buffer volume. | Test | reqs-eng-session-555 |
| VER-REQ-002 | The verification activity for SUB-REQ-004 SHALL apply a CQA limit-exceedance command to the Diversion Valve Assembly pneumatic solenoid at operating pressure (5-7 bar) and confirm that valve position transitions from accept to reject within 2 seconds as measured by dual limit switch feedback across 10 test actuations. Rationale: SIL-3 H-004 safe state: the valve must reach the reject position before the next tablet reaches the accept stream. At 60 RPM press speed, tablets exit at 1-second intervals; 500ms actuation leaves a 500ms margin. The spring-return test verifies fail-safe behaviour — the hardware safety function independent of software. | Test | reqs-eng-session-555 |
| VER-REQ-003 | The verification activity for SUB-REQ-005 SHALL inject a degraded NIR reference spectrum (SNR reduced by 50% via attenuation filter) into the PAT subsystem and confirm that the sensor diagnostic algorithm detects the degradation within 15 seconds and generates a sensor health alert to the DAC Workstation. Rationale: SIL-3 H-004: sensor degradation that is not detected means CQA model predictions are based on corrupted spectra, potentially releasing OOS product without triggering diversion. The 15-second detection window allows one to two press rotations before the operator is notified to switch to manual sampling mode. | Test | reqs-eng-session-555 |
| VER-REQ-004 | The verification activity for IFC-REQ-001 SHALL inject 100 consecutive simulated CQA limit-exceedance events at the PAT DAC Workstation OPC-UA server, measure the alarm transit time to confirmed receipt at the MES OPC-UA client, and confirm that all 100 events arrive within 500 ms with zero loss. Rationale: SIL-3 H-004 interface criticality: the CQA alarm is the trigger for MES to confirm diversion and lock the batch record. If the alarm is lost or delayed beyond 500ms, OOS product may enter the accept stream. The 1000-event soak test detects intermittent OPC-UA subscription failures that may not appear in short tests. | Test | reqs-eng-session-555 |
| VER-REQ-005 | The verification activity for IFC-REQ-003 SHALL measure, following receipt of a CQA alarm from the PAT subsystem, the elapsed time for the MES to transmit a diversion acknowledgment and operator disposition to the PAT DAC Workstation, and confirm transmission completes within the specified interface latency for 20 consecutive alarm events. Rationale: SIL-3 H-004 interface: the acknowledgment confirms to the PAT system that the MES has registered the diversion event and locked the relevant batch record segment. Without this confirmation, the PAT system cannot determine whether a second CQA exceedance is a new event or a duplicate of the unacknowledged prior alarm. | Test | reqs-eng-session-555 |
| VER-REQ-006 | The verification activity for SUB-REQ-008 SHALL attempt to execute each of the five 21 CFR Part 11 critical EBR actions (batch initiation, exception handling, parameter override, batch release, deviation closure) without providing valid electronic credentials, and confirm that the MES rejects all five attempts without committing any record. Rationale: SIL-2 H-006 data integrity: unsigned EBR entries are inadmissible as evidence in FDA inspection and can result in consent decree or product recall. The 100% rejection criterion is absolute — no partial authentication tolerance exists under 21 CFR Part 11.50. | Test | reqs-eng-session-555 |
| VER-REQ-007 | The verification activity for SUB-REQ-011 SHALL apply a maintenance lock to the rotary tablet press entry in the MES LOTO registry and confirm that subsequent equipment restart commands issued via operator HMI and programmatic API are both rejected with an interlock alarm until the lock is formally removed. Rationale: SIL-2 H-007 mechanical entrapment: the LOTO restart prevention is the primary software barrier preventing a maintenance technician from being caught in moving equipment. The test must exercise the OPC-UA programmatic path — not only the HMI path — because PLC restart commands may bypass the HMI in some process recovery sequences. | Test | reqs-eng-session-555 |
| VER-REQ-008 | The verification activity for SUB-REQ-010 SHALL write 500 sequential EBR entries via the MES API, run the hash chain integrity verification job, confirm no discontinuities, then modify one mid-chain record directly and confirm the MES detects the discontinuity and generates an integrity alert within 60 seconds. Rationale: SIL-2 H-006: the SHA-256 hash chain is the technical control proving EBR entries have not been altered post-signature. The tamper detection test must use direct database manipulation rather than API manipulation because 21 CFR Part 11 treats database-level tampering as the primary threat model for electronic records. | Test | reqs-eng-session-555 |
| VER-REQ-009 | The verification activity for the end-to-end PAT-to-diversion chain SHALL measure total latency from spectrum injection at the NIR spectrometer through CQA model evaluation, OPC-UA alarm to MES, MES diversion acknowledgment, and Diversion Valve Assembly confirmed actuation, and confirm the cumulative chain latency is within the SIL-3 H-004 limit for 5 consecutive test runs. Rationale: The end-to-end test is the definitive SIL-3 H-004 safety case evidence. Individual component tests confirm subsystem compliance but do not demonstrate that the chain functions correctly under realistic load conditions. The 3-second total budget combines the 2-second model evaluation bound plus 500ms alarm transmission plus 500ms valve actuation margin. | Test | reqs-eng-session-555 |
| VER-REQ-010 | The verification activity for SUB-REQ-002 SHALL scan a certified reference material (polystyrene NIST SRM 1921b) using the Raman spectrometer and confirm that the instrument acquires a full spectrum covering the 200–3200 cm⁻¹ range with spectral resolution ≤4 cm⁻¹ at the 30-second specified interval. Rationale: Raman spectrometer performance verification confirms the instrument meets specification for blend uniformity monitoring. NIST-traceable reference materials provide measurement traceability required for GxP instrument qualification (IQ/OQ). | Test | reqs-eng-session-555 |
| VER-REQ-011 | The verification activity for SUB-REQ-007 SHALL measure a certified glass bead reference standard (NIST SRM 1018c, D50 = 57 µm ±3%) using the laser diffraction analyser with dry dispersion at 0.5 bar, and confirm the measured D10/D50/D90 values are within the certified tolerance band in 5 consecutive measurements. Rationale: Laser diffraction qualification confirms the instrument meets specification for granulation endpoint monitoring. D50 accuracy within 5% is the ICH Q8 acceptance criterion for particle size measurement in granulation development; repeatability RSD <2% meets GAMP 5 Category 3 instrument qualification requirements. | Test | reqs-eng-session-555 |
| VER-REQ-012 | The verification activity for SUB-REQ-015 SHALL simulate an EBR data integrity failure by injecting a hash chain discontinuity and confirm that the MES transitions operators to paper-backup recording mode within 30 minutes, that paper backup records are available to operators within 5 minutes of the alert, and that recovery to electronic recording is possible from the last verified backup. Rationale: SIL-2 H-006 safe state: when electronic records cannot be guaranteed tamper-evident, GMP requires a fallback to paper records to maintain the manufacturing record continuity required for batch release. The 30-minute window reflects the EU GMP Annex 11 requirement for backup systems to be available promptly. | Demonstration | reqs-eng-session-555 |
| VER-REQ-013 | The verification activity for IFC-REQ-006 SHALL connect a calibrated NIR reference spectrometer in parallel with the FBD in-line probe, inject 10 pre-characterised reference spectra spanning the LOD validation range (0.5% to 3.5%), and confirm that the LOD values reported via the G&B subsystem interface agree with the reference within the specified tolerance. Rationale: IFC-REQ-006 specifies maximum 30-second spectral data intervals and 5-second CQA model evaluation latency for the G&B-to-PAT NIR interface. The parallel-reference-spectrometer test method is chosen because it provides independent ground truth for both the data values (via certified reference spectra) and the timing (via synchronized timestamps). If this interface has latency >5 seconds under load, the PAT system receives stale LOD values and may issue false blend-endpoint signals — potentially releasing under-dried granulate with LOD above target into the IBC blender. | Test | reqs-eng-session-555 |
| VER-REQ-014 | The verification activity for IFC-REQ-007 SHALL trigger a simulated G&B batch start in the MES and measure the elapsed time from MES step initiation signal to PLC setpoint receipt confirmation at the HSG, FBD, and IBC Blender PLCs, confirming all three PLCs acknowledge within the specified interface response time. Rationale: Integration test to verify MES-to-G&B recipe delivery latency and EBR feedback interval under production load conditions. | Test | reqs-eng-session-555 |
| VER-REQ-015 | The verification activity for the end-to-end Granulation and Blending cycle SHALL load a validated product recipe into the MES, execute one complete G&B cycle from API powder charge to IBC seal, and confirm granulation endpoint, drying LOD within specification, sized granule D90 ≤ 1 mm, blend RSD ≤ 5.0% across stratified samples, and complete MES batch record with all IPC entries. Rationale: End-to-end integration test verifying the complete G&B process train produces granules meeting all CQA specifications under recipe control. This test is the minimum viable verification for GMP process validation (PV Stage 2) sign-off of the G&B subsystem. | Test | reqs-eng-session-555 |
| VER-REQ-016 | The verification activity for IFC-REQ-008 SHALL complete a G&B cycle producing a sealed IBC, inspect the tamper-evident seal, and confirm that the MES batch genealogy record contains the IBC mass, blend authorisation code, and lot number linking the IBC to its input raw material charges. Rationale: IBC handoff integrity is verified by inspection of the seal and genealogy record, with a negative test (blocked press start) confirming the MES access control. This matches the regulatory requirement for documented batch record evidence (21 CFR 211.182). | Inspection | reqs-eng-session-555 |
| VER-REQ-017 | The verification activity for IFC-REQ-002 SHALL inject an NIR reference degradation (40% signal attenuation) while the PAT subsystem is in nominal operation, and confirm that the MES receives an OPC UA sensor health update indicating degraded status within 10 seconds of the attenuation event. Rationale: IFC-REQ-002 is the primary early-warning signal for the PAT-MES CQA diversion path. Verification requires injecting a controlled degradation to confirm the OPC UA publish cycle, field completeness, and state machine transition. Failure to verify this interface could allow undetected sensor drift to produce undetected quality deviations in product. | Test | reqs-eng-session-555 |
| VER-REQ-018 | The verification activity for IFC-REQ-004 SHALL log MES CQA data receipt timestamps against PAT OPC UA publish timestamps during a simulated production run, inject a known OOS API concentration sample, and confirm the diversion decision is transmitted to the MES within the specified interface latency. Rationale: IFC-REQ-004 is the real-time CQA measurement stream that drives diversion decisions. End-to-end latency of the MES OPC UA subscription must be verified under live production protocol to confirm diversion is triggered within the 2-second hard limit before non-conforming material passes the diversion valve. This is the safety-critical data path for batch release. | Test | reqs-eng-session-555 |
| VER-REQ-019 | The verification activity for SUB-REQ-009 SHALL attempt to modify a completed EBR field via direct database access and via the MES UI, and confirm in both cases that the hash chain invalidation is detected and a tamper alert is generated within 60 seconds without the modification being accepted. Rationale: SUB-REQ-009 implements the 21 CFR Part 11 (Electronic Records; Electronic Signatures) requirement for tamper-evident records. This is a regulatory compliance test: FDA expects evidence that the hash chain integrity mechanism actually detects record modification. Pass/fail determines whether the batch release system meets 21 CFR Part 11 Subpart B Section 11.10(e) audit trail requirements. | Test | reqs-eng-session-555 |
| VER-REQ-020 | The verification activity for SUB-REQ-020 SHALL complete a validation blending run using placebo granules with tracer API equivalent, collect 10 stratified samples from IBC discharge points after blend-endpoint indication, and confirm that API content RSD across all samples is ≤5.0%. Rationale: SUB-REQ-020 sets the blend uniformity acceptance criterion for IBC blending. ICH Q2(R1) (Validation of Analytical Procedures: Text and Methodology) requires offline HPLC confirmation of the NIR endpoint model during process validation. The 10-sample stratified plan is the minimum statistical design that detects a pattern-based segregation within the IBC at 95% confidence. Failure of this test would require revalidation of the blend process. | Test | reqs-eng-session-555 |
| VER-REQ-021 | The verification activity for SUB-REQ-001 SHALL configure the NIR spectrometer for the 900–1700 nm range with 256-channel resolution, record 100 consecutive spectra during a simulated production run, and confirm all spectra are acquired at the 30-second interval with signal-to-noise ratio meeting the diagnostic acceptance criterion. Rationale: SUB-REQ-001 defines the minimum spectral parameters of the NIR spectrometer as the primary CQA sensor. Verification of spectral range and channel count ensures the PLS chemometric model built for this instrument remains valid under the as-deployed configuration. A failure here would require re-validation of the entire NIR calibration model before the instrument can be used for batch release decisions. | Test | reqs-eng-session-555 |
| VER-REQ-022 | The verification activity for IFC-REQ-009 SHALL trigger a PAT degraded-mode transition by disabling the NIR sensor in a simulated production environment, measure the elapsed time from mode transition to MES command receipt at the PAT subsystem, confirm continuity of CQA monitoring on the remaining active sensor channels throughout the transition, and verify that the MES manual sampling schedule command is issued within 30 seconds of degradation detection. Pass criterion: (a) MES degraded-mode command received by PAT subsystem within 30 seconds; (b) ≥1 CQA evaluation completed on each remaining active channel during the transition interval; (c) manual sampling schedule issued with 15-minute interval and sample point specification. Rationale: IFC-REQ-009 adds quantified performance thresholds to the degraded mode MES-PAT protocol. The 30-second MES command delivery window and CQA monitoring continuity criteria are the testable acceptance criteria for the degraded mode qualification test. Explicit pass criteria required per IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL-rated interface verification — binary pass/fail must be demonstrable. Updated per validation session 566 to resolve ambiguousReqs blocker. | Test | reqs-eng-session-555 |
| VER-REQ-023 | The verification activity for SUB-REQ-024 SHALL induce degradation on one NIR sensor channel, measure the elapsed time from the first degraded spectrum to suspension of CQA model evaluation on that channel, and confirm that the remaining two channels continue model evaluation throughout the suspension period. Pass criterion: suspension of the degraded channel occurs within 5 seconds of first degraded spectrum; unaffected channels maintain ≥1 CQA model evaluation per 30-second cycle throughout the test; minimum CQA throughput on remaining channels is ≥70% of nominal three-channel throughput. Rationale: SUB-REQ-024 quantifies response times and channel-failure thresholds for the PAT degraded-mode protocol. The 5-second suspension window and ≥70% CQA throughput retention on remaining channels are the minimum performance criteria required to assure product quality surveillance is maintained during single-channel failure. Explicit pass criteria are required so the test result is binary and auditable per EU GMP Annex 11. | Test | reqs-eng-session-555 |
| VER-REQ-024 | The verification activity for SUB-REQ-027 SHALL open a guard door on the Rotary Tablet Press while the press is operating at nominal speed (60 RPM), and confirm that: (a) the main drive de-energises within 200ms of guard opening as measured by current-clamp on the drive power supply; (b) the turret braking system brings turret speed to zero within 3 seconds; and (c) the MES LOTO registry logs the guard-open event with timestamp accurate to 1 second. Test shall be repeated 5 times. Pass criterion: all 5 trials meet both timing thresholds. Rationale: EN ISO 13849-1 (Safety of machinery: Safety-related parts of control systems) Category 3 guard interlock requires Test verification with measured response times. The 200ms and 3-second thresholds derive from the maximum kinetic energy of the turret at 60 RPM and the stopping distance required to prevent punch-tip contact with an intruding hand. | Test | session-556, idempotency:ver-sub027-tc-loto-556 |
| VER-REQ-025 | The verification activity for SUB-REQ-028 SHALL install a calibrated differential pressure transmitter at the Tablet Compression Containment Housing during press operation at 120 RPM, and confirm that: (a) steady-state differential pressure is maintained at -15 Pa ± 5 Pa relative to the adjacent room; (b) when a 10mm gap is simulated at the transfer sleeve, an alarm is generated within 10 seconds; and (c) the HVAC switches to 100% exhaust within 30 seconds of alarm confirmation. Pass criterion: all acceptance values met across 3 measurement cycles. Rationale: The -15 Pa containment threshold is derived from OEL 0.5 µg/m³ containment modelling per ISPE Good Practice Guide for Pharmaceutical Equipment Containment. Test verification is required because containment performance depends on actual airflow dynamics that cannot be confirmed by inspection or analysis alone. | Test | session-556, idempotency:ver-sub028-tc-containment-556 |
| VER-REQ-026 | The verification activity for IFC-REQ-010 SHALL run the rotary tablet press at 120 RPM with every-30th-tablet auto-sampling enabled, use OPC-UA monitoring software to log the IPC data stream for 30 minutes, and confirm: (a) message delivery rate ≥99.5% (measured as received messages / expected messages at 2 Hz sampling × 1800 s); (b) maximum single-message latency ≤500ms; (c) all tablet weight, hardness, and thickness values are present in each message with no null fields. Pass criterion: all three acceptance criteria met across the full 30-minute run. Rationale: The 99.5% delivery rate and 500ms latency limits are derived from the in-process control response time required to detect and reject out-of-specification tablets before more than 2 tablets beyond the detected outlier pass the rejection point. Test verification is mandatory because OPC-UA message delivery performance depends on actual network configuration and cannot be demonstrated by inspection. | Test | session-556, idempotency:ver-ifc010-tc-pat-556 |
| VER-REQ-027 | The verification activity for IFC-REQ-011 SHALL inject 50 deliberate rejection events (by commanding out-of-band force values to the IPC at 10 events/minute) and 5 operational state transitions (normal → degraded → normal → emergency stop → normal) via the test harness, and confirm: (a) each rejection event generates a corresponding rejection command to the tablet reject mechanism within 200ms; (b) each state transition event is received and displayed in the MES within 2 seconds; (c) all 55 events are recorded in the EBR with correct timestamps and event types. Pass criterion: 100% event receipt with zero dropped events and all timing thresholds met. Rationale: Zero-drop event delivery is required for 21 CFR Part 11 (Electronic Records; Electronic Signatures) EBR completeness — any dropped rejection event could result in a non-conforming tablet escaping to the batch. The 200ms rejection response limit is derived from tablet press throughput: at 120 RPM × 60 stations, tablets exit at 120/s, so a 200ms window allows at most 24 tablets to pass the reject point after a defect is detected. | Test | session-556, idempotency:ver-ifc011-tc-mes-556 |
| VER-REQ-028 | The verification activity for IFC-REQ-012 SHALL execute a simulated film coating batch cycle, logging all coating parameters (pan speed, inlet temperature, spray rate, atomisation pressure, weight gain) to the MES EBR and confirming that each parameter write completes within 60 seconds of measurement, with end-to-end data integrity confirmed by LIMS audit trail review. Rationale: IFC-REQ-012 requires 30-second update intervals and 60-second EBR write completion. This test validates both timing constraints under representative production load conditions, confirming that the Film Coating Subsystem to MES data channel meets GMP EBR completeness and timeliness requirements. | Test | session-558, qc, ver, film-coating, mes, idempotency:ver-028-ifc-012-v1 |
| VER-REQ-029 | The verification activity for IFC-REQ-013 SHALL present the Film Coating Subsystem with a compression-to-coating transfer IBC containing a complete signed transfer record, confirm the subsystem accepts the transfer and commences the coating cycle, then repeat with a second IBC containing a deliberately out-of-specification core hardness value and confirm the subsystem rejects the transfer and raises an MES alert within 30 seconds. Rationale: IFC-REQ-013 requires a hard reject gate at the coating subsystem boundary for out-of-specification core attributes. The pass/reject test pair validates both the acceptance and rejection paths, confirming that the inter-subsystem transfer control prevents quality-compromised material from entering the coating operation. | Test | session-558, qc, ver, tablet-compression, film-coating, idempotency:ver-029-ifc-013-v1 |
| VER-REQ-030 | The verification activity for IFC-REQ-014 SHALL complete a packaging line run of 1,000 serialised units, confirm 100% serial number reconciliation against the MES batch record within 5 minutes of line clearance, then simulate a line run without a valid ERP production order and confirm the MES blocks packaging start. Rationale: IFC-REQ-014 requires 100% serial number reconciliation within 5 minutes and MES block without production order. The 1,000-unit run provides a statistically representative sample for serialisation throughput. The production-order-absent negative test confirms the GMP authority control at packaging. | Test | session-558, qc, ver, packaging, mes, idempotency:ver-030-ifc-014-v1 |
| VER-REQ-031 | The verification activity for IFC-REQ-015 SHALL present the Packaging Subsystem with a film-to-packaging transfer IBC accompanied by a complete in-process release record showing all CQA attributes within specification, confirm packaging start is permitted; then repeat with a release record containing a deliberate out-of-specification coating weight gain result and confirm the Packaging Subsystem blocks line start and notifies the MES within 30 seconds. Rationale: IFC-REQ-015 requires a hard interlock preventing packaging without a valid release record. The dual-path test (compliant/non-compliant transfer) validates both the acceptance and blocking logic, confirming that the packaging subsystem cannot process tablets that fail coating CQA release criteria. | Test | session-558, qc, ver, film-coating, packaging, idempotency:ver-031-ifc-015-v1 |
| VER-REQ-032 | The verification activity for IFC-REQ-016 SHALL confirm that environmental monitoring data (temperature, RH, differential pressure, particle counts) are received in the MES at the required 5-minute intervals during a simulated production shift, then inject a simulated pressure differential exceedance signal and confirm the MES halts the affected manufacturing operation and writes an environmental deviation event to the EBR within 30 seconds. Rationale: IFC-REQ-016 requires a 30-second MES halt response to environmental exceedances. The timing test is critical for OEB 4/5 containment: a pressure differential loss in a potent compound area is a personnel safety event. The 30-second window must be verified under representative system load conditions to confirm the safety-critical response time is achievable. | Test | session-558, qc, ver, containment, mes, idempotency:ver-032-ifc-016-v1 |
| VER-REQ-033 | The verification activity for IFC-REQ-017 SHALL complete 20 consecutive dispensing operations with a calibrated balance, confirm each weighing record (material identity, actual weight, operator ID, balance calibration status) is written to the MES EBR within 60 seconds, then simulate a dispensing event with actual weight at +0.6% of target and confirm the MES records a GMP deviation event. Rationale: IFC-REQ-017 requires 60-second EBR write completion per dispensing event and a GMP deviation for >±0.5% weight deviation. The 20-operation run validates the timing requirement under representative throughput. The deliberate-exceedance test confirms the rejection gate at the GMP deviation threshold. | Test | session-558, qc, ver, material-handling, mes, idempotency:ver-033-ifc-017-v1 |
| VER-REQ-034 | The verification activity for IFC-REQ-018 SHALL present the Granulation Subsystem charge point with a correctly labelled container barcode and confirm the identity verification scan passes and charge is permitted; then present a container barcode not matching the dispensing record and confirm the subsystem rejects the charge and notifies the MES within 15 seconds. Rationale: IFC-REQ-018 requires a secondary identity scan at the granulation charge point to enforce the double-verification anti-mix-up protocol. The negative test (mismatched barcode) is the safety-critical path: a false-pass (allowing a wrong material into the granulator) would contaminate the entire batch. The 15-second response window is consistent with the granulation charge sequence timing. | Test | session-558, qc, ver, material-handling, granulation, idempotency:ver-034-ifc-018-v1 |
| VER-REQ-035 | The verification activity for IFC-REQ-019 SHALL issue a production order from the ERP test system at least 24 hours before a simulated manufacturing start, confirm the MES receives and stages the order correctly, complete a simulated batch cycle, and verify batch yield and material consumption data are returned to ERP within 4 hours of batch completion; then attempt to start manufacturing without a valid ERP production order reference in the EBR header and confirm the MES blocks the operation. Rationale: IFC-REQ-019 requires 24-hour advance order notification, 4-hour yield return, and an MES block without production order. These three constraints collectively enforce the GMP authority chain from ERP to MES. Each must be independently verified; the timing constraints cannot be inferred from design inspection alone. | Test | session-558, qc, ver, erp, mes, idempotency:ver-035-ifc-019-v1 |
| VER-REQ-036 | The verification activity for IFC-REQ-020 SHALL generate a batch sample request in the MES, confirm the LIMS receives and registers the request with correct test method and specification reference, return a passing analytical result and confirm the MES receives it within the master test schedule turnaround time; then attempt to advance batch disposition to 'released' with an outstanding LIMS result and confirm the MES blocks disposition. Rationale: IFC-REQ-020 requires a closed-loop LIMS-MES release workflow with the MES blocking batch disposition until all release results are received. The pass and blocking tests together validate the two critical control points: data completeness (all results received) and data quality (passing verdict required). These cannot be validated by inspection of the interface specification alone. | Test | session-558, qc, ver, lims, mes, idempotency:ver-036-ifc-020-v1 |
| VER-REQ-037 | The verification activity for SUB-REQ-012 SHALL apply a maintenance lock to a designated piece of equipment via the MES LOTO registry, attempt a restart command (confirming denial), remove the lock, re-attempt restart (confirming success), then attempt a lock override via the maintenance UI and confirm the system denies and logs the override attempt; all six events (lock applied, restart denied, lock removed, restart permitted, override attempted, override denied) SHALL appear in the EBR audit log with correct operator ID, equipment ID, timestamp, and outcome within 10 seconds of each event. Rationale: SUB-REQ-012 requires complete LOTO event logging covering all four event types. The positive-path (lock and release) tests confirm nominal logging. The override-attempt test is the safety-critical path: a false-permit on an energised machine is an H-007 mechanical entrapment hazard. SIL-2 allocation requires test-method verification, not analysis. | Test | session-560, validation, mes, loto, sil-2, h-007, idempotency:session560-ver-037-sub012-loto-logging |
| VER-REQ-038 | The verification activity for SUB-REQ-014 SHALL run the MES EBR database for a simulated 4-hour production period, confirm automated backup events occur at intervals not exceeding 15 minutes by inspecting backup logs with timestamps, verify each backup file hash against the stored integrity hash; then simulate a data integrity failure by corrupting the primary EBR database, initiate restore from the most recent verified backup, and confirm full system functionality is restored within 30 minutes of failure detection, with no EBR data loss beyond the last verified backup interval. Rationale: SUB-REQ-014 specifies a 15-minute backup interval and 30-minute RTO. These timing requirements protect against H-006 EBR data integrity failure. The 30-minute RTO is the regulatory recovery window before a batch must be quarantined. Neither the backup interval nor the restore time can be verified by analysis of the backup architecture alone; both require measured test execution. | Test | session-560, validation, mes, backup, sil-2, h-006, idempotency:session560-ver-038-sub014-ebr-backup |
| VER-REQ-039 | The verification activity for SUB-REQ-016 SHALL execute three consecutive High Shear Granulator runs using a validated placebo formulation with a characterised endpoint torque profile; inject a simulated endpoint signal (torque or NIR wet-mass spectrum at validated criterion) and measure the elapsed time from endpoint signal to granulation stop and Fluid Bed Dryer transfer initiation command, confirming the stop-and-transfer sequence completes within 10 seconds in all three runs; pass criteria: 100% of runs stop within 10 seconds, transfer initiated in all runs, endpoint event logged in EBR with timestamp. Rationale: SUB-REQ-016 specifies a 10-second stop-and-transfer response at granulation endpoint. Late endpoint response causes over-granulation (too dense granules), producing tablets with hardness outside specification. SIL-2 tagging requires test verification; the 10-second constraint is a real-time control loop timing requirement that cannot be demonstrated by design inspection. | Test | session-560, validation, granulation-blending, sil-2, idempotency:session560-ver-039-sub016-hsg-endpoint |
| VER-REQ-040 | The verification activity for SUB-REQ-022 SHALL disable the PAT NIR blend-endpoint monitor (simulate sensor fault) mid-blending cycle, confirm the IBC blender continues for the MES-recipe fixed-time minimum duration (≥20 minutes at validated RPM) without issuing blend-complete, confirm the MES prompts for supervisory authorisation at blend time expiry and blocks blend-complete without the authorisation signature, confirm the authorised signature permits blend-complete, and verify the EBR contains a PAT-unavailable event record with timestamp and reason; then re-enable PAT and confirm normal endpoint monitoring resumes. Rationale: SUB-REQ-022 is the degraded-mode safety net for H-004: when PAT is unavailable, a fixed-time blend with supervisory gate prevents release of a potentially non-homogeneous batch. The supervisory authorisation gate (the safety-critical control) can only be verified by attempting blend-complete without authorisation and confirming the block. Analysis of the software design cannot substitute for this negative test. | Test | session-560, validation, granulation-blending, pat, degraded-mode, sil-2, h-004, idempotency:session560-ver-040-sub022-degraded-blend |
| VER-REQ-041 | The verification activity for SUB-REQ-025 SHALL run the Rotary Tablet Press at nominal speed with instrumented punches and inject 20 deliberate out-of-range force events (±5 kN deviation from setpoint) distributed across 5 tooling stations; confirm each out-of-range tablet is rejected by the pneumatic ejector within 200 ms of ejection-point detection, confirm no in-specification tablet is incorrectly rejected, and confirm all 20 rejection events are logged in the MES batch record; then run 1,000 tablets within specification and confirm zero false rejections; pass criteria: 100% sensitivity and 100% specificity on rejection gate. Rationale: SUB-REQ-025 specifies a 200 ms ejection response and a ±5 kN force gate protecting product quality (H-004). A missed rejection (false negative) releases an OOS tablet; a false rejection (false positive) of in-specification tablets could cause a recall if it becomes systematic. The 200 ms timing requirement cannot be verified by inspection of the ejector actuator specification. Both sensitivity and specificity require physical test execution. | Test | session-560, validation, tablet-compression, sil-2, idempotency:session560-ver-041-sub025-press-force-rejection |
| VER-REQ-042 | The verification activity for SUB-REQ-029 SHALL set the compression count on one punch station RFID tag to 499,999 in the test environment, cycle the press through one compression, and confirm the station count increments to 500,000 and the press halts with an RFID lifecycle limit event logged to the MES batch record; then present the press with one RFID tag read failure (tag disabled) and confirm the press does not start, the failed station is identified in the MES log, and the operator is prompted to replace the tooling station before restart; pass criteria: press halted on lifecycle limit, failed read blocks start. Rationale: SUB-REQ-029 protects against tooling fatigue fracture (a broken punch tip contaminating tablets with metal fragments — an H-007 and product quality risk). The lifecycle limit gate and the read-failure block are the two safety controls. Both require physical test execution with instrumented RFID state because wear accumulation and tag fault simulation cannot be analytically verified against the subsystem implementation. | Test | session-560, validation, tablet-compression, rfid, h-007, idempotency:session560-ver-042-sub029-rfid-tooling |
| VER-REQ-043 | The verification activity for SUB-REQ-030 SHALL disable one of the three IPC measurement channels (weight, hardness, or thickness) while the press is running at nominal speed, confirm the press automatically reduces throughput to ≤60% of nominal RPM, confirm the MES displays a degraded-mode alert and begins prompting manual sample collection at 5-minute intervals, confirm the degraded-mode start time and failed channel are recorded in the MES batch record; then restore the failed channel and confirm the press returns to nominal throughput and MES reverts to automated IPC mode with no operator intervention required; repeat for each of the three channels. Rationale: SUB-REQ-030 defines the tablet compression degraded-mode safe-state (reduced speed, manual sampling) that maintains product quality when one IPC channel fails. The 60% throughput limit prevents tablet production rate from outpacing manual sampling capacity. This is a real-time control response that cannot be verified by simulation analysis; all three channel failure modes must be physically induced to confirm the subsystem correctly identifies and responds to each. | Test | session-560, validation, tablet-compression, degraded-mode, idempotency:session560-ver-043-sub030-ipc-degraded |
| VER-REQ-044 | The verification activity for SYS-REQ-005 SHALL actuate the emergency stop function via operator E-stop button, automatic interlock, and software-initiated stop command in three separate test runs; measure elapsed time from trigger to de-energisation of all drive systems (pass: ≤3 s), closure of all product-transfer valves (pass: ≤5 s), and confirmed equipment standstill (pass: ≤10 s) using calibrated high-speed timers and actuator position feedback; all three activation paths must meet timing criteria in 3 consecutive runs per path. Rationale: SYS-REQ-005 is the system-level emergency stop safety function covering H-001 (containment breach), H-003 (dust explosion), and H-007 (mechanical entrapment). The three timing thresholds (3/5/10 s) are safety case evidence required by IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL-2 allocation. Individual subsystem stop tests (VER-REQ-024 covers press guard interlock) do not demonstrate the system-wide coordinated stop of all drives and valves in the correct sequence. This test is the definitive system-level E-stop qualification evidence. | Test | session-561, validation, estop, sil-2, h-001, h-003, h-007, system-level, idempotency:session561-ver-sys005-estop-system-level |
| VER-REQ-045 | The verification activity for SYS-REQ-006 SHALL inject simulated parameter exceedances (differential pressure exceedance, temperature exceedance, humidity exceedance) sequentially in a qualified production environment and confirm: (a) MES alarm generated within 60 seconds of alert limit breach for each parameter; (b) MES-initiated production halt within 120 seconds of action limit breach; (c) each exceedance event recorded in the EBR with timestamp, parameter identity, actual value, and limit reference; test three parameter types, three consecutive runs per type, all nine runs must meet timing criteria. Rationale: SYS-REQ-006 specifies system-level 60-second alarm and 120-second halt response times for cleanroom environmental exceedances. H-005 (loss of cleanroom environmental control causing microbial contamination) is SIL-1. VER-REQ-032 tests only the IFC-REQ-016 pressure-differential interface; it does not verify the system-level temperature and humidity exceedance response times, nor confirm 100% EBR recording across all three environmental parameters. This system-level test is required for EU GMP Annex 1 environmental monitoring qualification and site inspection evidence. | Test | session-561, validation, cleanroom, sil-1, h-005, system-level, envmon, idempotency:session561-ver-sys006-cleanroom-system-level |
| VER-REQ-046 | The verification activity for SYS-REQ-008 SHALL execute one complete product changeover sequence (cytotoxic to standard product) with a qualified operator: complete three-wash cleaning cycle guided by MES workflow, collect swab samples at all 15 predefined worst-case locations and rinse water samples, confirm MES prevents production start until all cleaning steps are electronically signed, confirm swab HPLC and TOC results are below acceptance limits, confirm MES blocks next batch record initiation until all cleaning verification signatures are complete; total elapsed time from cleaning start to MES release logged in EBR. Rationale: SYS-REQ-008 is SIL-3 (H-002 cross-contamination) requiring changeover cleaning to be verified with quantitative HPLC and TOC acceptance limits. IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 mandates Test verification — Demonstration is insufficient because it cannot inject a deliberate OOS swab failure to confirm the MES blocks production restart. The Test method requires: (a) a passing run confirming normal changeover workflow, (b) a forced OOS swab injection at location 7 (worst-case hopper weld seam) to confirm MES blocks next batch initiation, (c) pass criterion: TOC ≤500µg/L and swab residue ≤0.004µg/cm² at all 15 locations, with MES batch initiation blocked until all electronic signatures complete. | Test | session-561, validation, changeover, cleaning, sil-3, h-002, system-level, idempotency:session561-ver-sys008-changeover-system-level |
| VER-REQ-047 | The verification activity for SUB-REQ-031 SHALL deploy a primary DAC Workstation and a configured hot-standby instance in a test environment, inject a simulated primary node failure, and confirm that: (a) the standby instance assumes primary control within 5 seconds as measured by timestamp of first CQA model output from standby; (b) the last CQA diversion state held by the primary is replicated to the standby without loss; (c) the diversion valve remains in its last commanded state throughout the transition; and (d) the test is repeated 3 times to confirm repeatability. Pass criterion: all 3 trials meet the ≤5 second switchover threshold with zero diversion state loss. Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 requires Test verification (not Analysis alone) for hardware fault tolerance claims. Analysis alone cannot demonstrate that the actual hardware/software implementation achieves HFT=1 — only a live failover test with timing measurements can. This VER resolves the silWithoutVer quality gate blocker and directly validates the hazard H-004 mitigation for OOS product release. | Test | session-562, validation, pat, sil-3, h-004, architecture, redundancy, idempotency:session562-ver-sub031-sil3-hft1-failover |
| VER-REQ-048 | The verification activity for SUB-REQ-006 SHALL place the PAT Subsystem in sensor-degraded state by disabling one NIR channel and confirm that: (a) real-time CQA model evaluation on that channel suspends within 15 seconds; (b) a PAT DEGRADED alert appears on the SCADA dashboard within 30 seconds; (c) the MES updates sampling interval guidance from 30-minute to 10-minute intervals; and (d) all actions are recorded in the EBR deviation log with timestamps. Pass criterion: all four confirmations met in 3 consecutive test runs. Rationale: SUB-REQ-006 is a degraded-mode safety requirement — test verification is required because timing of alert propagation and EBR logging depends on software state machine transitions that cannot be confirmed from design documentation. The 15-second detection and 30-second alert thresholds are the maximum acceptable delay before manual QC sampling begins. | Test | session-562, validation, pat, degraded-mode, h-004, idempotency:session562-ver-sub006-pat-degraded-alert |
| VER-REQ-049 | The verification activity for SUB-REQ-013 SHALL execute a simulated 3-batch production run in the MES test environment and confirm the batch genealogy record for each batch links: (a) each raw material lot number consumed; (b) each in-process test result with equipment ID and timestamp; (c) the packaging serialisation range (first and last unit serial number); and (d) operator signatures for each critical step. Pass criterion: genealogy query returns all four data categories with no null fields for all 3 batches. Rationale: 21 CFR Part 11 and EU GMP Annex 11 require complete and accurate batch genealogy as a prerequisite for batch release. Inspection of design documentation cannot demonstrate that all genealogy linkages are captured and queryable — only a functional test can confirm end-to-end traceability. | Test | session-562, validation, mes, genealogy, idempotency:session562-ver-sub013-mes-genealogy |
| VER-REQ-050 | The verification activity for SUB-REQ-017 SHALL execute three drying cycles with placebo granules at the product-specific LOD recipe target, collect 3 stratified samples at end of drying, and confirm: (a) all 3 samples achieve LOD at or below the recipe target by Karl Fischer titration; (b) FBD inlet air temperature remained within ±2 °C of recipe setpoint throughout the cycle per MES log. Pass criterion: all acceptance criteria met across all 3 runs. Rationale: LOD reduction to target is a CQA for tablet dissolution and stability. Karl Fischer titration per USP 921 provides the reference measurement for GMP validation of the drying endpoint per ICH Q8. Test verification is required because drying performance depends on actual feed granule properties and equipment state. | Test | session-562, validation, granulation-blending, sil-2, fbd, idempotency:session562-ver-sub017-fbd-lod-target |
| VER-REQ-051 | The verification activity for SUB-REQ-018 SHALL install calibrated thermocouples at FBD inlet air duct and product chamber, run three consecutive drying cycles at nominal recipe setpoint, and confirm: (a) inlet air temperature remains within ±2 °C of setpoint for at least 95% of each cycle; (b) any exceedance beyond ±3 °C triggers an MES alarm within 60 seconds; (c) the MES recipe interlock halts the cycle if temperature exceeds ±5 °C for more than 2 consecutive minutes. Pass criterion: all criteria met across all 3 test cycles. Rationale: Inlet air temperature is a KPP for granule LOD and physical properties. The control band derives from the ICH Q8 validated design space. Test verification requires calibrated instrumentation because PID control loop response cannot be demonstrated by inspection of parameter settings. | Test | session-562, validation, granulation-blending, sil-2, fbd, idempotency:session562-ver-sub018-fbd-inlet-temp |
| VER-REQ-052 | The verification activity for SUB-REQ-019 SHALL run a post-drying milling cycle on a representative placebo granule batch, collect a sample at mill discharge, measure particle size distribution by laser diffraction per ISO 13320, and confirm: (a) D90 of the milled granule is ≤500 µm; (b) fines fraction below 53 µm does not exceed 15% v/v; (c) mill parameters recorded in MES match the validated recipe. Pass criterion: all acceptance criteria met across 3 milling runs. Rationale: Granule particle size directly impacts tablet compressibility and dissolution rate. The D90 and fines acceptance criteria are derived from the compression process validated design space per ICH Q8. Laser diffraction per USP 429 is the reference technique for pharmaceutical granule sizing. Test verification is required because milling performance depends on actual feed properties and equipment wear. | Test | session-562, validation, granulation-blending, sil-2, mill, idempotency:session562-ver-sub019-granule-sizing-d90 |
| VER-REQ-053 | The verification activity for SUB-REQ-021 SHALL execute a complete granulation and blending campaign in the MES test environment and confirm: (a) the MES records the net mass of each material charge within ±0.1% of actual as verified against calibrated balance read-back; (b) all transfer operations are logged with source and destination container ID and transferred mass; (c) mass balance closure is within ±0.5% for each process step. Pass criterion: all mass records complete and mass balance within tolerance across a 3-batch test run. Rationale: Accurate mass recording is required for 21 CFR Part 11 complete batch record and EU GMP Annex 11 data integrity. Mass balance closure is the primary control for detecting unmeasured losses indicating contamination or dispensing errors. The 0.5% closure limit detects single-operator dispensing errors exceeding 0.5% of batch size. | Test | session-562, validation, granulation-blending, sil-2, mass-balance, idempotency:session562-ver-sub021-gb-mass-recording |
| VER-REQ-054 | The verification activity for SUB-REQ-023 SHALL activate OEB 3 compound handling mode in the test environment, execute a full granulation and blending cycle, and confirm: (a) all IBC charging operations execute only when containment interlock confirms isolator docking is complete per sensor log; (b) continuous air monitoring in the G&B area remains below 0.8 times the OEL action limit throughout the campaign; (c) simulated containment breach injection at 1.0 times OEL triggers automatic halt of material transfer within 10 seconds. Pass criterion: all three criteria met in a single full-cycle test. Rationale: OEB 3 containment is a SIL-2 requirement addressing H-001 airborne potent compound exposure. The 10-second auto-halt threshold is derived from operator dose accumulation modelling at the OEL action limit. Test verification is mandatory because containment interlock logic depends on physical sensor states and pneumatic actuation that cannot be verified by inspection. | Test | session-562, validation, granulation-blending, sil-2, h-001, containment, idempotency:session562-ver-sub023-gb-oeb3-containment |
| VER-REQ-055 | The verification activity for SUB-REQ-026 SHALL operate the Tablet In-Process Control System at nominal press speed (60 RPM), confirm auto-sampling of every 30th tablet via IPC log (sample count equals run duration in minutes times RPM times station count divided by 30, within plus or minus 5 percent), and confirm weight, hardness, and thickness measurements for each sampled tablet are transmitted to the PAT subsystem within 10 seconds of sampling. Pass criterion: sampling rate compliance and data transmission latency both met across a 60-minute run. Rationale: The every-30th-tablet sampling rate meets USP 905 content uniformity statistical power requirements. The 10-second data transmission limit ensures PAT model inputs are current: stale IPC data reduces CQA prediction accuracy. Test verification is required because sampling rate depends on IPC mechanical timing which cannot be verified from design drawings. | Test | session-562, validation, tablet-compression, ipc, pat, idempotency:session562-ver-sub026-ipc-sampling-rate |
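How the VER-REQ-055 sample-count and latency checks can be run against an exported IPC log, as an added example that is not part of the generated report. The CSV layout, field names, the five-station "toy" press and the timestamps are constructed for illustration; note that the expected-count formula takes the run duration in minutes so that it matches the RPM figure.

```python
"""Added example (not code from the generated report): check an IPC auto-sampling log
against the VER-REQ-055 criteria. The CSV layout, field names, the five-station
'toy' press and the timestamps below are constructed for illustration."""
from datetime import datetime

EVERY_NTH = 30           # auto-sample every 30th tablet (requirement)
COUNT_TOL = 0.05         # +/- 5 percent on the sample count (requirement)
LATENCY_LIMIT_S = 10.0   # IPC -> PAT transmission deadline in seconds (requirement)


def expected_sample_count(run_minutes: float, rpm: float, stations: int,
                          every_nth: int = EVERY_NTH) -> float:
    """Tablets produced = minutes * turret RPM * station count; one sample per every_nth.
    The run duration must be in minutes to match RPM: feeding seconds here would
    over-count the expected samples by a factor of 60."""
    return run_minutes * rpm * stations / every_nth


def parse_ipc_log(text: str) -> list[dict]:
    """Parse constructed lines: sample_id,sampled_at,transmitted_at,weight_mg,hardness_n,thickness_mm."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sid, t_sampled, t_sent, weight, hardness, thickness = line.split(",")
        rows.append({
            "sample_id": int(sid),
            "sampled_at": datetime.fromisoformat(t_sampled),
            "transmitted_at": datetime.fromisoformat(t_sent),
            "weight_mg": float(weight),
            "hardness_n": float(hardness),
            "thickness_mm": float(thickness),
        })
    return rows


def check_sampling(rows: list[dict], run_minutes: float, rpm: float, stations: int) -> dict:
    """Apply both VER-REQ-055 criteria: sample count within tolerance and every
    sample transmitted within LATENCY_LIMIT_S of being taken."""
    expected = expected_sample_count(run_minutes, rpm, stations)
    observed = len(rows)
    count_ok = abs(observed - expected) <= COUNT_TOL * expected
    late = [r["sample_id"] for r in rows
            if (r["transmitted_at"] - r["sampled_at"]).total_seconds() > LATENCY_LIMIT_S]
    return {"expected": expected, "observed": observed, "count_ok": count_ok,
            "late_samples": late, "latency_ok": not late,
            "pass": count_ok and not late}


# Constructed one-minute log: 60 RPM x 5 stations = 300 tablets -> 10 samples expected.
# Sample 7 is transmitted 12 s after sampling and must fail the latency check.
SAMPLE_LOG = """# sample_id,sampled_at,transmitted_at,weight_mg,hardness_n,thickness_mm
1,2026-03-27T08:00:06,2026-03-27T08:00:09,250.1,88.0,4.20
2,2026-03-27T08:00:12,2026-03-27T08:00:15,249.8,87.5,4.19
3,2026-03-27T08:00:18,2026-03-27T08:00:20,250.3,88.4,4.21
4,2026-03-27T08:00:24,2026-03-27T08:00:27,250.0,87.9,4.20
5,2026-03-27T08:00:30,2026-03-27T08:00:34,249.7,88.1,4.19
6,2026-03-27T08:00:36,2026-03-27T08:00:39,250.2,87.8,4.20
7,2026-03-27T08:00:42,2026-03-27T08:00:54,250.4,88.2,4.21
8,2026-03-27T08:00:48,2026-03-27T08:00:51,249.9,88.0,4.20
9,2026-03-27T08:00:54,2026-03-27T08:00:57,250.1,87.7,4.19
10,2026-03-27T08:01:00,2026-03-27T08:01:03,250.0,88.3,4.20
"""

if __name__ == "__main__":
    result = check_sampling(parse_ipc_log(SAMPLE_LOG), run_minutes=1, rpm=60, stations=5)
    print(result)
```

The count check passes on the constructed log (10 observed against 10 expected) while the latency check fails on sample 7, so the overall result is a fail; a real 60-minute run on a 36-station press at 60 RPM would expect 4320 samples.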
| VER-REQ-056 | The verification activity for the OEL/OEB containment system requirement (SYS-REQ-013) SHALL operate a production run with a potent compound simulant at OEB 4 containment conditions, inject a simulated air concentration at 80 percent of the OEL action limit into the continuous monitoring system, and confirm: (a) an alarm is generated within 30 seconds of the injection; (b) the alarm is visible on the MES SCADA operator display; and (c) the EBR deviation log records the event with a timestamp accurate to 1 second. Pass criterion: all three confirmations met. Rationale: SYS-REQ-013 is a SIL-2 safety requirement driving H-001 mitigation. Test verification is required to confirm the alarm propagation latency and EBR logging are consistent with actual system behaviour under simulated exposure conditions. | Test | session-562, validation, containment, sil-2, h-001, oel, idempotency:session562-ver-sys013-oel-alarm |
| VER-REQ-057 | The verification activity for the process validation data recording requirement (SYS-REQ-014) SHALL execute a complete production batch from raw material dispense through packaging, export the batch EBR, and confirm using a data completeness checklist that all ICH Q8 required CPP and CQA data fields are present, timestamped, and associated with the correct batch ID. Pass criterion: zero missing mandatory data fields across a 3-batch validation run. Rationale: The appropriate verification for data completeness and format compliance is Analysis against the ICH Q8 data requirements checklist. This confirms the EBR structure meets regulatory filing requirements without requiring a live regulatory submission. | Analysis | session-562, validation, process-validation, ich-q8, idempotency:session562-ver-sys014-ich-q8-data |
| VER-REQ-058 | The verification activity for the EU FMD serialisation requirement (SYS-REQ-015) SHALL execute a packaging line run of 100 serialised units in the EMVS test environment, confirm 100 percent of serial numbers are successfully submitted to the national medicines verification system within 24 hours, and confirm that attempting to verify a decommissioned serial number returns a decommissioned status within 5 seconds. Pass criterion: 100% successful submission and correct decommissioned status response. Rationale: EU Delegated Regulation 2016/161 compliance requires functional integration with the national EMVS. Test verification against the EMVS test repository is the only way to confirm correct data format and successful API communication with the external system. | Test | session-562, validation, serialisation, eu-fmd, regulatory, idempotency:session562-ver-sys015-eu-fmd |
| VER-REQ-059 | The verification activity for the EN ISO 13849-1 machine safety requirement (SYS-REQ-016) SHALL perform a documented Performance Level calculation for the guard interlock, emergency stop, and LOTO verification safety functions using the methodology of EN ISO 13849-1:2015, confirm that each function achieves PLd or higher, and document MTTFd, DCavg, and CCF values for each safety function in the safety case. Pass criterion: all three safety functions confirmed at PLd or higher in the documented calculation. Rationale: EN ISO 13849-1 PL determination is a structured analytical process, not a physical test. The PL calculation methodology using MTTFd, DCavg, and CCF per ISO 13849-1 is the accepted verification method for Machinery Directive 2006/42/EC compliance. Analysis is the correct verification type for this standards-based calculation. | Analysis | session-562, validation, machine-safety, en-iso-13849, idempotency:session562-ver-sys016-iso13849-pl |
| VER-REQ-060 | The verification activity for the OEE tracking requirement (SYS-REQ-017) SHALL run the system for 24 hours of simulated production with known availability events (3 unplanned stops of known duration), known speed losses (2 hours at 80 percent rated speed), and known quality losses (5 percent rejected tablets), compute the expected OEE from these inputs, confirm the system-calculated OEE is within plus or minus 2 percent of the expected value, and, by injecting an additional loss period on one subsystem that drives its OEE below 75 percent, confirm the corresponding alert is generated. Pass criterion: OEE calculation accuracy within tolerance and alert generated when subsystem OEE drops below 75 percent. Rationale: OEE calculation accuracy cannot be confirmed by inspection of the calculation algorithm alone; it requires end-to-end verification that data collection from all subsystems feeds the OEE calculation correctly. The plus or minus 2 percent tolerance is within measurement uncertainty for a 24-hour production window. | Test | session-562, validation, oee, idempotency:session562-ver-sys017-oee |
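The expected-value side of VER-REQ-060, carried through in code as an added example (not the report's own calculation): the three OEE factors are computed from the injected loss profile and the reported value is checked against the tolerance, with the 75 percent alert threshold applied per subsystem. The stop durations, the rated production rate and the reading of "plus or minus 2 percent" as absolute OEE points are assumptions.

```python
"""Added example (not the report's own code): compute the expected OEE from the known
loss profile injected in VER-REQ-060 and compare it with the system-reported value.
The stop durations, rated rate and the reading of the +/-2 percent tolerance as
absolute OEE points are assumptions."""


def compute_oee(planned_min: float, unplanned_stops_min: list[float],
                slow_periods: list[tuple[float, float]], reject_fraction: float,
                rated_rate: float) -> dict:
    """Standard three-factor OEE = Availability x Performance x Quality.
    slow_periods: (minutes, fraction of rated speed) pairs; rated_rate: units per minute."""
    downtime = sum(unplanned_stops_min)
    run_min = planned_min - downtime
    slow_min = sum(minutes for minutes, _ in slow_periods)
    if run_min <= 0 or slow_min > run_min:
        raise ValueError("loss profile exceeds planned production time")
    # Units actually produced: full rate while not slowed, reduced rate while slowed.
    produced = rated_rate * ((run_min - slow_min)
                             + sum(minutes * speed for minutes, speed in slow_periods))
    availability = run_min / planned_min
    performance = produced / (rated_rate * run_min)
    quality = 1.0 - reject_fraction
    return {"availability": availability, "performance": performance,
            "quality": quality, "oee": availability * performance * quality,
            "units_produced": produced}


def within_tolerance(reported_oee: float, expected_oee: float, tol: float = 0.02) -> bool:
    """Pass criterion: reported value within +/- tol (assumed absolute) of the expected value."""
    return abs(reported_oee - expected_oee) <= tol


def oee_alerts(subsystem_oee: dict[str, float], threshold: float = 0.75) -> list[str]:
    """Subsystems whose OEE has dropped below the 75 percent alert threshold."""
    return sorted(name for name, value in subsystem_oee.items() if value < threshold)


if __name__ == "__main__":
    # 24 h window, three stops totalling 80 min, 2 h at 80 percent speed, 5 percent rejects.
    expected = compute_oee(planned_min=24 * 60, unplanned_stops_min=[20, 35, 25],
                           slow_periods=[(120, 0.80)], reject_fraction=0.05, rated_rate=2000)
    print(f"expected OEE = {expected['oee']:.4f}")
    print("pass" if within_tolerance(0.897, expected["oee"]) else "fail")
```

With the constructed profile the expected OEE is 1360/1440 x 1336/1360 x 0.95, about 0.8814; a reported 0.90 passes the tolerance and a reported 0.85 does not.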
| VER-REQ-061 | The verification activity for the PAT qualification enforcement requirement (SYS-REQ-018) SHALL set one PAT instrument's calibration status to expired in the MES, attempt to initiate real-time release for a batch, and confirm: (a) the MES blocks real-time release initiation with an explicit error message citing the out-of-calibration instrument; (b) the block is not bypassable without QA Manager role credentials; and (c) the calibration status and block event are recorded in the EBR. Pass criterion: all three confirmations met. Rationale: SYS-REQ-018 is a SIL-3 requirement addressing H-004 OOS product release. The enforcement of PAT calibration as a real-time release gate must be verified by Test — it cannot be confirmed by inspection because the block depends on runtime status flag evaluation in the MES workflow engine. | Test | session-562, validation, pat, calibration, sil-3, h-004, idempotency:session562-ver-sys018-pat-calibration-block |
| VER-REQ-062 | The verification activity for the PAT power supply requirement SHALL simulate a mains power failure by switching off the PAT subsystem UPS input, confirm: (a) the PAT subsystem continues operating without interruption for a minimum of 4 hours on battery; (b) a power failure alarm is transmitted to the MES within 10 seconds of mains loss; (c) battery state-of-charge is displayed on the SCADA operator dashboard throughout the test. Pass criterion: 4-hour autonomous operation, MES alarm within 10 seconds, and continuous state-of-charge display all confirmed. Rationale: The PAT power supply SUB-REQ directly supports SIL-3 hazard H-004 mitigation. The 4-hour UPS runtime must be verified by actual battery discharge test; design specifications for UPS capacity cannot substitute for a live runtime test under actual load conditions. | Test | session-562, validation, pat, power, sil-3, idempotency:session562-ver-pat-power-ups-runtime |
| VER-REQ-063 | The verification activity for the PAT manual override requirement SHALL log in as QC Analyst role in the MES test environment, trigger a CQA limit violation, activate the manual override function, confirm: (a) the override is accepted and recorded in the EBR within 60 seconds with operator ID and justification text; (b) attempting the same override with Operator role (below QC Analyst) is rejected; and (c) the override event is flagged in the batch audit trail for QA Manager review. Pass criterion: all three confirmations met. Rationale: The manual override is a SIL-3 safety function — it must be restricted to qualified personnel and fully audit-trailed. Test verification is required because role-based access control enforcement depends on runtime identity and authorisation logic that cannot be confirmed by inspection of configuration settings alone. | Test | session-562, validation, pat, override, sil-3, h-004, idempotency:session562-ver-pat-override-rbac |
| VER-REQ-064 | The verification activity for the MES watchdog timer requirement SHALL stop the EBR processing heartbeat in the test environment, wait 95 seconds (3 consecutive missed heartbeats at the 30-second interval), and confirm: (a) a system health alert is logged to the CMMS within 100 seconds of the last received heartbeat; (b) the SCADA operator display changes to system-unavailable state within the same 100-second window; (c) a new batch record initiation attempt fails with an explicit system-unavailable error. Pass criterion: all three confirmations met. Rationale: The MES watchdog is a SIL-2 autonomous system safety control. Test verification is required because watchdog timer logic depends on actual heartbeat timing and state machine transitions; design documentation review cannot confirm the watchdog fires correctly under real failure conditions. | Test | session-562, validation, mes, watchdog, sil-2, h-006, idempotency:session562-ver-mes-watchdog-test |
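The watchdog behaviour VER-REQ-064 exercises, modelled as an added example (not code from the report or the MES vendor). Time is injected in seconds so the 95-second scenario runs without sleeping; the 30-second interval and the three-miss trip come from the requirement, while the CMMS/SCADA sinks, the tick cadence and auto-recovery on a resumed heartbeat are assumptions.

```python
"""Added example (not code from the report): a heartbeat watchdog modelling the MES
behaviour that VER-REQ-064 tests. Time is injected in seconds so the scenario runs
without sleeping. The 30 s interval and the 3-miss trip come from the requirement;
the CMMS/SCADA sinks, the tick cadence and auto-recovery on a resumed heartbeat are
assumptions."""


class SystemUnavailable(Exception):
    pass


class EbrWatchdog:
    def __init__(self, interval_s: float = 30.0, miss_limit: int = 3):
        self.interval_s = interval_s
        self.miss_limit = miss_limit
        self.last_heartbeat = None        # seconds; None until the first beat
        self.state = "AVAILABLE"
        self.tripped_at = None
        self.cmms_alerts = []             # stand-in for the CMMS alert sink
        self.scada_state = "normal"       # stand-in for the SCADA operator display

    def heartbeat(self, now: float) -> None:
        """EBR processing loop reports liveness; a fresh beat resets the miss count."""
        self.last_heartbeat = now
        if self.state != "AVAILABLE":     # assumption: a resumed heartbeat clears the trip
            self.state, self.scada_state, self.tripped_at = "AVAILABLE", "normal", None

    def missed(self, now: float) -> int:
        """Consecutive heartbeats overdue since the last one was received."""
        if self.last_heartbeat is None:
            return 0
        return int((now - self.last_heartbeat) // self.interval_s)

    def evaluate(self, now: float) -> str:
        """Watchdog tick; assumed to run at least once per interval."""
        if self.state == "AVAILABLE" and self.missed(now) >= self.miss_limit:
            self.state, self.tripped_at = "UNAVAILABLE", now
            self.cmms_alerts.append(
                (now, f"EBR heartbeat lost: {self.missed(now)} consecutive misses"))
            self.scada_state = "system-unavailable"
        return self.state

    def initiate_batch(self, now: float, batch_id: str) -> str:
        """Batch initiation re-evaluates the watchdog so a stale AVAILABLE state cannot be used."""
        if self.evaluate(now) != "AVAILABLE":
            raise SystemUnavailable(f"{batch_id}: MES unavailable since t={self.tripped_at}s")
        return f"{batch_id} initiated"

    def batch_initiation_blocked(self, now: float, batch_id: str) -> bool:
        try:
            self.initiate_batch(now, batch_id)
        except SystemUnavailable:
            return True
        return False


if __name__ == "__main__":
    wd = EbrWatchdog()
    for t in (0, 30, 60):        # healthy heartbeats, then the EBR heartbeat is stopped
        wd.heartbeat(t)
    print(wd.evaluate(149), wd.evaluate(155), wd.batch_initiation_blocked(160, "B-2026-001"))
```

Because the miss count is derived from the last received heartbeat rather than from a counter, a single late beat resets it, which is what "consecutive" in the requirement demands; the trip fires at 90 seconds after the last beat, inside the 100-second window.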
| VER-REQ-065 | The verification activity for the Emergency Stop recovery requirement SHALL trigger a simulated containment breach alarm, confirm the system enters Emergency Stop mode, then attempt re-energisation without QA Manager sign-off and confirm rejection, then wait 30 minutes, perform QA Manager EBR sign-off, and confirm production equipment is permitted to restart. Pass criterion: unauthorised re-energisation blocked and authorised re-energisation permitted after sign-off and clearance period. Rationale: Emergency Stop mode exit is a SIL-2 safety gate for H-001 and H-007 hazards. Test verification of the QA sign-off enforcement is mandatory — the effectiveness of an access control gate cannot be demonstrated by inspection of the workflow configuration. The 30-minute clearance period and QA sign-off requirement are both testable pass/fail criteria. | Test | session-564, validation, emergency-stop, mode-coverage, sil-2, h-001, ambiguity-fixed |
| VER-REQ-066 | The verification activity for the Maintenance LOTO display requirement SHALL apply a LOTO lock to the rotary tablet press via the MES LOTO registry, attempt to power on the press via all three command interfaces (operator HMI, PLC direct command, and MES remote command), confirm all three are rejected, and confirm the LOTO status (locked, applied-by, time-applied) is displayed on the MES operator HMI. Pass criterion: all three command rejections confirmed and LOTO status correctly displayed. Rationale: The LOTO display and enforcement during Maintenance mode is a SIL-2 safety requirement for H-007 prevention. OSHA 29 CFR 1910.147 requires energy control procedures to be verified — inspection of LOTO registry configuration alone cannot demonstrate that all three command paths are blocked. Testing all three command paths is critical because single-channel protection is insufficient for SIL-2. | Test | session-562, validation, maintenance, loto, sil-2, h-007, idempotency:session562-ver-maintenance-loto-display |
| VER-REQ-067 | The verification activity for the Degraded Production mode real-time release block requirement SHALL activate degraded production mode in the MES test environment, produce a test batch, and confirm: (a) real-time release initiation is blocked with an explicit degraded-mode error message within 2 seconds of initiation attempt; (b) the batch is placed in quarantine status automatically within 60 seconds of batch completion; (c) QA Manager EBR sign-off is required before the batch is permitted to advance from quarantine. Pass criterion: all three confirmations met in 3 consecutive test runs; zero false-pass events (real-time release must never succeed in degraded mode). Rationale: Blocking real-time release in degraded mode is an H-004 mitigation. The 2-second block response time and 60-second quarantine automation deadline are the minimum performance criteria required for this test to be meaningful. Zero false-pass events (real-time release succeeding in degraded mode) is the absolute safety criterion. Three consecutive runs confirm the control is not intermittent. Numeric criteria added per validation session 566. | Test | session-564, validation, degraded, sil-3, h-004, rtrt, ambiguity-fixed |
| VER-REQ-068 | The verification activity for the Tablet Compression Subsystem power supply requirement SHALL measure the main drive de-energisation time from EPO activation using a current clamp and oscilloscope, confirm de-energisation within 200ms across 5 test actuations, and confirm the MES LOTO registry logs the EPO event with a timestamp within 1 second of actuation. Pass criterion: all 5 actuations within 200ms and MES log entry confirmed. Rationale: The 200ms EPO response is a direct contributor to H-007 safe state (equipment de-energised). Measurement of actual de-energisation time by oscilloscope is required because design specifications for contactor response times have manufacturing tolerances that may result in slower actual response. The MES LOTO log entry is required for 21 CFR Part 11 audit completeness. | Test | session-562, validation, tablet-compression, power, h-007, idempotency:session562-ver-tc-epo-timing |
| VER-REQ-069 | The verification activity for the Granulation and Blending Subsystem power supply requirement SHALL measure supply voltage at the HSG and FBD main distribution boards during a nominal production cycle, confirm voltage remains within plus or minus 10 percent of 400V nominal, inject a simulated voltage deviation beyond 10 percent, and confirm an MES alarm is generated within 60 seconds. Pass criterion: voltage within tolerance during production and alarm within 60 seconds of simulated deviation. Rationale: Power supply voltage deviation affects both the HSG impeller speed (granule endpoint CQA) and FBD heating performance (LOD CQA). Test verification requires actual voltage measurement at distribution boards — design specifications cannot account for cable voltage drops and transformer loading effects in the installed facility. | Test | session-562, validation, granulation-blending, power, idempotency:session562-ver-gb-power-voltage |
| VER-REQ-070 | The verification activity for the Film Coating Subsystem power supply requirement SHALL run a complete simulated coating batch cycle, log MES power consumption data for the cycle, confirm power consumption per batch is within plus or minus 15 percent of the design specification value, and confirm the EPO de-energises all drives within 500ms across 5 test actuations. Pass criterion: power consumption within tolerance and EPO timing confirmed. Rationale: Film coating power consumption logging is required for OEE calculation accuracy. The 15 percent tolerance accounts for coating load variability across batches. EPO test is required for H-001 safe state confirmation during coating of potent compounds. | Test | session-562, validation, film-coating, power, idempotency:session562-ver-fc-power-consumption |
| VER-REQ-071 | The verification activity for the Containment and Environmental Control Subsystem UPS requirement SHALL disconnect mains power from the containment subsystem UPS, confirm all monitoring and alarm functions remain operational for a minimum of 2 hours, confirm HVAC dampers remain in exhaust position throughout the test (fail-secure), and confirm UPS battery state-of-charge is displayed on the SCADA operator dashboard throughout. Pass criterion: 2-hour continuous operation and fail-secure exhaust position confirmed. Rationale: The containment UPS runtime is a SIL-2 safety function for H-001 mitigation during power failure. Battery runtime must be verified by actual discharge test — manufacturer UPS capacity ratings do not account for actual connected load and battery ageing in the installed system. | Test | session-562, validation, containment, power, sil-2, h-001, idempotency:session562-ver-cec-ups-runtime |
| VER-REQ-072 | The verification activity for the MES server hardware requirement SHALL inspect the server room physical configuration and confirm by visual inspection: (a) dual redundant PSUs installed in each server with both connected to independent circuits; (b) server room door equipped with badge access reader with logged access events; (c) server room access log retrievable from CMMS for the previous 90 days. Pass criterion: all three items confirmed by inspection. Rationale: Physical installation and access control measures for the MES server are verifiable by Inspection — they are observable physical characteristics that do not require functional testing. The 90-day access log retention directly supports 21 CFR Part 11 audit trail requirements for the physical location housing the EBR system. | Inspection | session-562, validation, mes, hardware, 21cfr11, idempotency:session562-ver-mes-server-inspection |
| VER-REQ-073 | The verification activity for the Startup mode entry criteria requirement SHALL configure the MES test environment with one equipment qualification record expired, one PAT system suitability check failed, and one open deviation from a prior campaign, then attempt to initiate a new batch record with each blocking condition present individually and with all three present together, and confirm that the MES blocks batch record initiation in every case with an error identifying every active blocking condition. Pass criterion: batch record initiation blocked in all four configurations and every active blocking condition clearly identified in the error message. Rationale: Startup mode entry gate enforcement is a quality assurance control preventing production on unqualified equipment. Test verification requires injecting each blocking condition individually and in combination to confirm the MES enforcement logic is comprehensive. Inspection of workflow configuration alone cannot confirm all conditions are evaluated. | Test | session-562, validation, startup, mode-coverage, mes, idempotency:session562-ver-startup-entry-gate |
| VER-REQ-074 | The verification activity for the Degraded Production mode quarantine requirement SHALL complete a production run in degraded mode, confirm: (a) the batch is automatically placed in MES quarantine status within 60 seconds of batch completion without operator action; (b) an attempt to advance the batch to released status without QA Manager sign-off is rejected within 2 seconds with an explicit error message; (c) QA Manager sign-off (electronic signature) permits batch advancement. Pass criterion: automatic quarantine within 60 seconds confirmed, QA sign-off gate enforced with zero bypass events, all three test runs pass. Rationale: The Degraded mode quarantine gate is an H-004 mitigation control. The 60-second automated quarantine deadline and the 2-second reject response for unauthorised release attempts are the quantified performance criteria required to confirm the control works under operational timing conditions. Zero bypass events is the absolute criterion — the sign-off gate must never fail. Numeric thresholds added per validation session 566 to resolve ambiguousReqs blocker. | Test | session-564, validation, degraded, mode-coverage, h-004, ambiguity-fixed |
| VER-REQ-075 | The verification activity for SUB-REQ-048 SHALL inject a simulated airborne concentration at 85 percent of OEL into the continuous monitoring system, confirm: (a) Emergency Stop activates within 5 seconds; (b) all material transfer valves close within 5 seconds as confirmed by position feedback; (c) HVAC switches to 100 percent exhaust within 15 seconds; (d) evacuation alarm sounds at minimum 85 dB at 1 metre. Pass criterion: all 4 criteria met in 3 test runs. Rationale: H-001 is a SIL-2 hazard. Test verification with timing measurements is required for all four automated responses. Design analysis alone cannot confirm actual pneumatic valve actuation and HVAC damper response times match specified values. | Test | session-562, validation, containment, sil-2, h-001, idempotency:session562-ver-sub048-breach-autoresponse |
| VER-REQ-076 | The verification activity for SUB-REQ-049 SHALL configure the test environment to log air monitoring data for 24 hours, confirm that a minimum of 1 sample per 60 seconds per monitoring point is recorded in the EBR log, export the 24-hour record in CSV and PDF formats, and confirm file format validity. Pass criterion: sampling frequency confirmed at 1 per 60 seconds or higher and both export formats valid. Rationale: Air monitoring frequency and data export format compliance cannot be confirmed by inspection of system configuration alone — actual data logging rate must be measured across a 24-hour period to confirm no gaps. Export format validation ensures regulatory inspection accessibility. | Test | session-562, validation, containment, monitoring, h-001, idempotency:session562-ver-sub049-air-monitoring-freq |
| VER-REQ-077 | The verification activity for SUB-REQ-050 SHALL inject a cleaning validation failure result (location 7 swab result exceeding acceptance limit) into the MES test environment, confirm: (a) next batch associated with that equipment is automatically placed in quarantine; (b) QA Manager receives SCADA notification and email alert within 5 minutes; (c) batch release is blocked until QA Manager sign-off. Pass criterion: all 3 confirmations met. Rationale: Automatic quarantine on cleaning validation failure is an H-002 SIL-3 mitigation. Test verification is required to confirm the automatic quarantine trigger and dual notification path are both functional; inspection of workflow configuration cannot confirm the actual message routing and quarantine state enforcement. | Test | session-562, validation, mes, changeover, sil-3, h-002, idempotency:session562-ver-sub050-cleaning-quarantine |
| VER-REQ-078 | The verification activity for SUB-REQ-051 SHALL attempt to advance an API dispensing step in the MES test environment with only one operator confirmation, confirm the step advancement is blocked, then provide both operator confirmations and confirm the step advances. Repeat with a simulated second operator confirmation from an unauthorised role and confirm rejection. Pass criterion: single-confirmation advance blocked and dual authorised-role confirmation accepted. Rationale: Two-person API dispensing verification is a 21 CFR Part 211 critical step control for H-002. Test verification must confirm both the enforcement of two distinct operator identities and the role authorisation requirement. These are runtime EBR workflow controls that cannot be verified by inspection. | Test | session-562, validation, material-handling, sil-3, h-002, idempotency:session562-ver-sub051-two-person-api |
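The two access-control gates that VER-REQ-063 (role-restricted manual override with justification and QA review flag) and VER-REQ-078 (two distinct, authorised operator confirmations on an API dispensing step) test, implemented as an added example rather than the report's or the MES vendor's code. Role names and their ordering follow the report; the user IDs, the "Maintenance Technician" role used as the unauthorised case and the audit-record layout are assumptions.

```python
"""Added example (not the report's own code): a minimal MES workflow gate implementing
the controls that VER-REQ-063 (role-restricted manual override with justification and
QA review flag) and VER-REQ-078 (two distinct, authorised operator confirmations on an
API dispensing step) verify. Role names and their ordering follow the report; user IDs,
the 'Maintenance Technician' role used as the unauthorised case and the audit-record
layout are assumptions."""
from datetime import datetime, timezone

ROLE_RANK = {"Operator": 1, "QC Analyst": 2, "QA Manager": 3}   # unknown roles rank 0
DISPENSING_ROLES = {"Operator", "QC Analyst", "QA Manager"}     # assumption


class GateError(Exception):
    """Raised when a workflow gate rejects an action; every rejection is audited first."""


def _audit(trail: list, **fields) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
    trail.append(entry)
    return entry


class ApiDispensingStep:
    REQUIRED_CONFIRMATIONS = 2

    def __init__(self, step_id: str, trail: list):
        self.step_id = step_id
        self.trail = trail
        self.confirmations = []          # (user_id, role) pairs
        self.status = "PENDING"

    def confirm(self, user_id: str, role: str) -> None:
        """Accept one operator confirmation; enforce role authority and distinct identity."""
        if role not in DISPENSING_ROLES:
            _audit(self.trail, step=self.step_id, action="confirm", user=user_id, role=role,
                   result="REJECTED", reason="role not authorised for API dispensing")
            raise GateError(f"{role} may not confirm API dispensing")
        if any(uid == user_id for uid, _ in self.confirmations):
            _audit(self.trail, step=self.step_id, action="confirm", user=user_id, role=role,
                   result="REJECTED", reason="second confirmation must be a different identity")
            raise GateError("confirmation already recorded for this identity")
        self.confirmations.append((user_id, role))
        _audit(self.trail, step=self.step_id, action="confirm", user=user_id, role=role,
               result="ACCEPTED")

    def advance(self) -> str:
        """Step may only advance once two distinct authorised confirmations exist."""
        if len(self.confirmations) < self.REQUIRED_CONFIRMATIONS:
            _audit(self.trail, step=self.step_id, action="advance", result="REJECTED",
                   reason=f"{len(self.confirmations)}/{self.REQUIRED_CONFIRMATIONS} confirmations")
            raise GateError("two-person confirmation incomplete")
        self.status = "ADVANCED"
        _audit(self.trail, step=self.step_id, action="advance", result="ACCEPTED",
               confirmed_by=[uid for uid, _ in self.confirmations])
        return self.status


def manual_override(trail: list, batch_id: str, user_id: str, role: str,
                    justification: str) -> dict:
    """Override of a CQA limit violation: QC Analyst or higher, justification mandatory,
    accepted record flagged for QA Manager review."""
    if ROLE_RANK.get(role, 0) < ROLE_RANK["QC Analyst"]:
        _audit(trail, batch=batch_id, action="override", user=user_id, role=role,
               result="REJECTED", reason="role below QC Analyst")
        raise GateError(f"{role} may not override a CQA limit")
    if not justification.strip():
        _audit(trail, batch=batch_id, action="override", user=user_id, role=role,
               result="REJECTED", reason="justification missing")
        raise GateError("justification text required")
    return _audit(trail, batch=batch_id, action="override", user=user_id, role=role,
                  justification=justification, result="ACCEPTED", flag="QA_REVIEW")


def gate_rejects(fn, *args) -> bool:
    """True if the call is rejected by a gate (used when exercising the test scenarios)."""
    try:
        fn(*args)
    except GateError:
        return True
    return False
```

The distinct-identity check is on user ID, not role, so two operators of the same role satisfy the two-person rule while one operator confirming twice does not; every rejected attempt leaves an audit entry before the exception is raised, which is what makes the audit trail usable for the QA review the requirements call for.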
| VER-REQ-079 | The verification activity for SUB-REQ-052 SHALL run the tablet compression line with the metal detection system active, inject 5 known metallic particles of 0.5mm diameter into the tablet stream at known positions, confirm: (a) all 5 particles are detected; (b) rejection mechanism activates and diverts the 10 tablets before and 10 after each detected particle; (c) a critical alarm is generated in the MES for each detection. Pass criterion: 100 percent detection rate and correct rejection window confirmed. Rationale: Metal detection performance cannot be verified by equipment specification review alone — actual detection sensitivity depends on tablet mass, line speed, and detector calibration. Testing with 0.5mm particles at known positions confirms the worst-case detection scenario for the punch-tip fragment size most likely to result from tooling breakage. | Test | session-562, validation, tablet-compression, metal-detection, idempotency:session562-ver-sub052-metal-detection |
| VER-REQ-080 | The verification activity for SUB-REQ-053 SHALL connect a calibrated dust concentration monitor to the FBD exhaust duct, inject a dust aerosol to reach 30 percent of LEL, confirm: (a) the system detects concentration above 25 percent LEL threshold; (b) nitrogen inerting activates within 10 seconds; (c) FBD airflow reduces to minimum circulation rate within 10 seconds; (d) SIL-2 alarm is generated in MES within 10 seconds. Pass criterion: all 4 criteria met. Rationale: H-003 dust explosion prevention is a SIL-2 safety function. Test verification with a calibrated dust monitor and timed response measurement is required. The 25 percent LEL detection threshold and 10-second response time must be confirmed under actual process conditions — design specifications for sensor sensitivity and pneumatic valve response times may differ from installed performance. | Test | session-562, validation, granulation-blending, dust-explosion, sil-2, h-003, idempotency:session562-ver-sub053-dust-lel |
| VER-REQ-081 | The verification activity for SUB-REQ-054 SHALL run 500 blister packs through the packaging vision inspection system, introduce 10 packs with deliberate defects (5 absent tablets, 3 broken tablets, 2 foreign particle simulants) at known positions, confirm: (a) all 10 defective packs are rejected; (b) no non-defective packs are rejected; (c) all rejected pack IDs and rejection reasons are logged in the EBR. Pass criterion: 100 percent defect detection with zero false rejects and complete EBR logging. Rationale: Vision inspection of 100 percent of packs is a final critical quality gate before product release. Test verification with known defect types and zero false-reject tolerance is required because vision system performance depends on lighting, tablet colour, and line speed factors that vary with product. The EBR logging requirement ensures rejected pack traceability for batch disposition. | Test | session-562, validation, packaging, vision-inspection, idempotency:session562-ver-sub054-vision-inspection |
| VER-REQ-082 | The verification activity for SUB-REQ-055 SHALL register a time-critical sample request in the MES, confirm the LIMS receives the request within 30 seconds, enter the result in LIMS, and confirm the MES displays the result within 5 minutes of LIMS entry. Also confirm that a rejected result is retained with rejection reason in both systems. Pass criterion: both latency SLAs met and rejected result retained in both audit trails. Rationale: LIMS-MES integration latency determines real-time release cycle time. The 30-second receipt and 5-minute result return SLAs must be verified by end-to-end integration test — interface configuration review cannot confirm actual network latency and system processing time under production load conditions. | Test | session-562, validation, lims, mes, idempotency:session562-ver-sub055-lims-mes |
| VER-REQ-083 | The verification activity for SUB-REQ-056 SHALL complete a simulated batch, confirm the MES generates a PDF/A batch review report within 15 minutes of batch completion, verify the report contains all required sections (CPP trends, IPC results, deviation summary, compliance checklist), and confirm the PDF/A format is valid per ISO 19005 using a PDF/A validator. Pass criterion: report generated within 15 minutes and PDF/A format confirmed valid. Rationale: Batch review report SLA and PDF/A format compliance must be verified by a functional end-to-end test. The 15-minute SLA is a business process requirement for same-shift review. PDF/A validity requires format-level testing with a standards-compliant validator — design review cannot confirm PDF/A compliance in the generated output. | Test | session-562, validation, mes, batch-review, idempotency:session562-ver-sub056-batch-report |
| VER-REQ-084 | The verification activity for SUB-REQ-057 SHALL operate the PAT subsystem for 31 days in the test environment, query the audit log for day 1 entries and confirm they are present and unmodified, attempt to modify a log entry and confirm rejection, and export the full 30-day record in CSV format and confirm all entries are present. Pass criterion: 30-day retention confirmed, tamper evidence confirmed, and export validated. Rationale: The 30-day PAT audit log retention is a SIL-3 H-004 data integrity control. Tamper-evidence verification requires attempting a modification and confirming it is rejected — inspection of technical controls alone cannot confirm tamper-evidence effectiveness. The CSV export confirmation is required for regulatory inspection accessibility. | Test | session-562, validation, pat, audit-log, sil-3, h-004, idempotency:session562-ver-sub057-pat-audit-log |
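A hash-chained, append-only audit log that exercises the three VER-REQ-084 checks (30-day retention, detectable modification, CSV export), as an added example rather than the PAT vendor's design or any code from the report. The SHA-256 chaining, the entry fields and the purge-to-archive step are my assumptions; note that the example detects an edit after the fact, which is the tamper-evidence the requirement asks to confirm, rather than preventing the write.

```python
"""Added example (not the report's own code): a hash-chained, append-only audit log
exercising the three VER-REQ-084 checks: entries survive the 30-day retention window,
modification is detectable, and the record exports to CSV. The SHA-256 chain, the
entry fields and the purge-as-archive step are assumptions, not the PAT vendor's design."""
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone

FIELDS = ["seq", "ts", "actor", "event", "prev", "hash"]


class TamperDetected(Exception):
    pass


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self, retention_days: int = 30):
        self.entries = []
        self.retention = timedelta(days=retention_days)
        self.anchor = self.GENESIS        # hash the first retained entry must chain to
        self.next_seq = 0

    @staticmethod
    def _digest(prev: str, ts: str, actor: str, event: str) -> str:
        payload = json.dumps({"prev": prev, "ts": ts, "actor": actor, "event": event},
                             sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, ts: datetime, actor: str, event: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        ts_s = ts.isoformat()
        entry = {"seq": self.next_seq, "ts": ts_s, "actor": actor, "event": event,
                 "prev": prev, "hash": self._digest(prev, ts_s, actor, event)}
        self.entries.append(entry)
        self.next_seq += 1
        return entry

    def verify(self) -> int:
        """Recompute every hash; an edited field or a broken link raises TamperDetected."""
        prev = self.anchor
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["ts"], e["actor"], e["event"]):
                raise TamperDetected(f"chain broken at seq {e['seq']}")
            prev = e["hash"]
        return len(self.entries)

    def is_intact(self) -> bool:
        try:
            self.verify()
        except TamperDetected:
            return False
        return True

    def purge_expired(self, now: datetime) -> int:
        """Move entries older than the retention window out of the live log (assumed to go
        to archive). The last purged hash becomes the new anchor so the rest still verify."""
        removed = 0
        while self.entries and now - datetime.fromisoformat(self.entries[0]["ts"]) > self.retention:
            self.anchor = self.entries.pop(0)["hash"]
            removed += 1
        return removed

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.entries)
        return buf.getvalue()


if __name__ == "__main__":
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)          # constructed campaign day 1
    log = AuditLog()
    log.append(t0, "pat-server", "spectrum acquired")
    log.append(t0 + timedelta(days=30), "pat-server", "spectrum acquired")   # day 31
    print(log.verify(), log.is_intact())
    print(log.export_csv())
```

Each hash commits to the previous hash, so editing any retained entry, or deleting one from the middle, breaks verification from that point on; purging from the head is the only removal the structure allows, and it advances the anchor rather than rewriting history.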
| VER-REQ-085 | The verification activity for the auto-deviation record requirement (SYS-REQ-019) SHALL inject a CPP limit exceedance into the test system, confirm a deviation record is created in the EBR within 10 minutes linking all required data fields (batch ID, measurement value, subsystem, timestamp), and confirm the deviation is visible to QA Manager in the SCADA review queue within the same window. Pass criterion: complete deviation record within 10 minutes. Rationale: Deviation record generation latency must be confirmed by functional test because it depends on real-time EBR write performance under production load. The 10-minute SLA supports timely deviation management under ICH Q10 and the patient safety objective it serves. | Test | session-562, validation, mes, deviation, idempotency:session562-ver-sys019-auto-deviation |
| VER-REQ-086 | The verification activity for the cleaning status registry requirement (SYS-REQ-020) SHALL set equipment item A's cleaning status to expired in the MES test environment, attempt to assign equipment A to a new batch record, confirm the assignment is blocked with an explicit status reason, then complete a cleaning record for equipment A, confirm the status updates to confirmed clean, and confirm the assignment now succeeds. Pass criterion: block enforced on expired status and unblocked after cleaning confirmation. Rationale: Cleaning registry enforcement is a SIL-3 H-002 mitigation. Test verification confirms the enforcement gate is functional across the full status lifecycle (expired, cleaning in progress, confirmed clean). Runtime state evaluation cannot be confirmed by inspection of database schema design. | Test | session-562, validation, changeover, sil-3, h-002, idempotency:session562-ver-sys020-cleaning-registry |
| VER-REQ-087 | The verification activity for the shift handover requirement (SYS-REQ-021) SHALL simulate a shift end with 1 open deviation and 1 in-progress batch, confirm the outgoing supervisor electronically signs the handover record with all required data fields, attempt to start a new production operation without incoming supervisor acknowledgement and confirm rejection, then complete incoming supervisor acknowledgement and confirm the operation is permitted to proceed. Pass criterion: operation rejection confirmed before acknowledgement and permitted after. Rationale: Shift handover enforcement is a 21 CFR Part 11 process control. Test verification confirms the MES workflow gate is enforced correctly for the specific scenarios where handover is most critical — active deviations and in-progress batches. Design review of workflow configuration cannot confirm runtime gate enforcement. | Test | session-564, validation, mes, handover, ambiguity-fixed |
| VER-REQ-088 | The verification activity for the system-level OEE tracking (SYS-REQ-017) SHALL confirm the OEE dashboard is accessible from the SCADA operator display, that all three OEE components (Availability, Performance, Quality) are displayed with the contributing subsystem breakdown, and that an alert is generated and visible on the dashboard when a subsystem OEE drops below 75 percent for more than one production shift. Pass criterion: dashboard accessible, all components displayed, and alert confirmed. Rationale: OEE dashboard accessibility and display correctness is confirmed by Demonstration — a functional walkthrough of the dashboard with known input values. This complements VER-REQ-069 (OEE calculation accuracy test) by confirming the display layer and alerting logic are functional. | Demonstration | session-562, validation, oee, idempotency:session562-ver-oee-dashboard-demo |
| VER-REQ-089 | The verification activity for the batch genealogy system-level requirement (SYS-REQ-007) SHALL execute a complete production campaign (materials → packaging) for a single batch, perform a genealogy query for the finished product lot number, and confirm the returned record includes: (a) all raw material lot numbers and supplier certificates; (b) all in-process test results with subsystem IDs; (c) all deviation records and their dispositions; (d) the complete serialisation range. Pass criterion: all four genealogy components present and traceable to source records. Rationale: SYS-REQ-007 system-level batch genealogy is a 21 CFR Part 211 and EU GMP Annex 15 requirement. Test verification of end-to-end genealogy requires an actual production campaign to confirm all data linkages are created correctly across all subsystem interfaces. Design review of database schema cannot confirm that all subsystem integration points populate genealogy records. | Test | session-562, validation, genealogy, 21cfr11, system-level, idempotency:session562-ver-sys007-genealogy-system |
| VER-REQ-090 | The verification activity for SYS-REQ-003 SHALL inject 50 pre-characterised CQA test spectra spanning 10 nominal, 10 OOS-API, 10 OOS-dissolution, 10 sensor-degraded, and 10 boundary-condition samples into the system at the PAT DAC Workstation, and confirm: (a) each spectrum is evaluated within 5 seconds; (b) OOS classification triggers automatic diversion valve actuation within 2 seconds; (c) sensor-degraded samples trigger a health alert within 15 seconds. Pass criterion: 50/50 correct decisions with all timing bounds met. Rationale: SYS-REQ-003 is the system-level PAT/CQA requirement covering the safety-critical chain from spectrum acquisition through diversion actuation, addressing SIL-3 H-004. A system-level test with representative sample types is required because individual subsystem tests do not confirm the integrated acquisition-evaluation-actuation chain behaves correctly end-to-end. | Test | session-564, validation, pat, sil-3, h-004, sys-level, ambiguity-fixed, idempotency:session564-ver-sys003-pat-system-level |
| VER-REQ-091 | The verification activity for SYS-REQ-004 SHALL install calibrated airflow velocity probes at all access point openings of a qualified potent compound enclosure, operate the system under production conditions, inject a tracer aerosol in the enclosure headspace, and confirm: (a) inward airflow velocity is at least 0.5 m/s at all open access points; (b) continuous airborne particle monitor generates an alarm when concentration exceeds 20 percent of OEL; (c) automatic enclosure lockdown activates within 10 seconds of alarm. Pass criterion: all three measurements confirmed. Rationale: SYS-REQ-004 is a SIL-2 H-001 safety requirement. Test verification with physical airflow measurement is required by COSHH regulations to confirm the negative pressure isolation is effective under actual production conditions. Design analysis of HVAC specifications cannot confirm in-situ airflow velocities with production equipment in place. | Test | session-564, validation, containment, sil-2, h-001, sys-level, idempotency:session564-ver-sys004-containment-system-level |
| VER-REQ-092 | The verification activity for SYS-REQ-011 SHALL register an active LOTO lockout device in the MES for three separate equipment types (tablet press, granulator, packaging line), attempt restart commands for each via operator HMI, supervisor override, and programmatic API, and confirm all nine restart attempts are rejected with LOTO interlock alarm while the lockout is active; remove each lockout device and confirm equipment restart is then permitted. Pass criterion: all 9 blocking attempts rejected and all 3 restart permits granted after LOTO removal. Rationale: SYS-REQ-011 is a SIL-2 H-007 safety requirement — preventing energisation of equipment during maintenance. Test verification with three equipment types and three restart methods confirms the LOTO interlock is implemented uniformly across the system, not just for the specific configurations tested at subsystem level (VER-REQ-007, VER-REQ-037, VER-REQ-066). | Test | session-564, validation, loto, sil-2, h-007, sys-level, idempotency:session564-ver-sys011-loto-system-level |
| VER-REQ-093 | The verification activity for SYS-REQ-001 SHALL execute a continuous 12-hour simulated production run at the nominal recipe setpoint for a representative product, log the MES production counter at the start and end of each unit operation, and confirm: (a) cumulative tablet output at end of shift is at least 300,000 tablets; (b) MES OEE report is updated at least once per hour; (c) OEE is calculated and displayed for the shift. Pass criterion: throughput target met and hourly OEE reporting confirmed. Rationale: SYS-REQ-001 is the primary production capacity requirement derived from STK-REQ-001. Test verification requires a full-shift production run to confirm all subsystem throughput contributions combine to meet the system-level target; static analysis of individual subsystem rates cannot confirm dynamic bottlenecks are absent. | Test | session-564, validation, throughput, oee, sys-level, idempotency:session564-ver-sys001-throughput-system-level |
| VER-REQ-094 | The verification activity for SYS-REQ-002 SHALL execute a complete batch lifecycle in the MES test environment: create an EBR, execute all lifecycle steps with electronic signatures, perform an audit trail review, confirm backup occurs within 15 minutes by checking backup timestamps, then tamper with one EBR record directly and confirm the cryptographic hash integrity check detects the alteration within 60 seconds. Pass criterion: all lifecycle operations succeed with electronic signatures, backup interval confirmed, and tamper detection triggered. Rationale: SYS-REQ-002 covers EBR data integrity and electronic signature enforcement under 21 CFR Part 11 and EU GMP Annex 11. The original Inspection method is insufficient for a SIL-2 H-006 data integrity requirement — Test is required to confirm the hash chain, access controls, and backup intervals function correctly under actual system load. | Test | session-564, validation, ebr, 21cfr11, sil-2, h-006, sys-level, idempotency:session564-ver-sys002-ebr-system-level |
| VER-REQ-095 | The verification activity for SYS-REQ-009 SHALL induce PAT sensor-degraded mode in a running production simulation, and confirm: (a) the system switches to manual in-process testing mode within 30 seconds with a 15-minute sampling schedule; (b) production throughput is maintained at 50 percent of nominal or above for the next 30 minutes; (c) Production Supervisor receives a prominent EBR annotation within 30 seconds. Pass criterion: all three confirmations met across 3 test runs. Rationale: SYS-REQ-009 implements the PAT Sensor Drift ConOps scenario — degraded mode must maintain minimum throughput while protecting product quality. Test verification confirms the mode transition, throughput floor, and supervisor notification all occur within the required time bounds under actual system load. | Test | session-564, validation, degraded-mode, pat, sys-level, pat-sensor-drift-scenario, idempotency:session564-ver-sys009-degraded-mode-system-level |
| VER-REQ-096 | The verification activity for SYS-REQ-010 SHALL run a packaging line production of 500 saleable units, confirm 100 percent of units receive a 2D DataMatrix barcode encoding serial number, GTIN, lot number, and expiry date, measure the barcode verification reject rate over the run and confirm it is below 0.5 percent, then confirm aggregation data for the lot is uploaded to the external serialisation system within 2 hours of line completion. Pass criterion: 100 percent barcode application, reject rate below 0.5 percent, and upload confirmed. Rationale: SYS-REQ-010 implements EU FMD and DSCSA serialisation requirements at system level. Test verification requires a production-representative run because barcode reject rate is a statistical metric that cannot be confirmed by inspection of the print-and-verify station in isolation from the full packaging line. | Test | session-564, validation, serialisation, eu-fmd, sys-level, idempotency:session564-ver-sys010-serialisation-system-level |
| VER-REQ-097 | The verification activity for SYS-REQ-012 SHALL run the tablet press at nominal speed with IPC system active, inject 10 tablets per rejection criterion (10 overweight, 10 underweight, 10 hard, 10 soft, 10 thick, 10 thin) into the press feed, confirm all 60 out-of-specification tablets are rejected at the IPC station, then inject a sequence exceeding the L1 AV threshold of 15.0 and confirm the entire production segment is rejected. Pass criterion: 60/60 individual rejections and segment rejection confirmed. Rationale: SYS-REQ-012 defines the system-level tablet quality rejection criteria. Test verification with deliberate OOS samples per acceptance criterion confirms the rejection logic is implemented for all specified parameters, not just the ones tested at subsystem level. The L1 AV segment rejection is an additional system-level control not covered by individual tablet rejection tests. | Test | session-564, validation, product-quality, ipc, sys-level, idempotency:session564-ver-sys012-product-quality-system-level |
| VER-REQ-098 | The verification activity for SUB-REQ-058 SHALL log in as QC Analyst in the MES test environment, trigger a CQA limit violation, activate the manual override function and confirm: (a) EBR electronic signature is required before override activates; (b) override expires automatically after 60 minutes and autonomous CQA evaluation resumes; (c) attempted override without electronic signature is rejected. Pass criterion: all three confirmations met. Rationale: SUB-REQ-058 is a SIL-3 H-004 safety constraint on the PAT autonomous diversion function. Test is required to confirm the signature gate, duration limit, and automatic restoration all function correctly under operational conditions. | Test | session-564, validation, pat, sil-3, h-004, override, functional-autonomy, idempotency:session564-ver-sub058-pat-override-test |
| VER-REQ-099 | The verification activity for SUB-REQ-059 SHALL conduct a physical inspection of the Granulation and Blending Subsystem installation during commissioning: confirm the equipment bay is classified ISO 8 (Grade D) by environmental monitoring certificate, confirm all product-contact surfaces are 316L stainless steel by material certification, and confirm all IBC transfer connections are documented as ANSI/ISPE OEB 4-compatible by supplier certificate. Pass criterion: all three material and classification certificates present and signed by QA. Rationale: SUB-REQ-059 is SIL-2 tagged (G&B containment subsystem contributes to H-002 cross-contamination mitigation via OEB 4 transfer connection integrity). IEC 61508 SIL-2 requires Test verification for safety-critical installation requirements — Inspection alone cannot confirm that the sealed IBC transfer connections withstand operating pressures and do not leak fine powder. The Test method adds: (d) pneumatic pressure integrity test of each ANSI/ISPE OEB 4-compatible transfer connection at 0.7 bar dry-air for 30 seconds with zero detectable powder leakage (leak detector ≤1×10⁻⁶ mbar·L/s). Inspection checks (material certificates, environmental certificate, sensor heights) are retained as Pass criteria (a)-(c) within the same Test protocol. | Test | session-565, validation, granulation, installation, sil-2, idempotency:session565-ver-subreq059-granulation-install |
| VER-REQ-100 | The verification activity for SUB-REQ-060 SHALL measure PCS power consumption at full PLC chassis load using a calibrated power analyser (confirm ≤ 500 W per chassis), then disconnect utility mains and confirm: (a) UPS sustains all PLC and HMI functions for a minimum of 30 minutes; (b) a power failure alarm appears on the SCADA operator screen within 2 seconds of mains loss; (c) supply voltage remains within 23.0–25.0 VDC throughout the test. Pass criterion: all three checks confirmed in a single test run. Rationale: SUB-REQ-060 specifies the PCS power integrity constraints that protect batch execution during utility interruptions. Test verification with physical mains disconnection is the only method that can confirm the 30-minute autonomy period, the 2-second alarm response, and the voltage regulation simultaneously — these are measurable performance parameters that cannot be confirmed by Inspection or Analysis alone. PCS power continuity is an enabler for the MES heartbeat (SUB-REQ-061) and the safe-state transition sequence. | Test | session-565, validation, pcs, power, ups, idempotency:session565-ver-subreq060-pcs-power |
| VER-REQ-101 | The verification activity for SUB-REQ-061 SHALL: (a) Watchdog test — suspend the MES heartbeat signal in a test environment and confirm the watchdog triggers a controlled safe-state transition within 30 seconds: batch execution suspended, HVAC failsafe command issued (confirmed at HVAC controller), and an operator alert generated; (b) E-STOP test — activate the dedicated physical E-STOP button at each operator workstation in sequence and confirm all MES-controlled automated functions halt within 10 seconds per activation; (c) Confirm all watchdog and E-STOP events are recorded in the EBR with timestamp and operator station ID. Pass criterion: all activations meet timing criteria and EBR records are present. Rationale: SUB-REQ-061 is a SIL-tagged safety requirement covering the MES watchdog timer and operator E-STOP — both are safety-critical functions for the Emergency Stop operating mode. IEC 61511 (Functional Safety — Safety Instrumented Systems for the Process Industry Sector) requires Test verification for SIL-rated functions; Analysis or Inspection alone cannot demonstrate that the actual hardware/software combination meets the 30-second watchdog timeout and 10-second E-STOP response. The HVAC failsafe confirmation is critical because HVAC exhaust mode is the H-001 containment breach safe state. | Test | session-565, validation, mes, watchdog, estop, sil-2, safety-critical, idempotency:session565-ver-subreq061-mes-watchdog |
| VER-REQ-102 | The verification activity for SUB-REQ-062 SHALL conduct a commissioning inspection of all environmental monitoring sensor installations: (a) verify differential pressure transmitters are present at each of the three controlled cleanroom boundaries by physical walkthrough against installation drawing; (b) confirm temperature and humidity sensor mounting heights are within 0.8–1.2 m above finished floor level using calibrated measuring tape at each classified bay; (c) verify 316L stainless steel construction for all sensor housings by material certification; (d) confirm ISO 8 installation certificate signed by QA for each bay. Pass criterion: all four checks confirmed at all locations. Rationale: SUB-REQ-062 governs physical sensor placement and material certification — Inspection is the correct method as the requirement is verified by physical presence, position measurement, and certificate review, not by dynamic testing. The commissioning inspection is conducted against installation drawings and GMP qualification records and forms part of the Installation Qualification (IQ) package per ISPE Baseline Guide Volume 5 (Commissioning and Qualification). | Inspection | session-565, validation, environmental-control, sensor-installation, idempotency:session565-ver-subreq062-sensor-install |
| VER-REQ-103 | The verification activity for SYS-REQ-026 SHALL install reference traceable standards at three cleanroom monitoring points, confirm each differential pressure transmitter reads within ±1 Pa of the reference standard at 0, 50, and 100 Pa calibration points; each temperature transmitter reads within ±0.3°C at 15°C, 22°C, and 30°C; each RH transmitter reads within ±2% RH at 30%, 50%, and 70% RH. Pass criterion: all calibration points within stated tolerances for all installed sensors, confirmed against ISO 17025-accredited calibration records. Rationale: SYS-REQ-026 specifies sensor accuracy requirements (±1 Pa, ±0.3°C, ±2% RH) and calibration intervals. These tolerances must be demonstrated by calibration test against traceable reference standards — instrument specification alone does not demonstrate field accuracy after installation. ISO 17025-accredited calibration records provide the regulatory evidence required for GMP instrument qualification. | Test | session-566, validation, cleanroom, environmental, physical-embodiment, idempotency:ses566-ver-sys026-cleanroom-sensors |
| VER-REQ-104 | The verification activity for SYS-REQ-027 SHALL confirm: (a) with PLC in RUN mode, pressing the manual override pushbutton at each equipment panel de-energises the target actuator within 250 ms (measured via oscilloscope on the actuator power circuit); (b) initiating an Emergency Stop via a hardwired safety relay input (bypassing software) de-energises all drives within 250 ms; (c) the override actions do not require any software acknowledgement and are effective regardless of recipe or interlock state. Pass criterion: all actuators de-energised within 250 ms on every test, 100% success rate across 10 consecutive tests per actuator type. Rationale: SYS-REQ-027 specifies hardware-enforced overrides and 250ms E-stop response. The 250ms timing must be measured with an oscilloscope on the power circuit — software timing logs are insufficient because software failure is the scenario being mitigated. Testing with PLC in RUN mode confirms override works under normal software conditions; hardware bypass test (direct relay input) confirms override is independent of software state. EN ISO 13849-1 requires demonstrated performance level for safety-related control functions. | Test | session-566, validation, process-control-system, safety-override, sil-2, idempotency:ses566-ver-sys027-pcs-override |
| VER-REQ-105 | The verification activity for SYS-REQ-023 SHALL: (a) log in as a qualified Production Supervisor in the MES test environment; (b) trigger a PAT-induced automated batch diversion; (c) invoke the operator override function and confirm the system requests 21 CFR Part 11 electronic signature before accepting the override; (d) confirm the diversion is suspended and the override timer starts; (e) confirm the system automatically restores automated diversion control after 60 minutes without operator action; (f) confirm the audit trail records operator identity, override reason, start time, and duration. Pass criteria: 21 CFR Part 11 e-sig enforced on all override invocations; auto-restore within 60 minutes (±30 seconds); all 5 audit trail fields populated. Rationale: SYS-REQ-023 (operator override capability, 21 CFR Part 11, 60-minute auto-restore) was identified as having no VER trace in the validation session. The override function is safety-relevant because suspension of automated diversion without audit trail creates H-004 (OOS product release) risk. Test verification is required to confirm: (1) electronic signature cannot be bypassed, (2) auto-restore timeout functions correctly, and (3) audit trail is complete per 21 CFR Part 11 requirements. | Test | session-567, validation, override, normal-production, 21-cfr-part-11, sys-023, idempotency:session567-ver-sys023-operator-override |
| VER-REQ-106 | The verification activity for SYS-REQ-022 SHALL conduct a commissioning inspection of the manufacturing facility against the approved GMP facility layout drawing: (a) confirm presence of at least four classified cleanrooms (weigh booth, granulation/compression, coating/packaging, and materials corridor) by physical walkthrough; (b) confirm ISO 7/Grade C classification certificate for the weigh booth and ISO 8/Grade D classification for remaining production bays by review of environmental monitoring qualification certificates; (c) confirm positive pressure cascade from cleanest to less-clean zones via magnehelic gauge readings at each boundary; (d) confirm dedicated access airlocks at each classified zone boundary. Pass criterion: all four zone certificates present, signed by QA; pressure cascade confirmed in the correct direction at all boundaries. Rationale: SYS-REQ-022 is a facility layout inspection requirement (ISO 7/Grade C cleanrooms). Inspection is the appropriate verification method since compliance is demonstrated by facility qualification certificates and physical walkthrough, not by instrument test. EU GMP Annex 1 requires documented environmental classification for each cleanroom zone. | Inspection | session-567, validation, facility, cleanroom, sys-022, idempotency:session567-ver-sys022-facility-layout |
| VER-REQ-107 | The verification activity for SYS-REQ-025 SHALL inspect the installed environmental monitoring sensor positions in each classified bay: (a) measure mounting height of temperature and humidity sensors at each of the three classified bays with a calibrated measuring tape and confirm all sensors are within 0.8 to 1.2 m above finished floor level; (b) confirm differential pressure transmitters are positioned at each of three controlled cleanroom boundaries; (c) confirm all sensor cables route to the EMS rack and that the EMS controller is within the classified area. Pass criterion: all sensor positions within specified height range; differential pressure taps at all three boundaries; EMS rack location confirmed. Rationale: SYS-REQ-025 specifies physical sensor mounting positions (0.8-1.2m height, three DP boundaries). Inspection is appropriate as sensor placement is verified by physical measurement during commissioning. No VER trace existed prior to this session. | Inspection | session-567, validation, sensors, physical-embodiment, sys-025, idempotency:session567-ver-sys025-sensor-placement |
| VER-REQ-108 | The verification activity for SYS-REQ-028 SHALL perform a physical commissioning inspection of the GMP equipment rack housing the EMS controller, PCS I/O modules, and 4-20mA signal conditioning hardware: (a) confirm the enclosure IP rating is IP54 or better by inspection of the manufacturer certificate; (b) confirm stainless steel construction by visual inspection and material certificate; (c) confirm the rack is installed within the manufacturing line classified area by physical location check against the approved facility layout drawing; (d) confirm connection to the clean power UPS supply by following the UPS output cable to the rack power inlet and verifying the UPS label matches SYS-REQ-007 specification; (e) confirm at least three 4-20mA input channels are wired to differential pressure transmitters at the three cleanroom boundaries. Pass criterion: all five checks confirmed and documented in the commissioning inspection record. Rationale: SYS-REQ-028 specifies the physical attributes of the environmental monitoring rack (IP54, stainless steel, location in classified area, UPS connection, 4-20mA channels). Inspection is the appropriate verification method: physical attributes are confirmed by inspection and review of material certificates rather than by instrument testing. The inspection record provides the documentary evidence required for GMP facility qualification. | Inspection | session-568, validation, normal-production, physical-embodiment, mes, sys-028, idempotency:session568-ver-sys028-rack-inspection |
| VER-REQ-115 | The verification activity for SYS-REQ-030 SHALL inspect the PCS network architecture documentation to confirm that a firewall or unidirectional gateway separates the PCS from the enterprise IT network, review the network topology diagram and firewall ruleset, confirm that an IEC 62443-3-3 Security Level 2 compliance assessment is documented, test access control by attempting an HMI login with invalid credentials and confirming that lockout occurs, and review the user access matrix to confirm that individual user authentication is in place. Rationale: Network isolation and access control for safety-critical OT systems cannot be fully tested at the system level without risk of disrupting live production. Inspection of the documented architecture and security assessment, combined with targeted authentication testing, provides the required verification for a safety-functional cybersecurity requirement. | Inspection | session-549, qc, cybersecurity, pcs, verification, idempotency:ver-sys-req-030-pcs-cyber-session-549 |
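The SHA-256 hash-chain tamper check that VER-REQ-094 exercises (the MES diagram below labels the link "EBR entries and signature events for SHA-256 chaining") is illustrated by the following added Python example, which is not the MES project's code. The record layout, the all-zero genesis anchor, the signer identities and the batch B-0001 entries are constructed assumptions for the illustration.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Assumed anchor for the first record's prev_hash (constructed for this example).
GENESIS_HASH = "0" * 64


@dataclass
class EbrEntry:
    """One electronic batch record entry (constructed layout, not the MES schema)."""
    seq: int
    batch_id: str
    step: str
    payload: dict
    signer: str        # identity behind the e-signature event for this entry
    prev_hash: str     # entry_hash of the preceding record (the chain link)
    entry_hash: str = ""

    def canonical(self) -> bytes:
        # Canonical JSON (sorted keys, no whitespace) so the digest does not
        # depend on serialisation details; entry_hash itself is excluded.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(entry: EbrEntry) -> str:
    return hashlib.sha256(entry.canonical()).hexdigest()


def append_entry(chain: list[EbrEntry], batch_id: str, step: str,
                 payload: dict, signer: str) -> EbrEntry:
    """Append a record whose hash covers its content and the previous hash."""
    prev = chain[-1].entry_hash if chain else GENESIS_HASH
    entry = EbrEntry(len(chain), batch_id, step, payload, signer, prev)
    entry.entry_hash = compute_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list[EbrEntry]) -> list[int]:
    """Return the seq numbers of records that fail the integrity check.

    A record fails if its stored hash does not match its content, or if its
    prev_hash does not match the preceding record's stored hash.
    """
    failures = []
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if (entry.seq != i or entry.prev_hash != expected_prev
                or compute_hash(entry) != entry.entry_hash):
            failures.append(i)
        expected_prev = entry.entry_hash
    return failures


def head_hash(chain: list[EbrEntry]) -> str:
    """Hash of the newest record: the value a periodic backup would retain."""
    return chain[-1].entry_hash if chain else GENESIS_HASH


def matches_anchor(chain: list[EbrEntry], anchor: str) -> bool:
    """Compare the live chain head with an externally stored anchor hash."""
    return head_hash(chain) == anchor


def build_sample_chain() -> list[EbrEntry]:
    """Constructed batch lifecycle for a fictitious batch B-0001."""
    chain: list[EbrEntry] = []
    append_entry(chain, "B-0001", "dispense", {"api_kg": 12.5}, "op.alice")
    append_entry(chain, "B-0001", "granulate", {"torque_nm": 42.1, "lod_pct": 2.3}, "op.alice")
    append_entry(chain, "B-0001", "ipc_weight", {"mean_mg": 250.2, "rsd_pct": 1.1}, "qc.bob")
    append_entry(chain, "B-0001", "release", {"disposition": "approved"}, "qa.carol")
    return chain


def edit_record(chain: list[EbrEntry], seq: int, key: str, value) -> None:
    """Direct database edit that leaves the stored hash untouched (the VER-REQ-094 scenario)."""
    chain[seq].payload[key] = value


def rehash_from(chain: list[EbrEntry], seq: int) -> None:
    """Recompute every hash from seq onward, modelling an edit that also rewrites
    the downstream links; only the external anchor still catches this case."""
    for i in range(seq, len(chain)):
        chain[i].prev_hash = chain[i - 1].entry_hash if i else GENESIS_HASH
        chain[i].entry_hash = compute_hash(chain[i])


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = head_hash(chain)                    # head hash retained by backup
    edit_record(chain, 2, "mean_mg", 249.0)      # tamper with one EBR record
    print("failures after direct edit:", verify_chain(chain))
    rehash_from(chain, 2)                        # rewrite the tail to hide it
    print("failures after rehash:", verify_chain(chain))
    print("matches backup anchor:", matches_anchor(chain, anchor))
```

A direct edit fails at the edited record, an edit that recomputes only its own hash fails at the next record, and a rewrite of the whole tail passes the link check and is caught only against the backed-up head hash, which is why the 15-minute backup in VER-REQ-094 matters for tamper detection.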
```mermaid
flowchart TB
    n0["component<br>NIR Spectrometer"]
    n1["component<br>Raman Spectrometer"]
    n2["component<br>Laser Diffraction Analyser"]
    n3["component<br>PAT DAC Workstation"]
    n4["component<br>CQA Model Engine"]
    n5["component<br>Diversion Valve Assembly"]
    n6["external<br>MES (External)"]
    n7["component<br>PAT NIR Spectrometer"]
    n8["component<br>PAT Raman Spectrometer"]
    n9["component<br>PAT Laser Diffraction Analyser"]
    n10["component<br>PAT Data Acquisition and Processing Workstation"]
    n11["component<br>PAT CQA Model Engine"]
    n12["component<br>PAT Batch Diversion Valve Assembly"]
    n0 -->|spectra USB3/Eth| n3
    n1 -->|spectra RS-232| n3
    n2 -->|PSD data| n3
    n3 -->|model execution| n4
    n3 -->|diversion cmd| n5
    n3 -->|OPC-UA: CQA alarm, health| n6
    n7 -->|NIR spectra 400-2500nm, 30s cycle| n10
    n8 -->|Raman spectra 785nm, 60s cycle| n10
    n9 -->|PSD data D10/D50/D90 at 2Hz| n10
    n11 -->|validated chemometric model predictions| n10
    n10 -->|diversion command on CQA fail SIL 3, 2s| n12
```

Process Analytical Technology Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>Electronic Batch Record Engine"]
    n1["component<br>Electronic Signature Controller"]
    n2["component<br>Hash Chain Integrity Engine"]
    n3["component<br>LOTO Registry Module"]
    n4["component<br>Batch Genealogy Database"]
    n5["external<br>PAT Subsystem (External)"]
    n6["external<br>ERP/SAP (External)"]
    n7["component<br>MES Electronic Batch Record Engine"]
    n8["component<br>MES Electronic Signature Controller"]
    n9["component<br>MES Hash Chain Integrity Engine"]
    n10["component<br>MES LOTO Registry Module"]
    n1 -.->|e-sig events| n0
    n2 -.->|hash chain| n0
    n3 -.->|LOTO events to EBR| n0
    n4 -->|genealogy data| n0
    n5 -->|CQA data, alarms| n0
    n0 -->|batch records out| n6
    n7 -->|signature request with meaning metadata| n8
    n8 -->|signed record with non-repudiation token| n7
    n7 -->|EBR entries and signature events for SHA-256 chaining| n9
    n10 -->|LOTO lock status and isolation point confirmation| n7
```

Manufacturing Execution System — Internal
```mermaid
flowchart TB
    n0["component<br>High Shear Granulator"]
    n1["component<br>Granule Transfer System"]
    n2["component<br>Fluid Bed Dryer"]
    n3["component<br>Granule Sizing Mill"]
    n4["component<br>IBC Blender"]
    n5["external<br>MES Recipe Controller"]
    n6["external<br>PAT DAC Workstation"]
    n7["component<br>High-Shear Granulator"]
    n8["component<br>Blending Vessel"]
    n9["component<br>Granulation Process Controller PLC"]
    n0 -->|wet granules| n1
    n1 -->|wet granules| n2
    n2 -->|dried granules| n3
    n3 -->|sized granules| n4
    n5 -.->|recipe control| n0
    n5 -.->|recipe control| n2
    n5 -.->|blend recipe| n4
    n6 -.->|NIR blend endpoint| n4
    n2 -->|LOD NIR signal| n6
    n9 -->|recipe setpoints torque, temp, spray rate| n7
```

Granulation and Blending — Internal
```mermaid
flowchart TB
    n0["component<br>Rotary Tablet Press"]
    n1["component<br>Tablet IPC System"]
    n2["component<br>Punch Die Tooling"]
    n3["component<br>Containment Housing"]
    n4["external<br>IBC Blender"]
    n5["external<br>PAT Workstation"]
    n6["external<br>MES"]
    n4 -->|granule feed| n0
    n0 -->|compression force| n1
    n2 -->|tooling RFID| n0
    n1 -->|OPC-UA weight/hardness| n5
    n1 -->|rejection events| n6
    n3 -.->|guard interlock| n0
```

Tablet Compression Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>HVAC Air Handling Unit"]
    n1["component<br>Containment Safety PLC"]
    n2["component<br>Environmental Monitoring System"]
    n3["component<br>Potent Compound Isolator"]
    n4["component<br>Differential Pressure Monitoring Controller"]
    n5["component<br>Exhaust Air Treatment Unit"]
    n1 -->|safety commands| n0
    n4 -->|damper control| n0
    n4 -->|pressure data| n2
    n2 -->|alarm signals| n1
    n0 -->|exhaust air| n5
    n3 -->|containment exhaust| n5
    n1 -.->|pressure monitoring| n3
```

Containment and Environmental Control Subsystem — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Airborne potent compound exposure hazard | 40400251 | Hazard in Pharmaceutical Manufacturing Line during production or changeover: containment failure releases airborne active pharmaceutical ingredient (API) with occupational exposure limit below 1µg/m³. Operators inhale potent compound causing acute pharmacological effects or chronic health damage. Consequence ranges from reversible symptoms to permanent organ damage depending on compound potency class. |
| blending subsystem | DE851218 | Physical granulation and blending subsystem of a pharmaceutical manufacturing line. Consists of a high-shear granulator (150L bowl), fluid bed dryer, and bin blender mounted in a Grade D cleanroom bay. All product-contact surfaces are 316L stainless steel. Physical footprint ~20m², weight ~2000kg. Processes dry/wet powders. |
| Changeover and Cleaning mode of Pharmaceutical Manufacturing Line | 40953A58 | Product changeover mode between manufacturing campaigns. All product-contact surfaces must be cleaned to validated levels to prevent cross-contamination. Cleaning validation acceptance criteria are typically <10ppm of previous product or <0.1% of minimum therapeutic dose, verified by swab testing and rinse sampling with HPLC analysis. For potent compounds (OEL <10µg/m³), dedicated equipment or additional containment cleaning is required. Duration: 4-24 hours depending on product toxicity classification. Operators follow product-specific cleaning SOPs. |
| Cleanroom environmental control failure hazard | 00050259 | Hazard in Pharmaceutical Manufacturing Line: HVAC system failure causes loss of cleanroom differential pressure, temperature, or humidity control. Microbial contamination enters product stream. For non-sterile oral solid dosage, bioburden limits apply (TAMC <10³ CFU/g). Loss of humidity control causes powder hygroscopic degradation or electrostatic buildup. Consequence: batch contamination, potential patient infection risk for immunocompromised patients, or product stability failure. |
| Coat Tablets | 54D53218 | System function of Pharmaceutical Manufacturing Line: apply aqueous film coating to compressed tablet cores for moisture protection, taste masking, and product identification in a perforated pan coater. Inputs: tablet cores, coating suspension, inlet air at 60 °C. Outputs: coated tablets with uniform coating thickness ±10%, specified appearance and dissolution profile. Constraints: 45 min coating cycle, controlled spray rate, exhaust humidity monitoring. |
| Compress Tablets | 56B73258 | System function of Pharmaceutical Manufacturing Line: form granule blend into tablets of specified weight (±5%), hardness, thickness (±2%), and content uniformity using rotary tablet press at 20-80 RPM. Inputs: blended granule from IBC, compression parameters. Outputs: compressed tablets meeting pharmacopoeial specs. Constraints: per-station force monitoring, automatic out-of-spec rejection, 300k tablets/shift, real-time PAT NIR monitoring. |
| Containment and Environmental Control Subsystem | 55F73858 | Potent compound containment and cleanroom environmental monitoring subsystem. Manages OEB 4/5 (OEL < 1 µg/m³) isolation barriers including laminar flow isolators, split butterfly valves (SBVs), and continuous liner systems for potent compound transfer. Continuous real-time monitoring of airborne particle concentration at operator breathing zones using isokinetic sampling (LPC). Also integrates cleanroom environmental monitoring: differential pressure transducers (±1 Pa accuracy), temperature/humidity sensors (±0.5°C/±1% RH), particle counters (ISO 21501-4 compliant). Alarm generation, automated enclosure lockdown, and emergency purge functions. |
| Containment Safety PLC | 51F77858 | IEC 61508 SIL-2 rated safety programmable logic controller dedicated to the Containment and Environmental Control Subsystem. Executes safety instrumented functions: containment breach detection and automated response (switch HVAC to 100% exhaust within 30s, trigger alarm), emergency stop interlock for all material handling in containment zones, and fail-safe HVAC damper control on power loss. Receives inputs from airborne particle counters, API concentration monitors, and door/access interlocks. Outputs commands to HVAC dampers, alarm system, and MES. Operates in 1oo2D redundant configuration per IEC 62061 (Safety of machinery — Functional safety of safety-related control systems). Certified to EN ISO 13849-1 PLd for machine safety functions. |
| Control Environment and Containment | 51F73858 | System function of Pharmaceutical Manufacturing Line: maintain ISO 7/8 cleanroom conditions (20±2°C, 45±5% RH, +15 Pa differential pressure, 20 ACH HEPA filtration), enforce negative-pressure containment for potent compounds (OEL <1 µg/m³, 0.5 m/s inward airflow), execute emergency stop (de-energise all drives within 3 seconds, close transfer valves within 5 seconds), and implement machine safety per EN ISO 13849-1 PLd. Inputs: environmental sensor data, containment air monitors, E-stop signals, safety interlocks. Outputs: conditioned air, containment isolation, emergency shutdown commands. Constraints: SIL 2 for containment, continuous particle/environmental monitoring. |
| Cross-contamination between drug products hazard | 00000259 | Hazard in Pharmaceutical Manufacturing Line during changeover: residual API from previous product campaign contaminates the next product. Patient receives unintended drug at unknown dose. Particularly dangerous when previous product is a cytotoxic, hormone, or sensitising agent. Consequence: patient harm from unintended pharmacological effect, product recall, regulatory action. |
| Degraded Production mode of Pharmaceutical Manufacturing Line | 40941A19 | Production continues with reduced capability after a non-critical equipment fault or PAT sensor degradation. Examples: one of two redundant NIR probes fails (production continues at reduced throughput with single probe plus increased manual sampling), coating pan temperature sensor drift (manual temperature checks substituted), or secondary packaging line fault (tablets held in bulk containers pending packaging repair). Key constraint: product quality must still be demonstrably maintained — if quality cannot be assured, mode transitions to emergency stop. |
| Differential Pressure Monitoring Controller | 55F77A58 | Dedicated digital controller maintaining GMP cleanroom pressure cascade between room grades. Reads calibrated differential pressure transmitters (range 0–100 Pa, accuracy ±1 Pa) at each cleanroom boundary. Drives HVAC VAV damper actuators to maintain target pressure differentials: +10 Pa between ISO 7 and corridor, -12.5 Pa inside containment isolators. Generates alerts within 60 seconds of differential pressure excursion beyond ±15 Pa of target per SYS-REQ-006. Logs all pressure data with timestamp for GMP record, forwarding to EMS. SIL-1 rated per IEC 61508 for pressure cascade maintenance function. |
| Drug serialisation and track-and-trace system | 40E57BD9 | External serialisation system compliant with EU FMD, US DSCSA, and other national track-and-trace regulations. Generates unique serial numbers for each dosage unit, manages aggregation hierarchy (unit→bundle→case→pallet), and uploads data to national verification databases. Interface via EPCIS events over AS2/REST. Owned by supply chain/regulatory team. |
| Electronic batch record data integrity failure hazard | 00010259 | Hazard in Pharmaceutical Manufacturing Line: electronic batch record system loses data integrity — process parameters are corrupted, overwritten without audit trail, or fabricated. Regulatory consequence: FDA 483 observation, warning letter, consent decree. Product consequence: inability to demonstrate product was manufactured under controlled conditions, requiring recall of all batches since last verified data integrity checkpoint. This is the #1 cause of FDA warning letters in pharmaceutical manufacturing. |
| Emergency Stop mode of Pharmaceutical Manufacturing Line | 40B57A51 | Safety-critical mode triggered by detection of conditions that could compromise product quality, operator safety, or equipment integrity. Triggers include: containment breach of potent compound (airborne API exceeds OEL), dust explosion risk (dust concentration exceeds 25% LEL), loss of cleanroom differential pressure (contamination risk), critical PAT failure where quality cannot be assured, or manual emergency stop activation. All motors de-energise, containment dampers close, HVAC switches to full exhaust mode, and the batch is quarantined pending investigation. |
| Enterprise Resource Planning System for pharmaceutical plant | 50A57B58 | SAP or Oracle ERP system external to the manufacturing line. Provides production orders, bill of materials, material master data. Receives batch completion records, material consumption, yield data. Interface via OPC-UA or REST API through DMZ. Owned by corporate IT, not manufacturing. Availability: 99.5% with planned maintenance windows on weekends. |
| Environmental Health and Safety Officer | 008D38F9 | EHS role responsible for occupational safety on the pharmaceutical manufacturing line. Manages containment strategies for potent compounds, dust explosion prevention, ergonomic assessments, personal protective equipment selection, exposure monitoring, and emergency response coordination. Leads incident investigation for containment breaches. |
| Environmental Monitoring System | 54F77B58 | GxP-compliant Environmental Monitoring System (EMS) server software running on validated hardware within the pharmaceutical manufacturing facility's IT infrastructure. Aggregates continuous data streams from differential pressure transmitters, temperature/RH probes, particle counters, and API concentration monitors across all four ISO 7/8 cleanroom bays. Stores 21 CFR Part 11-compliant environmental monitoring records with electronic audit trail. Generates excursion alerts within 60 seconds of out-of-limit conditions per SYS-REQ-006. Interfaces with MES via OPC UA to embed environmental data in electronic batch records. Interfaces with building management system for HVAC setpoint adjustment. ISPE GAMP 5 Category 4 validated software. |
| Exhaust Air Treatment Unit | D6F73058 | Downstream exhaust treatment system processing exhaust air from the potent compound containment isolator and weigh booth before discharge to atmosphere. Comprises a two-stage filtration train: H14 HEPA pre-filter removing API-laden particulates to >99.995% efficiency, followed by activated carbon adsorption for volatile organic compound removal. Interlocked with Containment Safety PLC — if filter differential pressure exceeds replacement threshold, an alarm is generated and the HVAC system is switched to backup exhaust path. Compliant with ATEX Directive 2014/34/EU for operation in pharmaceutical dust environments. Sized for 2000 m³/hour exhaust flow from all containment zones. |
| FDA/EMA Regulatory Inspector | 00847AF9 | Government authority inspector who audits the pharmaceutical manufacturing facility for compliance with 21 CFR Parts 210/211, EU GMP Annex 15, and ICH guidelines. Reviews batch records, data integrity, validation documentation, deviation management, and CAPA effectiveness. Findings range from observations (483) to warning letters to consent decrees. |
| film coating subsystem | DEC51218 | Physical pharmaceutical coating unit comprising a rotary pan coater (60L capacity), inlet/outlet air handling system, coating solution spray system, and tablet discharge conveyor. Applies aqueous film coatings to compressed tablet cores at 45-minute cycle times with inlet air at 60 degrees Celsius. Physically installed in a cleanroom with utility connections for compressed air (7 bar), purified water, and electrical power. Contains rotating drum requiring physical guarding and LOTO interlocks. Weighs approximately 800 kg with a footprint of 2m x 1.5m. |
| Film Coating Subsystem | 56F53218 | Tablet film coating subsystem using an Opadry or HPMC-based aqueous coating system. Pan coater with 800L capacity. Sprays aqueous or organic coating suspension onto tablet bed at controlled inlet air temperature (60-70°C), exhaust temperature (40-45°C), and spray rate (100-300 g/min). PAT integration: in-line colour spectrophotometer for coating thickness endpoint determination. Critical outputs: coated tablets with target weight gain ±1%, uniform colour, and moisture barrier. Interfaces: tablet transfer from tablet press, coated tablet transfer to packaging line, PAT coating endpoint data to MES. Organic solvent coating requires ATEX Zone 1 classification. |
| Fluid Bed Dryer | D6F53218 | |
| GMP Cleanroom Environment ISO Class 7/8 | 44853858 | Controlled manufacturing environment for oral solid dosage pharmaceutical production. ISO Class 7 (10,000 particles/m³ at 0.5µm) in compression and coating areas, ISO Class 8 in granulation and packaging. Temperature 18-25°C ±2°C, relative humidity 30-65% RH, pressure cascade +15Pa between zones. HVAC provides 20 air changes/hour with HEPA filtration. Gowning procedures required. Continuous environmental monitoring (particle counters, temperature/humidity loggers). |
| GMP Material Handler | 00050078 | Warehouse and dispensing role responsible for receiving, storing, and dispensing raw materials to the manufacturing line. Verifies material identity (IR spectroscopy or Raman), checks certificate of analysis, manages material status (quarantined/released/rejected), and maintains chain of custody documentation. Works in both warehouse and cleanroom environments. |
| Granulate and Blend | 54F53218 | System function of Pharmaceutical Manufacturing Line: transform weighed API and excipient powders into uniform, compressible granule through wet granulation (high-shear mixing with binder solution), fluid bed drying to <2% LOD, granule sizing through conical mill, and final blending in IBC blender. Inputs: weighed powder charges, binder solution, drying air. Outputs: homogeneous granule blend with d50 150-300 µm, controlled moisture and content uniformity. Constraints: 15 min blend cycles, 60°C drying inlet, 100-500 kg batch size. |
| Granulation and Blending Subsystem | 50F53218 | Wet granulation and fluid bed drying subsystem for pharmaceutical oral solid dosage manufacturing. High-shear granulator processes API/excipient powder blends with binding solution to produce uniform granules. Fluid bed dryer reduces moisture to target LOD (loss on drying) < 2%. V-blender or bin blender performs final blend for content uniformity. PAT integration via in-line NIR for blend endpoint determination. Critical inputs: dispensed powders; critical outputs: dried, blended granules with API content uniformity AV < 15. Key hazard: dust explosion risk for fine powders, explosive atmosphere classification Zone 20/21. |
| Granule Sizing Mill | D6C53218 | |
| High Shear Granulator | D7F53218 | |
| HVAC Air Handling Unit | D6F57058 | Industrial-grade HVAC Air Handling Unit serving GMP cleanroom suites in a pharmaceutical manufacturing facility. Manages supply air temperature (20±2°C), relative humidity (45±5% RH), air changes per hour (20 ACH minimum for ISO 7/8 cleanrooms), and drives the pressure cascade (positive-to-negative) between cleanroom grades. Receives control signals from the Containment Safety PLC and the Differential Pressure Monitoring Controller. Operates in emergency exhaust mode (100% exhaust, 0% recirculation) on containment breach signal. Includes supply and exhaust fans, HEPA H14 filters, heating/cooling coils, and variable air volume dampers. Critical for maintaining cleanroom classification and containment pressure differentials per EU GMP Annex 1 (Manufacture of Sterile Medicinal Products). |
| IBC Blender | D6F53218 | |
| Laboratory Information Management System | 50AD7B58 | |
| Manage Manufacturing Records | 40E53B58 | System function of Pharmaceutical Manufacturing Line: generate, execute, and archive electronic batch records with 21 CFR Part 11 compliant electronic signatures, maintain complete batch genealogy from raw material to finished product, manage deviation records, cleaning status registry, LOTO events, operator handovers, and calculate OEE metrics. Inputs: process events from all subsystems, operator actions, material movements. Outputs: compliant EBRs, genealogy database, deviation records, OEE reports. Constraints: audit trail integrity per 21 CFR Part 11, 15-minute backup intervals, SIL 2 for data integrity. |
| manufacturing execution system | D6B51018 | MES is a physical system: a 2U rack server pair installed in a physical server rack in the plant's Grade C server room. The Manufacturing Execution System hardware has dimensions, weight, and power consumption. It IS a physical object — an installed piece of equipment. Software-based but physically embodied in dedicated server hardware. Physical Object: YES. |
| Manufacturing Execution System | 41B77B58 | Production control, electronic batch record, and scheduling software subsystem for the pharmaceutical manufacturing line. Executes validated batch recipes, generates and enforces electronic batch records per 21 CFR Part 11 and EU Annex 11. Collects process parameters from all equipment (granulator, dryer, blender, tablet press, coater) and PAT instruments at 1-second intervals. Manages operator workflow with electronic signatures. Tracks OEE in real time. Generates production reports and deviations. Interfaces: ERP (production orders), LIMS (test results), PAT subsystem (CQA data), serialisation system (packaging data), environmental monitoring (cleanroom alarms). Runs on validated SCADA/DCS platform with 99.5% availability SLA. |
| Manufacturing Execution System (MES) | 40B57B59 | Software platform for pharmaceutical batch execution management. Orchestrates batch lifecycle per electronic batch records (EBR), enforces 21 CFR Part 11 electronic signatures, manages LOTO registry and equipment interlocks via OPC-UA, and provides audit trail. No independent physical embodiment — runs on plant server infrastructure. Executes batch recipes semi-autonomously with mandatory human approval gates at critical steps. Regulated under FDA 21 CFR Part 11 and EU GMP Annex 11. Interfaces: PAT subsystem, equipment PLCs, environmental control, serialisation system. |
| manufacturing line | DE851218 | Physical pharmaceutical manufacturing line — a real engineered production facility occupying ~800m² of cleanroom space. Physically installed ISO 7 and ISO 8 classified rooms with structural, mechanical, and electrical infrastructure. Has physical embodiment: equipment, pipework, HVAC, electrical panels. A tangible installation requiring construction, qualification, and maintenance. |
| Material Handling and Dispensing Subsystem | 56B53A59 | Raw material receipt, quarantine, dispensing, and gravimetric weighing subsystem for the pharmaceutical manufacturing line. Handles APIs and excipients with weights ranging from grams to kilograms. Integrates with ERP for material orders, uses barcode scanning for lot identification, and interfaces with LIMS for CoA verification. Dispenses into stainless steel vessels that are transferred to the granulator. Includes OEB 4/5 high-containment dispensing booths for potent compounds. Critical inputs: raw material lots; critical outputs: dispensed, weighed, and identified material vessels with EBR records. |
| mes | D6E51018 | MES: a physically installed Manufacturing Execution System. The MES is not abstract software — it is an installed physical system: a 2U server rack in the Grade C server room with network switches, HMI terminals, and barcode scanners. It occupies physical space, has weight, consumes electrical power, and is connected to equipment via physical Ethernet cables. The physical MES hardware receives coating recipe parameters and environmental monitoring data from physical subsystems over plant network. It IS a physical object. |
| MES Electronic Batch Record Engine | 50A73B58 | Core EBR management engine within the MES subsystem of a pharmaceutical manufacturing line. Generates, executes, and archives electronic batch records with 21 CFR Part 11 compliant electronic signatures, tamper-evident audit trail with cryptographic hash chain, and 15-minute automated backup. Manages the complete batch lifecycle from material dispense through release. SIL 2 safety function: data integrity failure triggers switch to paper backup (H-006). |
| MES Electronic Signature Controller | 50AD7B78 | 21 CFR Part 11 compliant e-signature enforcement module within the MES. Manages role-based identity verification for critical EBR steps (batch initiation, exception handling, batch release). Implements FDA-mandated meaning-of-signature binding, requiring operators to re-enter credentials (username+password) for each significant record entry. Generates audit trail entries for every signature event with timestamp, user ID, and action performed. LDAP/AD integration for identity provider. |
| MES Hash Chain Integrity Engine | 40A53158 | Data integrity module within the MES implementing SHA-256 cryptographic hash chaining for all EBR entries. Each record entry includes the SHA-256 hash of the previous entry, creating an immutable linked list. Discontinuity in the hash chain (detected on read or nightly integrity job) triggers an audit alert and EBR lock. Hashes are stored in a separate tamper-evident log table with restricted database user access. Validated per ISPE GAMP 5 Category 4. |
| MES LOTO Registry Module | 40B57B58 | Software module within the MES managing the lockout/tagout registry for all energy-isolating devices on the manufacturing line. Maintains real-time state of each lockable device (lock applied, personnel name, work order, expected release time). Enforces restart prevention: equipment restart commands are blocked unless the LOTO registry confirms all locks released and workers signed off. Interfaces to equipment PLC interlocks via OPC-UA hardened gateway. SIL-2 safety function per H-007. |
| Monitor Process Quality | 45F77A18 | System function of Pharmaceutical Manufacturing Line: acquire real-time PAT sensor data (NIR spectrometry, Raman spectrometry, laser diffraction) at 30-second intervals, evaluate Critical Quality Attribute (CQA) prediction models within 5 seconds, generate system suitability alerts on sensor drift or prediction residual exceedance, and actuate automatic batch diversion valves when CQA limits are breached. Inputs: spectral data from in-line probes, calibration models, specification limits. Outputs: real-time CQA predictions, diversion commands, deviation alerts. Constraints: SIL 3 for out-of-spec product release prevention. |
| normal production | 56C51218 | A physical production phase of the pharmaceutical manufacturing line during which process equipment is actively operating to transform raw pharmaceutical materials into finished dosage forms. During Normal Production, physical equipment is energised and running: the high-shear granulator (30kW motor, 316L stainless vessel), fluid bed dryer (heating element 50kW), rotary tablet press (60 RPM, 1.2 tonne compression force), pan film coater, and blister packaging line are all in active mechanical operation. Physical sensors installed in the production bays measure differential air pressure, temperature, and humidity. The mode represents an industrial manufacturing process with physical machinery, physical transformation of pharmaceutical powder into tablets, physical containment of potent compounds, and physical infrastructure for cleanroom environmental control. |
| Normal Production Campaign Scenario | 40841218 | Normal operations scenario: a 3-day production campaign of 500mg ibuprofen tablets, 300,000 units per batch, 2 batches per day |
| Normal Production Mode | 40B53A58 | Operating mode of a pharmaceutical manufacturing line — not a physical object. Entry conditions: all equipment qualified, batch record initiated, raw materials released. Characterised by automated PAT monitoring, real-time EBR documentation, IPC at 15-min intervals. The line executes the batch recipe semi-autonomously under operator supervision; operator approves exceptions and performs manual sampling. Exit: batch completion, changeover, or escalation to degraded/emergency mode. Governed by validated manufacturing procedures and cGMP regulations. |
| Normal Production mode of Pharmaceutical Manufacturing Line | 54E53218 | Steady-state commercial production mode. Raw materials are dispensed from verified inventory, fed through granulation/blending, compressed into tablets or filled into capsules, coated if required, and packaged with serialisation. In-process controls (weight, hardness, dissolution, NIR content uniformity) run continuously. Process analytical technology (PAT) provides real-time quality data. Operators monitor HMI dashboards, perform manual sampling at defined intervals, and manage material flow. Runs 16-24 hours per day in campaign mode, producing 100k-500k units per batch. |
| Out-of-specification dosage form released to market hazard | 40000259 | Hazard in Pharmaceutical Manufacturing Line during production: PAT system failure or calibration drift causes out-of-specification product (incorrect potency, dissolution, content uniformity) to pass real-time release testing and reach the supply chain. Patient receives sub-therapeutic or supra-therapeutic dose. Particularly dangerous for narrow therapeutic index drugs (warfarin, digoxin, lithium). Consequence: therapeutic failure or toxicity, product recall affecting thousands of patients. |
| Package and Serialise | 44E77A59 | System function of Pharmaceutical Manufacturing Line: form coated tablets into blister packs, perform 100% vision inspection for defects, apply unique 2D DataMatrix barcode (GTIN, serial, lot, expiry) to each saleable unit, aggregate serials to case and pallet level, and upload EPCIS events to national registries (EU FMD, US DSCSA). Inputs: coated tablets, packaging materials (PVC/Alu blisters, cartons). Outputs: serialised, inspected finished goods on pallets. Constraints: <0.1% barcode verification reject rate, 100% serialisation coverage. |
| Packaging and Serialisation Subsystem | 54E57258 | Primary and secondary packaging subsystem with integrated serialisation for the pharmaceutical manufacturing line. Primary packaging: blister forming/sealing (PVC/PVDC or Alu-Alu) at up to 300 blisters/min, or HDPE bottle filling and capping at 200 bottles/min. 100% in-line vision inspection for blister seal integrity, missing tablets, and foreign particles. Secondary packaging: cartoning, batch printing (lot, expiry, GTIN), and 2D DataMatrix serialisation with camera verification. Aggregation to case and pallet. Serialisation data transmission to EU FMD/DSCSA repository. Reject stations for serialisation failures (< 0.5% reject rate). Interfaces: coated tablets from film coater, serialisation data to Drug Serialisation System. |
| PAT Batch Diversion Valve Assembly | D7F77018 | Pneumatically-actuated 3-way diversion valve positioned at the tablet press output chute, downstream of the NIR probe. On CQA limit exceedance signal, redirects in-specification product to the accepted stream and out-of-specification product to a sealed reject container. Spring-return-to-reject fail-safe design: loss of pneumatic supply or signal causes diversion to reject stream (safe state). Position feedback via dual limit switches confirmed within 500ms of actuation command. SIL-3 safety function per H-004. |
| PAT CQA Model Engine | 51A73318 | Chemometric model execution engine within the PAT subsystem of a pharmaceutical manufacturing line. Runs PLS (content uniformity), PCA (blend homogeneity), and correlation (particle size) models on NIR, Raman, and laser diffraction spectra. Must evaluate all models within 5 seconds of data acquisition. Uses SHA-256 signed model files with version registry. SIL 3 safety function: incorrect model output can release out-of-specification product (H-004). |
| PAT Data Acquisition and Processing Workstation | D0E57018 | Industrial PC workstation running the PAT software suite (e.g., Thermo Unscrambler, SIMCA). Hosts all chemometric PLS models for NIR, Raman, and laser diffraction sensors. Executes model predictions in <2 seconds from spectrum acquisition, generates CQA alarm signals to MES via OPC-UA, logs all spectra and predictions to a validated SQL database. Redundant power supply, RAID-1 storage, connected to OT network (ISA-99 Zone 3). SIL-3 model execution integrity enforced via checksum validation on model file hashes. |
| PAT Laser Diffraction Analyser | 54C42018 | On-line laser diffraction particle size analyser installed at the fluid-bed dryer outlet. Measures granule particle size distribution (D50, D90, span) in the 1–3500 µm range using Fraunhofer/Mie diffraction theory. Samples granule stream via a dry dispersion accessory at 0.5 bar. Provides 60-second measurement cycle results to PAT workstation. Calibrated quarterly against NIST-traceable reference materials (glass beads, lactose). Informs granulation endpoint determination. |
| PAT NIR Spectrometer | D4E53218 | Inline near-infrared spectrometer probing the tablet stream inside the rotary press exit chute. Acquires diffuse reflectance spectra in the 900–2500 nm range every 30 seconds during compression, providing API content uniformity prediction via partial least squares (PLS) chemometric model. Temperature-stabilised housing (±0.5°C) with built-in reference standard for automated wavelength verification. Interfaces to PAT Data Acquisition Computer via USB3/Ethernet. SIL-3 rated diversion function relies on this data. |
| PAT Raman Spectrometer | D4E41018 | Immersion-probe Raman spectrometer positioned in the fluid-bed granulator and blender for in-situ polymorphic form and API blend uniformity monitoring. 785 nm excitation laser, 200–3200 cm⁻¹ range. Calibrated against certified reference standards quarterly. Provides redundant content uniformity confirmation when NIR signal is ambiguous. Interfaces to PAT Data Acquisition Computer via RS-232/USB. Has independent SIL-3 model evaluation path. |
| PAT Sensor Drift Degraded Operation Scenario | 00000200 | Degraded operation scenario: NIR probe calibration drifts during production, requiring fallback to manual sampling |
| Patient receiving manufactured medication | 00000011 | End user of the pharmaceutical product. Has no direct interaction with the manufacturing system but is the ultimate stakeholder whose safety drives all quality requirements. Includes vulnerable populations: paediatric, geriatric, immunocompromised, and patients on narrow therapeutic index drugs. Represented in the system through product quality specifications and pharmacovigilance feedback. |
| Pharmaceutical dust explosion hazard | 42000051 | Hazard in Pharmaceutical Manufacturing Line during granulation, milling, or tablet compression: fine organic powder (API or excipient) accumulates in enclosed equipment at concentration exceeding lower explosive limit (LEL). Ignition source (static discharge, hot bearing, mechanical spark) triggers deflagration. Pharmaceutical powders typically have Kst values of 50-200 bar·m/s and MIE of 1-100mJ. Consequence: equipment destruction, operator burn injuries or fatality, facility damage. |
| Pharmaceutical Equipment Maintenance Technician | 000420F8 | Skilled technician responsible for preventive and corrective maintenance of tablet presses, granulators, coating equipment, and packaging lines. Performs LOTO, tooling changes, instrument calibration, and equipment qualification. Must work in cleanroom environment and follow GMP documentation requirements. |
| Pharmaceutical Manufacturing Line | 55F73A59 | Automated continuous pharmaceutical manufacturing line for oral solid dosage forms (tablets/capsules). Operates in a GMP-compliant cleanroom environment (ISO Class 7/8). Encompasses raw material dispensing, granulation/blending, tablet compression or capsule filling, coating, in-process quality control (NIR spectroscopy, weight/hardness testing), packaging, and serialisation. Must comply with FDA 21 CFR Parts 210/211, EU GMP Annex 15, and ICH Q8-Q12 guidelines. Produces 100,000–500,000 dosage units per batch with real-time release testing capability. Safety concerns include potent compound containment (OEL <1µg/m³ for some APIs), dust explosion prevention, and cross-contamination control between product changeovers. |
| Pharmaceutical regulatory compliance framework | 40853AD9 | Regulatory constraints on the pharmaceutical manufacturing line from multiple authorities: FDA 21 CFR Parts 210/211 (cGMP), 21 CFR Part 11 (electronic records), EU GMP Annex 15 (qualification and validation), ICH Q8 (pharmaceutical development), ICH Q9 (quality risk management), ICH Q10 (pharmaceutical quality system), ICH Q12 (lifecycle management). ISPE GAMP 5 for computerised system validation. Product-specific constraints from marketing authorisations filed with FDA, EMA, PMDA, and national authorities. |
| Pharmaceutical utilities systems | 54C51058 | Building utility systems external to the manufacturing line: HVAC providing conditioned air to cleanrooms, purified water system (USP grade) for cleaning and granulation, clean steam for sterilisation-in-place, compressed air (ISO 8573-1 Class 1.2.1) for pneumatic actuators and product contact, nitrogen supply for inerting. These are shared building systems serving multiple manufacturing suites. |
| Potent Compound Containment Breach Emergency Scenario | 00800A51 | Emergency scenario: containment breach during high-potency API processing triggers full emergency response |
| Potent Compound Isolator | DE851058 | Pharmaceutical-grade hard-shell containment isolator for handling OEB 4/5 compounds (OEL < 1 µg/m³) during weighing and dispensing operations. Provides closed, glove-port access with continuous negative pressure isolation (-12.5 Pa minimum inward airflow, 0.5 m/s minimum at access openings per SYS-REQ-004). H14 HEPA filtered supply and dedicated exhaust with downstream scrubbing. Integrated rapid transfer port (RTP) for material transfer without exposing operators to potent API dust. Monitored by Containment Safety PLC for pressure integrity. Physical boundary between operator and potent compound per ISPE Good Practice Guide for Handling Highly Potent Compounds. |
| Preventive Maintenance mode of Pharmaceutical Manufacturing Line | 40843A58 | Scheduled or corrective maintenance mode. Equipment is isolated per lockout/tagout (LOTO) procedures. Maintenance activities include: tablet press tooling changes (every 1-5M tablets), compression roll replacement, filter changes, instrument calibration (pressure, temperature, weight, NIR), conveyor belt replacement, and software/firmware updates to PLCs and PAT systems. Some maintenance requires cleanroom re-qualification afterward. Maintenance is tracked in a computerised maintenance management system (CMMS) and must be reconciled with batch records for any in-campaign interventions. |
| Process Analytical Technology Subsystem | 55F77A18 | Real-time in-process quality monitoring subsystem for the pharmaceutical manufacturing line. Integrates NIR (near-infrared) spectrometer for API content uniformity and moisture monitoring during blending and drying, Raman spectrometer for API identity and polymorphic form verification, and laser diffraction for granule particle size distribution. Embedded chemometric models (PLS, PCA) evaluate CQA compliance in real time. Interfaces: sensor data from granulation, blend, and tablet press; model outputs to MES for batch diversion decisions; model calibration data from LIMS. Safety-critical function: automatic divert valve actuation when CQA limit breached. |
| process control system | D7FF7018 | Process control system: physically installed PLC-based control system in a pharmaceutical manufacturing line. Consists of physical hardware: PLC cabinets (Siemens S7 or equivalent), DCS workstations, physical I/O modules, control panels, HMI touchscreens, and instrument loops. The PLC hardware is housed in electrical panels in the plant utility area. Physical footprint ~2m² of panel space. Consumes 24 VDC power. Connected to sensors and actuators by physical field wiring. A tangible piece of electrical equipment installed in the facility. |
| Process Material | 44A53258 | System function of Pharmaceutical Manufacturing Line: receive, identity-verify (barcode/RFID), weigh, and dispense raw materials (API and excipients) to the production line. Inputs: raw material containers with lot-level identity, bill of materials from ERP. Outputs: verified, weighed material charges in clean containers ready for granulation. Constraints: must maintain full lot traceability, operate under laminar flow in ISO 7 weigh booth, prevent cross-contamination between lots. |
| Product Changeover Cleaning Validation Scenario | 00802A59 | Maintenance/changeover scenario: full product changeover between a cytotoxic compound and a standard NSAID, requiring enhanced cleaning validation |
| Production Supervisor | 018D5AF9 | Senior manufacturing role responsible for shift operations on the pharmaceutical manufacturing line. Initiates batch records, authorises line startup, manages operator team, makes real-time decisions on production deviations, and is accountable for OEE targets (>70%). Reports to Plant Manager. |
| Punch and Die Tooling Set | CE851058 | Interchangeable precision tooling for the rotary tablet press: upper punches, lower punches, and dies. Manufactured to EU/ISO tablet specifications (D, B, BB tooling). Material: hardened S7 or D3 tool steel, chrome-coated for corrosive compounds. Each station tracked by RFID tag for usage count (max 500,000 compressions before mandatory replacement). Worn or damaged tooling causes weight variation, capping/lamination, or metal contamination. Failure mode: punch tip fracture lodging in die bore. |
| Quality Control Analyst | 008D3AF9 | Laboratory and in-process quality role for the pharmaceutical manufacturing line. Reviews PAT data in real-time, performs offline HPLC/dissolution testing, executes cleaning validation sampling, approves real-time release decisions. Must comply with 21 CFR Part 211 laboratory controls. Reports to QA Manager. |
| Rotary Tablet Press | D6D51018 | High-speed multi-station rotary tablet press. 36-72 punch stations, 30-120 RPM turret speed, throughput 100,000-500,000 tabs/hr. Compression force 5-80 kN (upper and lower punches independently monitored). Fill depth and pre-compression/main compression adjustable via servo drives. Integrated containment housing for OEB3+ (negative pressure, local exhaust ventilation). Safety interlocks: guard door, torque overload (300 Nm cutoff), emergency stop. Feeds directly from IBC Blender via contained transfer chute. |
| Startup and Line Qualification mode of Pharmaceutical Manufacturing Line | 40953A58 | Initial startup mode where the manufacturing line undergoes equipment qualification (IQ/OQ/PQ), process validation runs, and cleaning validation before being released for commercial production. Operators execute predefined qualification protocols, instruments are calibrated against NIST-traceable standards, and environmental monitoring confirms cleanroom classification. Entry: new installation or post-major-maintenance. Exit: all qualification protocols pass acceptance criteria and QA signs off. |
| Tablet Compression Containment Housing | CE851858 | Sealed enclosure surrounding the tablet press turret and die table. Maintains negative pressure (-15 Pa relative to cleanroom) to contain pharmaceutical dust. Local exhaust ventilation at 1.5 m³/min connected to HEPA filtration. Interlocked guard doors: press cannot run with any guard open. Instrumented: differential pressure transmitter triggers alarm at >-10 Pa (loss of containment). Designed for OEB3 potent compounds (OEL 1-10 µg/m³). Complies with ISPE Baseline Guide for Containment. |
| tablet compression subsystem | DEC51018 | Physical manufacturing subsystem comprising a Rotary Tablet Press, Tablet In-Process Control (IPC) sampling station, and tooling management system. Receives granule-filled IBCs and produces compressed tablets at 60 RPM (120 RPM max). Physical dimensions of 2m x 1.5m x 2m, weighing approximately 2000 kg. Contains rotating mechanical components (turret, compression rolls, feed frame) requiring physical safety interlocks and LOTO provisions. Interfaces physically with conveyors, sampling systems, and downstream packaging. |
| Tablet Compression Subsystem | 54E51018 | Multi-station rotary tablet press subsystem for pharmaceutical oral solid dosage manufacturing. Compresses final blend into tablets at rates up to 500,000 tablets/hour. Turret with up to 75 stations; upper and lower punches apply compression force of 5-50 kN. In-line tablet inspection integrates 100% weight check (±0.5% individual; ±5% mean), hardness measurement (Schleuniger), and thickness measurement. Automatic rejection of out-of-specification tablets via pneumatic ejector. Major interfaces: blend reception from granulation, tablet transfer to film coating, IPC data to PAT subsystem, OEE data to MES. |
| Tablet In-Process Control System | 55F77A18 | Automated in-process control (IPC) system integrated with the rotary tablet press. Samples every 30th tablet. Measures: weight (±2mg, USP <905> tolerances), hardness (Newton, target 80-120N), thickness (±0.1mm), friability proxy. Communicates with press servo to adjust fill depth and compression force in closed-loop. Outputs: OPC-UA data stream to PAT workstation and MES. Rejects individual out-of-spec tablets via pneumatic diverter on ejection track. |
| Tablet press mechanical entrapment hazard | 40000011 | Hazard in Pharmaceutical Manufacturing Line during maintenance or production: operator hand or finger drawn into rotary tablet press turret, compression rollers, or granulator impeller. Tablet presses operate at 40-100 RPM with compression forces of 5-100 kN. Consequence: crush injury, amputation, or fatality. Most common during turret cleaning, tooling changeover, or clearing tablet press jam while machine is energised. |
| Tablet Press Mechanical Jam Failure Scenario | 40000210 | Equipment failure scenario: tablet press jams during production requiring maintenance intervention with safety protocols |

| Component | Belongs To |
|---|---|
| Material Handling and Dispensing Subsystem | Pharmaceutical Manufacturing Line |
| Granulation and Blending Subsystem | Pharmaceutical Manufacturing Line |
| Tablet Compression Subsystem | Pharmaceutical Manufacturing Line |
| Process Analytical Technology Subsystem | Pharmaceutical Manufacturing Line |
| Film Coating Subsystem | Pharmaceutical Manufacturing Line |
| Manufacturing Execution System | Pharmaceutical Manufacturing Line |
| Containment and Environmental Control Subsystem | Pharmaceutical Manufacturing Line |
| Packaging and Serialisation Subsystem | Pharmaceutical Manufacturing Line |
| PAT NIR Spectrometer | Process Analytical Technology Subsystem |
| PAT Raman Spectrometer | Process Analytical Technology Subsystem |
| PAT Batch Diversion Valve Assembly | Process Analytical Technology Subsystem |
| PAT Data Acquisition and Processing Workstation | Process Analytical Technology Subsystem |
| PAT Laser Diffraction Analyser | Process Analytical Technology Subsystem |
| PAT CQA Model Engine | Process Analytical Technology Subsystem |
| MES LOTO Registry Module | Manufacturing Execution System |
| MES Electronic Signature Controller | Manufacturing Execution System |
| MES Hash Chain Integrity Engine | Manufacturing Execution System |
| MES Electronic Batch Record Engine | Manufacturing Execution System |
| High Shear Granulator | Granulation and Blending Subsystem |
| Fluid Bed Dryer | Granulation and Blending Subsystem |
| Granule Sizing Mill | Granulation and Blending Subsystem |
| IBC Blender | Granulation and Blending Subsystem |
| Rotary Tablet Press | Tablet Compression Subsystem |
| Tablet In-Process Control System | Tablet Compression Subsystem |
| Punch and Die Tooling Set | Tablet Compression Subsystem |
| Tablet Compression Containment Housing | Tablet Compression Subsystem |
| HVAC Air Handling Unit | Containment and Environmental Control Subsystem |
| Containment Safety PLC | Containment and Environmental Control Subsystem |
| Environmental Monitoring System | Containment and Environmental Control Subsystem |
| Potent Compound Isolator | Containment and Environmental Control Subsystem |
| Differential Pressure Monitoring Controller | Containment and Environmental Control Subsystem |
| Exhaust Air Treatment Unit | Containment and Environmental Control Subsystem |

| From | To |
|---|---|
| PAT NIR Spectrometer | PAT Data Acquisition and Processing Workstation |
| PAT Raman Spectrometer | PAT Data Acquisition and Processing Workstation |
| PAT Laser Diffraction Analyser | PAT Data Acquisition and Processing Workstation |
| PAT Data Acquisition and Processing Workstation | Manufacturing Execution System |
| PAT Data Acquisition and Processing Workstation | PAT Batch Diversion Valve Assembly |
| Tablet In-Process Control System | PAT Data Acquisition and Processing Workstation |
| Tablet In-Process Control System | Manufacturing Execution System |
| Tablet In-Process Control System | PAT CQA Model Engine |
| Tablet Compression Subsystem | Manufacturing Execution System |
| Containment Safety PLC | HVAC Air Handling Unit |
| Containment Safety PLC | Environmental Monitoring System |
| Differential Pressure Monitoring Controller | HVAC Air Handling Unit |
| Environmental Monitoring System | Manufacturing Execution System |

| Component | Output |
|---|---|
| PAT NIR Spectrometer | diffuse reflectance spectra 900-2500nm at 30s intervals |
| PAT Raman Spectrometer | Raman spectra 200-3200 cm⁻¹ for blend uniformity |
| PAT Batch Diversion Valve Assembly | physical stream diversion to reject container |
| PAT Data Acquisition and Processing Workstation | CQA predictions and OPC-UA alarm signals to MES |
| PAT Laser Diffraction Analyser | particle size distribution D50/D90/span at 60s intervals |
| High Shear Granulator | wet granule mass with controlled PSD endpoint |
| Fluid Bed Dryer | dried granules at target LOD for milling |
| Granule Sizing Mill | sized granules with D90 <500 µm for compression |
| IBC Blender | blended granule batch at target content uniformity for compression |
| Rotary Tablet Press | compressed tablets at target weight/hardness/thickness |
| Tablet In-Process Control System | weight/hardness/thickness measurements and individual tablet rejection signals |
| Tablet Compression Containment Housing | negative pressure containment zone and exhaust airflow to HEPA |
| HVAC Air Handling Unit | conditioned supply air at 20±2°C, 45±5% RH, 20 ACH minimum |
| Containment Safety PLC | SIL-2 safety function outputs: HVAC damper control, alarm, E-stop |
| Environmental Monitoring System | GxP environmental data records embedded in EBR via OPC UA |
| Differential Pressure Monitoring Controller | room differential pressure control and excursion alarms |

| Source | Target | Type | Description |
|---|---|---|---|
| REQ-SEPHARMAMANUFACTURING-019 | SUB-REQ-066 | derives | SYS-REQ-006 60s alarm response → SUB EMS alarm transmission |
| REQ-SEPHARMAMANUFACTURING-017 | SUB-REQ-064 | derives | SYS-REQ-004 negative pressure isolation → SUB pressure cascade |
| SYS-REQ-022 | SUB-REQ-068 | derives | SYS-REQ-022 ISO 7 cleanroom requirement → SUB particle count monitoring |
| SYS-REQ-022 | SUB-REQ-063 | derives | SYS-REQ-022 GMP cleanroom specification → SUB HVAC supply air conditions |
| SYS-REQ-013 | SUB-REQ-065 | derives | SYS-REQ-013 OEL maintenance → SUB containment safe state response |
| SYS-REQ-022 | SUB-REQ-062 | derives | Cleanroom facility requirement implemented by environmental sensor installation in each bay |
| SYS-REQ-025 | SUB-REQ-062 | derives | System-level sensor installation requirement decomposed to environmental control subsystem |
| SYS-REQ-023 | SUB-REQ-061 | derives | System override requirement derived to MES E-STOP workstation override |
| SYS-REQ-023 | SUB-REQ-058 | derives | System override capability derived to PAT subsystem CQA override implementation |
| SYS-REQ-022 | SUB-REQ-059 | derives | Facility installation requirement decomposed to granulation bay sub-specification |
| REQ-SEPHARMAMANUFACTURING-025 | ARC-REQ-004 | derives | SYS-REQ-012 in-process rejection requirements drive tablet compression decomposition |
| REQ-SEPHARMAMANUFACTURING-014 | ARC-REQ-003 | derives | SYS-REQ-001 throughput requirements drive linear G&B process train topology |
| REQ-SEPHARMAMANUFACTURING-015 | ARC-REQ-002 | derives | SYS-REQ-002 EBR integrity requirements drive MES five-module decomposition |
| REQ-SEPHARMAMANUFACTURING-016 | ARC-REQ-001 | derives | SYS-REQ-003 PAT requirements drive three-instrument PAT decomposition architecture |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-031 | derives | SYS-REQ-003 PAT response time requirements derive hardware architecture constraint SUB-REQ-031 |
| REQ-SEPHARMAMANUFACTURING-015 | SUB-REQ-029 | derives | Punch RFID tooling tracking derives from EBR system requirement |
| REQ-SEPHARMAMANUFACTURING-022 | SUB-REQ-030 | derives | IPC degraded mode operation derives from system-level degraded production requirement |
| REQ-SEPHARMAMANUFACTURING-017 | SUB-REQ-028 | derives | SYS OEL pressure isolation derives to SUB containment housing setpoint |
| REQ-SEPHARMAMANUFACTURING-024 | SUB-REQ-027 | derives | SYS LOTO enforcement derives to SUB tablet press guard interlock |
| REQ-SEPHARMAMANUFACTURING-025 | SUB-REQ-026 | derives | IPC fill-depth servo feedback derives from automated quality enforcement |
| REQ-SEPHARMAMANUFACTURING-025 | SUB-REQ-025 | derives | SYS tablet rejection derives to SUB punch force monitoring |
| REQ-SEPHARMAMANUFACTURING-022 | SUB-REQ-024 | derives | SYS-REQ-009 degraded mode derives to quantified PAT sensor-degraded performance floor |
| REQ-SEPHARMAMANUFACTURING-014 | SUB-REQ-018 | derives | FBD temperature control implements CPP control for drying step in production sequence |
| REQ-SEPHARMAMANUFACTURING-017 | SUB-REQ-023 | derives | G&B containment implements negative pressure isolation at transfer points |
| REQ-SEPHARMAMANUFACTURING-022 | SUB-REQ-022 | derives | G&B degraded blend mode is the G&B-specific implementation of PAT degraded mode |
| REQ-SEPHARMAMANUFACTURING-020 | SUB-REQ-021 | derives | Mass balance accountability implements batch genealogy tracking at G&B level |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-020 | derives | IBC NIR blend endpoint integrates PAT data acquisition into blend control |
| REQ-SEPHARMAMANUFACTURING-014 | SUB-REQ-019 | derives | Sizing Mill PSD implements granule sizing step in production sequence |
| REQ-SEPHARMAMANUFACTURING-014 | SUB-REQ-017 | derives | FBD LOD drying endpoint implements drying step in production sequence |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-016 | derives | PAT NIR wet-mass endpoint integrates G&B endpoint detection with PAT subsystem |
| REQ-SEPHARMAMANUFACTURING-014 | SUB-REQ-016 | derives | Granulation endpoint detection implements production sequence step control |
| REQ-SEPHARMAMANUFACTURING-020 | SUB-REQ-013 | derives | SYS batch genealogy → SUB MES genealogy database with multi-dimensional query |
| REQ-SEPHARMAMANUFACTURING-024 | SUB-REQ-012 | derives | SYS LOTO event logging → SUB MES LOTO event recording in EBR |
| REQ-SEPHARMAMANUFACTURING-024 | SUB-REQ-011 | derives | SYS electronic lockout → SUB MES real-time lockout registry with restart prevention |
| REQ-SEPHARMAMANUFACTURING-015 | SUB-REQ-014 | derives | SYS EBR 15-minute backup → SUB MES automated backup with integrity verification |
| REQ-SEPHARMAMANUFACTURING-015 | SUB-REQ-010 | derives | SYS EBR cryptographic hash → SUB MES SHA-256 hash chain with discontinuity detection |
| REQ-SEPHARMAMANUFACTURING-015 | SUB-REQ-009 | derives | SYS EBR compliance derives to SUB MES audit trail |
| REQ-SEPHARMAMANUFACTURING-015 | SUB-REQ-008 | derives | SYS EBR electronic signatures → SUB MES 21 CFR Part 11 e-signature enforcement |
| REQ-SEPHARMAMANUFACTURING-022 | SUB-REQ-006 | derives | SYS degraded-mode manual sampling → SUB PAT degraded mode with 15-minute sampling prompts |
| REQ-SEPHARMAMANUFACTURING-022 | SUB-REQ-005 | derives | SYS degraded-mode transition → SUB sensor self-diagnostics and 15-second detection |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-001 | derives | SYS PAT data acquisition derives to SUB NIR spectrometer spec |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-004 | derives | SYS diversion actuation → SUB diversion valve with position feedback |
| REQ-SEPHARMAMANUFACTURING-016 | SUB-REQ-003 | derives | SYS PAT model evaluation timing → SUB CQA model evaluation with integrity checks |
| REQ-SEPHARMAMANUFACTURING-015 | IFC-REQ-011 | derives | TC-to-MES batch record write derives from electronic batch record system requirement |
| REQ-SEPHARMAMANUFACTURING-016 | IFC-REQ-010 | derives | IPC-to-PAT OPC-UA interface derives from system PAT data acquisition requirement |
| REQ-SEPHARMAMANUFACTURING-022 | IFC-REQ-009 | derives | SYS-REQ-009 degraded mode requirement derives to quantified MES-PAT degraded mode interface |
| REQ-SEPHARMAMANUFACTURING-020 | IFC-REQ-008 | derives | IBC sealed handoff implements batch genealogy chain at G&B-to-compression boundary |
| REQ-SEPHARMAMANUFACTURING-020 | IFC-REQ-004 | derives | SYS batch genealogy → IFC PAT CQA data stream to MES for process parameter logging |
| REQ-SEPHARMAMANUFACTURING-022 | IFC-REQ-005 | derives | SYS degraded-mode manual sampling → IFC MES-to-PAT manual sampling schedule command |
| REQ-SEPHARMAMANUFACTURING-022 | IFC-REQ-002 | derives | SYS degraded-mode transition → IFC sensor health status reporting interface |
| REQ-SEPHARMAMANUFACTURING-016 | IFC-REQ-001 | derives | SYS PAT acquisition and diversion → IFC CQA alarm signal specification |
| REQ-SEPHARMAMANUFACTURING-006 | SYS-REQ-030 | derives | STK-REQ-006 GMP compliance derives SYS-REQ-030 PCS cybersecurity |
| REQ-SEPHARMAMANUFACTURING-005 | SYS-REQ-029 | derives | Emergency stop includes dust explosion as triggering event |
| REQ-SEPHARMAMANUFACTURING-004 | SYS-REQ-029 | derives | Containment integrity drives dust explosion prevention |
| REQ-SEPHARMAMANUFACTURING-006 | SYS-REQ-022 | derives | STK GMP compliance derives to SYS GMP facility requirement |
| REQ-SEPHARMAMANUFACTURING-008 | REQ-SEPHARMAMANUFACTURING-023 | derives | STK drug serialisation need derives to SYS DataMatrix barcoding |
| REQ-SEPHARMAMANUFACTURING-007 | REQ-SEPHARMAMANUFACTURING-021 | derives | STK product changeover validation derives to SYS cleaning guidance |
| REQ-SEPHARMAMANUFACTURING-011 | REQ-SEPHARMAMANUFACTURING-019 | derives | STK cleanroom conditions need derives to SYS cleanroom monitoring |
| REQ-SEPHARMAMANUFACTURING-010 | REQ-SEPHARMAMANUFACTURING-020 | derives | STK material traceability need derives to SYS batch genealogy |
| REQ-SEPHARMAMANUFACTURING-009 | REQ-SEPHARMAMANUFACTURING-022 | derives | STK sensor degradation tolerance derives to SYS degraded-mode IPC |
| REQ-SEPHARMAMANUFACTURING-001 | SYS-REQ-017 | derives | STK OEE 75% target derives to SYS OEE monitoring |
| REQ-SEPHARMAMANUFACTURING-013 | REQ-SEPHARMAMANUFACTURING-025 | derives | STK pharmacopoeial compliance derives to SYS tablet rejection |
| REQ-SEPHARMAMANUFACTURING-003 | REQ-SEPHARMAMANUFACTURING-016 | derives | STK PAT monitoring need derives to SYS PAT data acquisition |
| REQ-SEPHARMAMANUFACTURING-002 | REQ-SEPHARMAMANUFACTURING-015 | derives | STK EBR compliance need derives to SYS EBR generation |
| REQ-SEPHARMAMANUFACTURING-012 | REQ-SEPHARMAMANUFACTURING-024 | derives | STK LOTO need derives to SYS electronic LOTO enforcement |
| REQ-SEPHARMAMANUFACTURING-005 | REQ-SEPHARMAMANUFACTURING-018 | derives | STK emergency stop need derives to SYS emergency stop response |
| REQ-SEPHARMAMANUFACTURING-004 | REQ-SEPHARMAMANUFACTURING-017 | derives | STK OEL containment derives to SYS negative pressure isolation |
| REQ-SEPHARMAMANUFACTURING-006 | REQ-SEPHARMAMANUFACTURING-015 | derives | EU GMP Annex 11 EBR compliance obligation drives SYS EBR generation requirement |
| REQ-SEPHARMAMANUFACTURING-006 | REQ-SEPHARMAMANUFACTURING-015 | derives | Regulatory compliance requirement derives EBR system requirement |
| REQ-SEPHARMAMANUFACTURING-013 | REQ-SEPHARMAMANUFACTURING-025 | derives | Pharmacopoeial tablet specification compliance drives automated in-process rejection with defined tolerances |
| REQ-SEPHARMAMANUFACTURING-012 | REQ-SEPHARMAMANUFACTURING-024 | derives | LOTO safety requirement drives system-enforced electronic lockout registry with restart prevention |
| REQ-SEPHARMAMANUFACTURING-008 | REQ-SEPHARMAMANUFACTURING-023 | derives | DSCSA/EU FMD serialisation mandate drives automated DataMatrix barcode application requirement |
| REQ-SEPHARMAMANUFACTURING-009 | REQ-SEPHARMAMANUFACTURING-022 | derives | Degraded-mode production continuity drives PAT fallback to manual in-process testing specification |
| REQ-SEPHARMAMANUFACTURING-007 | REQ-SEPHARMAMANUFACTURING-021 | derives | Validated changeover and cross-contamination limit drives system-guided cleaning verification requirement |
| REQ-SEPHARMAMANUFACTURING-010 | REQ-SEPHARMAMANUFACTURING-020 | derives | Bidirectional material traceability requirement drives batch genealogy database with complete linkage |
| REQ-SEPHARMAMANUFACTURING-011 | REQ-SEPHARMAMANUFACTURING-019 | derives | ISO Class 7 GMP cleanroom specification drives continuous environmental monitoring with alarm thresholds |
| REQ-SEPHARMAMANUFACTURING-005 | REQ-SEPHARMAMANUFACTURING-018 | derives | Emergency stop safety need drives controlled de-energisation time limit and ordered shutdown |
| REQ-SEPHARMAMANUFACTURING-004 | REQ-SEPHARMAMANUFACTURING-017 | derives | OEB 4/5 potent compound containment drives active negative-pressure enclosure requirement |
| REQ-SEPHARMAMANUFACTURING-003 | REQ-SEPHARMAMANUFACTURING-016 | derives | PAT real-time QA monitoring need drives multi-modal sensor acquisition and CQA model evaluation |
| REQ-SEPHARMAMANUFACTURING-002 | REQ-SEPHARMAMANUFACTURING-015 | derives | 21 CFR Part 11 EBR compliance mandate drives system-level EBR generation and archival |
| REQ-SEPHARMAMANUFACTURING-001 | REQ-SEPHARMAMANUFACTURING-014 | derives | OEE target drives full-sequence production orchestration requirement |

| Verification | Requirement | Type | Description |
|---|---|---|---|
| VER-REQ-024 | SUB-REQ-027 | verifies | VER-REQ-024 verifies tablet press guard interlock and LOTO restart prevention SUB-REQ-027 |
| VER-109 | SUB-REQ-065 | verifies | SUB-REQ-065 safe state transition → VER-109 30-second response test |
| VER-108 | SUB-REQ-063 | verifies | SUB-REQ-063 HVAC cleanroom conditions → VER-108 FAT acceptance test |
| VER-114 | SUB-REQ-064 | verifies | SUB-REQ-064 pressure cascade → VER door disturbance test |
| VER-REQ-001 | SUB-REQ-003 | verifies | CQA model evaluation timing test |
| VER-REQ-002 | SUB-REQ-004 | verifies | Diversion valve actuation time and fail-safe test |
| VER-REQ-003 | SUB-REQ-005 | verifies | Sensor degradation detection test |
| VER-REQ-006 | SUB-REQ-008 | verifies | 21 CFR Part 11 e-signature enforcement test |
| VER-REQ-007 | SUB-REQ-011 | verifies | LOTO restart prevention test |
| VER-REQ-008 | SUB-REQ-010 | verifies | SHA-256 hash chain tamper detection test |
| VER-REQ-010 | SUB-REQ-002 | verifies | Raman spectrometer OQ performance test |
| VER-REQ-011 | SUB-REQ-007 | verifies | Laser diffraction OQ particle size accuracy test |
| VER-REQ-012 | SUB-REQ-015 | verifies | Paper backup fallback demonstration on integrity failure |
| VER-REQ-015 | SUB-REQ-016 | verifies | End-to-end G&B cycle test verifies HSG endpoint detection as first criterion |
| VER-REQ-015 | SUB-REQ-017 | verifies | End-to-end G&B cycle test verifies FBD LOD drying endpoint |
| VER-REQ-019 | SUB-REQ-009 | verifies | VER-REQ-019 verifies MES tamper-evident audit trail |
| VER-REQ-020 | SUB-REQ-020 | verifies | VER-REQ-020 verifies IBC Blender blend uniformity RSD criterion |
| VER-REQ-021 | SUB-REQ-001 | verifies | VER-REQ-021 verifies NIR spectrometer spectral acquisition parameters |
| VER-REQ-023 | SUB-REQ-024 | verifies | VER-REQ-023 verifies quantified PAT sensor-degraded performance floor |
| VER-REQ-023 | SUB-REQ-006 | verifies | PAT channel-degraded CQA suspension verified by induced degradation test |
| VER-REQ-007 | SUB-REQ-012 | verifies | LOTO event logging verified as part of LOTO registry and restart-prevention test |
| VER-REQ-016 | SUB-REQ-013 | verifies | MES batch genealogy recording verified by end-of-cycle genealogy record inspection |
| VER-REQ-012 | SUB-REQ-014 | verifies | EBR backup and recovery capability verified as part of data integrity failure simulation |
| VER-REQ-015 | SUB-REQ-018 | verifies | FBD temperature control tolerance verified within end-to-end G&B cycle test |
| VER-REQ-015 | SUB-REQ-019 | verifies | Granule sizing D90 limit verified within end-to-end G&B cycle IPC measurements |
| VER-REQ-016 | SUB-REQ-021 | verifies | G&B step-mass recording verified by post-cycle batch genealogy record inspection |
| VER-REQ-022 | SUB-REQ-022 | verifies | PAT NIR blend-endpoint unavailability fallback verified by degraded-mode transition test |
| VER-REQ-015 | SUB-REQ-023 | verifies | G&B containment under OEB 3 potency conditions verified within end-to-end cycle test |
| VER-REQ-024 | SUB-REQ-027 | verifies | Guard door LOTO interlock test verifies SUB-REQ-027 |
| VER-REQ-025 | SUB-REQ-028 | verifies | Containment pressure test verifies SUB-REQ-028 |
| VER-REQ-102 | SUB-REQ-062 | verifies | Inspection protocol for environmental sensor installation commissioning |
| VER-REQ-101 | SUB-REQ-061 | verifies | Test verification of MES watchdog timer and E-STOP safety functions |
| VER-REQ-100 | SUB-REQ-060 | verifies | Test verification of PCS power supply and UPS performance |
| VER-REQ-099 | SUB-REQ-059 | verifies | Inspection verification of granulation bay installation standards |
| VER-REQ-098 | SUB-REQ-058 | verifies | PAT autonomy override mechanism test (IEC 61508 Functional Autonomy Safety Constraint) |
| VER-REQ-083 | SUB-REQ-056 | verifies | MES batch review package and QA sign-off workflow |
| VER-REQ-082 | SUB-REQ-055 | verifies | LIMS sample request receipt within MES 30-minute SLA |
| VER-REQ-081 | SUB-REQ-054 | verifies | Packaging vision inspection 100 percent coverage |
| VER-REQ-079 | SUB-REQ-052 | verifies | Tablet Compression metal detection per-tablet check |
| VER-REQ-076 | SUB-REQ-049 | verifies | CEC continuous air monitoring frequency and data logging |
| VER-REQ-074 | SUB-REQ-047 | verifies | Degraded Production mode batch quarantine and QA release gate |
| VER-REQ-073 | SUB-REQ-044 | verifies | Startup mode entry criteria and production mode gate |
| VER-REQ-072 | SUB-REQ-043 | verifies | MES server hardware rack and environmental controls |
| VER-REQ-070 | SUB-REQ-041 | verifies | Film Coating Subsystem 400V power supply |
| VER-REQ-069 | SUB-REQ-040 | verifies | Granulation and Blending Subsystem 400V power supply |
| VER-REQ-068 | SUB-REQ-039 | verifies | Tablet Compression Subsystem EPO power interruption response |
| VER-REQ-055 | SUB-REQ-026 | verifies | Tablet IPC system sampling rate at nominal press speed |
| VER-REQ-049 | SUB-REQ-013 | verifies | MES batch genealogy and material lineage tracking |
| VER-REQ-048 | SUB-REQ-006 | verifies | PAT subsystem degraded-mode NIR channel failure alert |
| VER-REQ-080 | SUB-REQ-053 | verifies | Dust explosion inerting and LEL monitoring (SIL-2 H-003) |
| VER-REQ-075 | SUB-REQ-048 | verifies | CEC airborne API concentration breach auto-response (SIL-2 H-001) |
| VER-REQ-071 | SUB-REQ-042 | verifies | CEC subsystem UPS power supply (SIL-2 H-001) |
| VER-REQ-066 | SUB-REQ-046 | verifies | Maintenance LOTO MES display enforcement (SIL-2 H-007) |
| VER-REQ-065 | SUB-REQ-045 | verifies | Emergency Stop mode exit criteria (SIL-2 H-001) |
| VER-REQ-064 | SUB-REQ-038 | verifies | MES watchdog timer EBR processing (SIL-2 H-006) |
| VER-REQ-054 | SUB-REQ-023 | verifies | OEB-3 containment during G&B operations (SIL-2 H-001) |
| VER-REQ-053 | SUB-REQ-021 | verifies | G&B mass balance recording (SIL-2 data integrity) |
| VER-REQ-052 | SUB-REQ-019 | verifies | Granule sizing mill PSD requirement (SIL-2) |
| VER-REQ-051 | SUB-REQ-018 | verifies | FBD inlet air temperature control (SIL-2) |
| VER-REQ-050 | SUB-REQ-017 | verifies | FBD LOD drying target (SIL-2 product quality) |
| VER-REQ-084 | SUB-REQ-057 | verifies | VER-REQ-084 verifies PAT audit log 30-day rolling archive integrity requirement (SIL-3 H-004) |
| VER-REQ-078 | SUB-REQ-051 | verifies | VER-REQ-078 verifies two-person independent verification for API dispensing (SIL-3 H-002) |
| VER-REQ-077 | SUB-REQ-050 | verifies | VER-REQ-077 verifies MES cleaning validation failure quarantine enforcement (SIL-3 H-002) |
| VER-REQ-067 | SUB-REQ-047 | verifies | VER-REQ-067 verifies the Degraded Production mode real-time release block (SIL-3 H-004) |
| VER-REQ-063 | SUB-REQ-037 | verifies | VER-REQ-063 verifies the PAT manual CQA override access control requirement (SIL-3) |
| VER-REQ-062 | SUB-REQ-036 | verifies | VER-REQ-062 verifies the PAT subsystem dedicated UPS power supply requirement (SIL-3 H-004) |
| VER-REQ-047 | SUB-REQ-031 | verifies | VER-REQ-047 verifies the SIL-3 HFT≥1 architectural redundancy requirement for PAT CQA evaluation |
| VER-REQ-015 | SUB-REQ-016 | verifies | VER-REQ-015 verifies complete G&B cycle from API charge to IBC seal meeting all CQA specifications |
| VER-REQ-025 | SUB-REQ-028 | verifies | VER-REQ-025 verifies tablet compression containment pressure differential and alarm response SUB-REQ-028 |
| VER-REQ-037 | SUB-REQ-012 | verifies | VER-037 verifies SUB-012 LOTO event logging completeness |
| VER-REQ-038 | SUB-REQ-014 | verifies | VER-038 verifies SUB-014 EBR backup interval and restore time |
| VER-REQ-039 | SUB-REQ-016 | verifies | VER-039 verifies SUB-016 HSG endpoint response timing |
| VER-REQ-040 | SUB-REQ-022 | verifies | VER-040 verifies SUB-022 PAT-unavailable degraded blend safety gate |
| VER-REQ-041 | SUB-REQ-025 | verifies | VER-041 verifies SUB-025 compression force rejection gate and timing |
| VER-REQ-042 | SUB-REQ-029 | verifies | VER-042 verifies SUB-029 RFID tooling lifecycle gate and read-failure block |
| VER-REQ-043 | SUB-REQ-030 | verifies | VER-043 verifies SUB-030 IPC degraded mode response across all three channel failures |
| VER-REQ-001 | SUB-REQ-003 | verifies | VER-REQ-001 verifies NIR model evaluation latency requirement SUB-REQ-003 |
| VER-REQ-002 | SUB-REQ-004 | verifies | VER-REQ-002 verifies diversion valve actuation time requirement SUB-REQ-004 |
| VER-REQ-003 | SUB-REQ-005 | verifies | VER-REQ-003 verifies sensor degradation detection requirement SUB-REQ-005 |
| VER-REQ-006 | SUB-REQ-008 | verifies | VER-REQ-006 verifies 21 CFR Part 11 authentication enforcement on EBR critical actions |
| VER-REQ-007 | SUB-REQ-011 | verifies | VER-REQ-007 verifies MES LOTO restart prevention requirement SUB-REQ-011 |
| VER-REQ-008 | SUB-REQ-010 | verifies | VER-REQ-008 verifies EBR hash chain integrity detection SUB-REQ-010 |
| VER-REQ-010 | SUB-REQ-002 | verifies | VER-REQ-010 verifies Raman spectrometer spectral range and resolution SUB-REQ-002 |
| VER-REQ-011 | SUB-REQ-007 | verifies | VER-REQ-011 verifies laser diffraction analyser accuracy and repeatability SUB-REQ-007 |
| VER-REQ-012 | SUB-REQ-015 | verifies | VER-REQ-012 verifies MES paper backup mode switchover on data integrity failure SUB-REQ-015 |
| VER-REQ-019 | SUB-REQ-009 | verifies | VER-REQ-019 verifies EBR tamper detection via direct DB modification SUB-REQ-009 |
| VER-REQ-020 | SUB-REQ-020 | verifies | VER-REQ-020 verifies IBC blend uniformity acceptance criterion SUB-REQ-020 |
| VER-REQ-021 | SUB-REQ-001 | verifies | VER-REQ-021 verifies NIR spectrometer spectral range and SNR in production simulation SUB-REQ-001 |
| VER-REQ-023 | SUB-REQ-024 | verifies | VER-REQ-023 verifies PAT channel degradation response timing and two-sensor safe state SUB-REQ-024 |
| VER-REQ-110 | IFC-REQ-021 | verifies | VER-REQ-110 integration latency test verifies the EMS-MES OPC UA interface IFC-REQ-021 |
| VER-REQ-111 | IFC-REQ-022 | verifies | VER-REQ-111 fail-safe disconnection test verifies the hardwired safety bus IFC-REQ-022 |
| VER-REQ-113 | IFC-REQ-023 | verifies | VER-REQ-113 PID response test verifies the dP Controller-HVAC 4-20 mA interface IFC-REQ-023 |
| VER-REQ-004 | IFC-REQ-001 | verifies | VER-REQ-004 (CQA alarm delivery and soak test) verifies CQA alarm transit time and loss rate on the PAT-MES OPC-UA interface IFC-REQ-001 |
| VER-REQ-005 | IFC-REQ-003 | verifies | VER-REQ-005 (diversion acknowledgment delivery test) verifies MES diversion acknowledgment latency on IFC-REQ-003 |
| VER-REQ-005 | IFC-REQ-005 | verifies | VER-REQ-005 verifies MES diversion command transmission latency on IFC-REQ-005 via the CQA alarm-to-acknowledgment timing test |
| VER-REQ-009 | IFC-REQ-001 | verifies | VER-REQ-009 verifies the end-to-end PAT-to-diversion chain cumulative latency on IFC-REQ-001 |
| VER-REQ-013 | IFC-REQ-006 | verifies | VER-REQ-013 (integration test) verifies G&B-to-PAT NIR interface data integrity and latency IFC-REQ-006 |
| VER-REQ-014 | IFC-REQ-007 | verifies | VER-REQ-014 (integration test) verifies MES-to-G&B recipe delivery and EBR feedback latency IFC-REQ-007 |
| VER-REQ-016 | IFC-REQ-008 | verifies | VER-REQ-016 (inspection test) verifies the G&B-to-Compression sealed IBC handoff, seal inspection and batch genealogy record IFC-REQ-008 |
| VER-REQ-017 | IFC-REQ-002 | verifies | VER-REQ-017 verifies PAT-to-MES sensor health status publishing via OPC-UA IFC-REQ-002 |
| VER-REQ-018 | IFC-REQ-004 | verifies | VER-REQ-018 verifies real-time CQA measurement stream latency and diversion trigger on the PAT-to-MES interface IFC-REQ-004 |
| VER-REQ-022 | IFC-REQ-009 | verifies | VER-REQ-022 verifies quantified degraded-mode transition latency and CQA continuity on the MES-PAT interface IFC-REQ-009 |
| VER-REQ-026 | IFC-REQ-010 | verifies | VER-REQ-026 (OPC-UA data stream test) verifies IPC OPC-UA data stream rate, timestamp accuracy and channel completeness IFC-REQ-010 |
| VER-REQ-027 | IFC-REQ-011 | verifies | VER-REQ-027 (MES EBR write test) verifies that rejection events and state transitions are written to the MES EBR within the latency bound IFC-REQ-011 |
| VER-REQ-036 | IFC-REQ-020 | verifies | VER-036 verifies IFC-020 LIMS batch release interface |
| VER-REQ-035 | IFC-REQ-019 | verifies | VER-035 verifies IFC-019 ERP production order interface |
| VER-REQ-034 | IFC-REQ-018 | verifies | VER-034 verifies IFC-018 material identity gate |
| VER-REQ-033 | IFC-REQ-017 | verifies | VER-033 verifies IFC-017 dispensing interface |
| VER-REQ-032 | IFC-REQ-016 | verifies | VER-032 verifies IFC-016 containment halt timing |
| VER-REQ-031 | IFC-REQ-015 | verifies | VER-031 verifies IFC-015 coating release gate |
| VER-REQ-030 | IFC-REQ-014 | verifies | VER-030 verifies IFC-014 packaging serialisation |
| VER-REQ-029 | IFC-REQ-013 | verifies | VER-029 verifies IFC-013 transfer gate |
| VER-REQ-028 | IFC-REQ-012 | verifies | VER-028 verifies IFC-012 Film Coating MES timing |
| VER-REQ-115 | SYS-REQ-030 | verifies | VER-REQ-115 verifies SYS-REQ-030 PCS cybersecurity |
| VER-REQ-112 | SYS-REQ-013 | verifies | VER-REQ-112 end-to-end safety chain test verifies SYS-REQ-013 OEL containment |
| VER-REQ-108 | SYS-REQ-028 | verifies | VER-REQ-108 rack inspection verifies SYS-REQ-028 physical rack embodiment |
| VER-REQ-107 | SYS-REQ-025 | verifies | VER-107 → SYS-025 environmental sensor placement inspection |
| VER-REQ-106 | SYS-REQ-022 | verifies | VER-106 → SYS-022 facility layout inspection |
| VER-REQ-105 | SYS-REQ-023 | verifies | VER-105 → SYS-023 operator override test |
| VER-REQ-009 | REQ-SEPHARMAMANUFACTURING-016 | verifies | System-level PAT diversion chain integration test |
| VER-REQ-104 | SYS-REQ-027 | verifies | Hardware override test verifies PCS manual override and E-stop timing |
| VER-REQ-103 | SYS-REQ-026 | verifies | Calibration test verifies cleanroom sensor accuracy |
| VER-REQ-097 | REQ-SEPHARMAMANUFACTURING-025 | verifies | System-level IPC automated rejection verification |
| VER-REQ-096 | REQ-SEPHARMAMANUFACTURING-023 | verifies | System-level packaging serialisation and aggregation verification |
| VER-REQ-095 | REQ-SEPHARMAMANUFACTURING-022 | verifies | System-level PAT degraded-mode transition and manual sampling frequency verification |
| VER-REQ-094 | REQ-SEPHARMAMANUFACTURING-015 | verifies | System-level EBR lifecycle and 21 CFR Part 11 compliance verification of the system EBR integrity requirement |
| VER-REQ-093 | REQ-SEPHARMAMANUFACTURING-014 | verifies | System-level throughput and OEE verification via continuous production run |
| VER-REQ-092 | REQ-SEPHARMAMANUFACTURING-024 | verifies | System-level LOTO electronic lockout enforcement verification |
| VER-REQ-091 | REQ-SEPHARMAMANUFACTURING-017 | verifies | System-level containment negative pressure and HVAC verification |
| VER-REQ-090 | REQ-SEPHARMAMANUFACTURING-016 | verifies | System-level PAT CQA model accuracy verification |
| VER-REQ-089 | REQ-SEPHARMAMANUFACTURING-020 | verifies | End-to-end batch genealogy verification (SYS-REQ-007) |
| VER-REQ-088 | SYS-REQ-017 | verifies | OEE dashboard update latency confirmation |
| VER-REQ-087 | SYS-REQ-021 | verifies | Shift handover supervisor capability and pending action transfer |
| VER-REQ-060 | SYS-REQ-017 | verifies | OEE tracking per SEMI E10 equipment availability standard |
| VER-REQ-058 | SYS-REQ-015 | verifies | EU FMD serialisation and unit-level 2D code generation |
| VER-REQ-057 | SYS-REQ-014 | verifies | ICH Q8/Q11 process validation data recording |
| VER-REQ-085 | SYS-REQ-019 | verifies | Automatic deviation record on CPP exceedance (SIL-2) |
| VER-REQ-059 | SYS-REQ-016 | verifies | EN ISO 13849-1 machine safety PLd/PLe (SIL-2 H-007) |
| VER-REQ-056 | SYS-REQ-013 | verifies | OEL containment system requirement (SIL-2 H-001) |
| VER-REQ-086 | SYS-REQ-020 | verifies | VER-REQ-086 verifies the cleaning status registry system requirement (SIL-3 H-002) |
| VER-REQ-061 | SYS-REQ-018 | verifies | VER-REQ-061 verifies the SIL-3 PAT qualification enforcement system requirement |
| VER-REQ-046 | REQ-SEPHARMAMANUFACTURING-021 | verifies | VER-REQ-046 verifies MES-guided changeover workflow and electronic release gate |
| VER-REQ-045 | REQ-SEPHARMAMANUFACTURING-019 | verifies | VER-REQ-045 verifies system-level cleanroom environmental alarm and halt response times |
| VER-REQ-044 | REQ-SEPHARMAMANUFACTURING-018 | verifies | VER-REQ-044 verifies system-level emergency stop timing across all three activation paths |
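
Two of the links above, VER-REQ-008 verifying EBR hash chain integrity detection (SUB-REQ-010) and VER-REQ-019 verifying EBR tamper detection via direct database modification (SUB-REQ-009), describe a check worth seeing exercised. The following is an added example, not code from this report or from the MES it describes: a SHA-256 hash-chained EBR audit trail with a verification routine, run against a direct edit of one row and against an attacker who edits the row and recomputes every later hash. The entry fields, batch and tablet identifiers, the GENESIS value and the external anchor are constructed for the example.

```python
"""Hash-chained EBR audit trail with tamper detection.

Added example, not code from the UHT report or from the MES it
describes. Assumes the EBR audit trail is an ordered list of rows; each
row stores the previous row's hash and SHA-256(prev_hash || canonical
entry). The latest hash is kept as an anchor outside the database (a
write-once store or signed checkpoint), modelled here as a plain value.
"""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hypothetical fixed value the first row links to

# Constructed sample rows; field names and values are illustrative only.
SAMPLE_ENTRIES = [
    {"seq": 1, "batch": "B-0001", "step": "API_CHARGE", "operator": "op17", "esig": True},
    {"seq": 2, "batch": "B-0001", "step": "COMPRESSION", "compression_force_kn": 18.5},
    {"seq": 3, "batch": "B-0001", "step": "IPC_REJECT", "tablet_id": 4412, "reason": "weight"},
    {"seq": 4, "batch": "B-0001", "step": "BATCH_RELEASE", "operator": "qa03", "esig": True},
]


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation: key order or whitespace must not change the hash.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def append(chain: List[dict], entry: dict) -> dict:
    """Append one row, linking it to the current head (or GENESIS if empty)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"prev": prev, "entry": entry, "hash": link_hash(prev, entry)}
    chain.append(row)
    return row


def verify(chain: List[dict], anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain and recompute every link.

    Returns (True, None) if intact, else (False, index of the first bad row).
    If an external anchor is given and the recomputed head differs from it,
    the index returned is len(chain): every row links correctly, but the
    chain as a whole is not the one that was anchored.
    """
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev"] != prev or row["hash"] != link_hash(prev, row["entry"]):
            return False, i
        prev = row["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for entry in SAMPLE_ENTRIES:
        append(chain, entry)
    return chain


def tamper_in_place(chain: List[dict], index: int, **changes) -> List[dict]:
    """Direct DB UPDATE of one row's content; stored hashes are left untouched."""
    tampered = copy.deepcopy(chain)
    tampered[index]["entry"].update(changes)
    return tampered


def tamper_and_rechain(chain: List[dict], index: int, **changes) -> List[dict]:
    """Attacker with write access edits the row and recomputes all later hashes."""
    entries = [copy.deepcopy(row["entry"]) for row in chain]
    entries[index].update(changes)
    rebuilt: List[dict] = []
    for entry in entries:
        append(rebuilt, entry)
    return rebuilt


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]  # copied to the external store at write time
    print("intact:", verify(chain, anchor))
    edited = tamper_in_place(chain, 1, compression_force_kn=12.0)
    print("direct edit:", verify(edited, anchor))
    rebuilt = tamper_and_rechain(chain, 1, compression_force_kn=12.0)
    print("rebuilt, no anchor:", verify(rebuilt))
    print("rebuilt, with anchor:", verify(rebuilt, anchor))
```

The second scenario is the caveat a verifier should build into VER-REQ-019: a hash chain on its own only detects edits that leave later hashes stale. Anyone with write access to the same database can rebuild the whole chain, so the check must compare the recomputed head against a value the database writer cannot change (a write-once log, a signed checkpoint, or a head hash published to a separate system).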

| Ref | Document | Requirement |
|---|---|---|
| STK-REQ-001 | stakeholder-requirements | The manufacturing line SHALL achieve a minimum Overall Equipment Effectiveness (OEE) of 75% during Normal Production mod... |
| STK-REQ-002 | stakeholder-requirements | The manufacturing line SHALL maintain electronic batch records (EBRs) that fully comply with FDA 21 CFR Part 11 and EU A... |
| STK-REQ-003 | stakeholder-requirements | The manufacturing line SHALL perform continuous real-time in-process quality monitoring using Process Analytical Technol... |
| STK-REQ-004 | stakeholder-requirements | The manufacturing line SHALL maintain containment integrity for potent compounds with Occupational Exposure Limit (OEL) ... |
| STK-REQ-005 | stakeholder-requirements | When an emergency condition is detected, the manufacturing line SHALL achieve a full controlled stop of all process equi... |
| STK-REQ-006 | stakeholder-requirements | The manufacturing line SHALL comply with EU GMP Annex 1 (for sterile areas if applicable), EU GMP Annex 15 (validation),... |
| STK-REQ-007 | stakeholder-requirements | The manufacturing line SHALL support validated product changeover procedures that achieve cross-contamination residue le... |
| STK-REQ-008 | stakeholder-requirements | The manufacturing line SHALL integrate with the external drug serialisation system to apply unique identifiers to 100% o... |
| STK-REQ-009 | stakeholder-requirements | When a non-critical equipment fault or PAT sensor degradation is detected, the manufacturing line SHALL maintain product... |
| STK-REQ-010 | stakeholder-requirements | The manufacturing line SHALL maintain bidirectional traceability of all raw materials, intermediates, and finished produ... |
| STK-REQ-011 | stakeholder-requirements | While operating in Normal Production mode, the manufacturing line SHALL maintain cleanroom conditions at ISO Class 7 (EU... |
| STK-REQ-012 | stakeholder-requirements | The manufacturing line SHALL provide documented lockout/tagout (LOTO) procedures and physical isolation points for all e... |
| STK-REQ-013 | stakeholder-requirements | The manufacturing line SHALL produce finished drug products that comply with pharmacopoeial specifications for tablet ha... |
| SYS-REQ-001 | system-requirements | The system SHALL operate the production sequence — from raw material dispense through granulation, blending, compression... |
| SYS-REQ-002 | system-requirements | The system SHALL generate, execute, and archive electronic batch records (EBRs) with electronic signatures, access contr... |
| SYS-REQ-003 | system-requirements | The system SHALL acquire PAT sensor data (NIR, Raman, laser diffraction) at a minimum sample interval of 30 seconds, eva... |
| SYS-REQ-004 | system-requirements | The system SHALL maintain negative pressure isolation in potent compound processing enclosures (OEB 4/5 compounds, OEL <... |
| SYS-REQ-005 | system-requirements | When an emergency stop is triggered (by operator actuator, interlock, or automatic safety function), the system SHALL de... |
| SYS-REQ-006 | system-requirements | While in Normal Production mode, the system SHALL continuously monitor cleanroom differential pressure, temperature (20±... |
| SYS-REQ-007 | system-requirements | The system SHALL record and maintain a full batch genealogy database linking every finished product unit to its input ra... |
| SYS-REQ-008 | system-requirements | The system SHALL guide operators through validated cleaning procedures during product changeover, verify cleaning comple... |
| SYS-REQ-009 | system-requirements | When the PAT subsystem enters sensor-degraded mode, the system SHALL automatically switch to manual in-process testing m... |
| SYS-REQ-010 | system-requirements | The system SHALL apply 2D DataMatrix barcodes encoding a unique serial number, GTIN, lot number, and expiry date to 100%... |
| SYS-REQ-011 | system-requirements | The system SHALL enforce electronic lockout verification for maintenance activities, preventing equipment restart while ... |
| SYS-REQ-012 | system-requirements | The system SHALL enforce an automated in-process rejection of any tablet with weight outside ±5% of target, hardness out... |
| VER-REQ-108 | verification-plan | The verification activity for SYS-REQ-028 SHALL perform a physical commissioning inspection of the GMP equipment rack ho... |