Exception Handler

An exception handler is a named, recipe-defined sequence that activates when a specified exception condition occurs during normal phase or operation execution. ISA-88 treats exception paths as first-class — every recipe defines what to do when things go wrong, with the same rigour as the happy path.

• Trigger — the condition that activates the handler (named interlock trip, permissive timeout, IPC out of range, operator abort, equipment failure code).
• Scope — the procedural element the handler attaches to (phase, operation, unit procedure, procedure).
• Response — the sequence of phases or operations the handler executes.
• Outcome — the state the recipe reaches after the handler completes (resume, advance, hold for disposition, abort).

• Recovery is repeatable — operators do not invent recovery on the spot; the recipe specifies it.
• Disposition is explicit — handler outcomes tell QA what state the material is in, enabling clean release-or-reject decisions.
• Audit is clear — every exception path is recorded with trigger, actions taken and outcome.
• Validation is bounded — the exception paths are part of the recipe scope; PPQ challenges them.
• CPV is meaningful — exception frequency by handler reveals process noise and CAPA candidates.

• Hold-investigate-resume — phase holds; engineer investigates; operator restarts on resolution; batch continues.
• Hold-disposition-route — phase holds; QA decides reprocess, rework, divert or reject; recipe branches accordingly.
• Safe-state-abort — phase aborts with safe-state sequence (cool jacket, stop agitator, close valves); batch is lost; equipment safe.
• Reroute-to-alternate — recipe takes a pre-validated alternative path (e.g. extended drying time on moisture-high IPC).
• Retry-with-degraded-parameters — phase retries with recipe-defined fallback parameters (e.g. slower mixing speed on torque-high alarm).
• Escalate-to-supervisor — handler signals supervisor via system; supervisor decides next action with full context displayed.

Scope determines which handler activates when multiple are eligible. ISA-88's principle: nearest scope wins. A phase-level handler trumps an operation-level handler; an operation-level handler trumps a unit-procedure handler. Recipe authors use this to provide:

• Phase-specific responses for known phase failure modes.
• Operation-level fallback when phase-level handler does not match or is exhausted.
• Unit-procedure-level catastrophic handlers ("safe-state and abort").
• Procedure-level handlers for cross-unit coordinated abort (release all units, no orphans).

When an exception fires, the operator UI presents:

1. What triggered the exception (named condition with rationale).
2. Which handler is now active.
3. What the handler is doing currently and what it will do next.
4. What operator action (if any) is required (acknowledge, confirm, escalate).
5. Live status of the recovery sequence as it progresses.

The anti-pattern: a beep, a code, and an operator left to recall the recovery from training.

• Trigger event captured with timestamp, source, condition value, batch and phase context.
• Handler activation recorded — which handler at which scope.
• Each handler step logged with timestamp and outcome.
• Handler outcome recorded — resumed, advanced, held, aborted — with material disposition implication.
• eBR section per exception aggregating the trace, visible at review-by-exception scan.
• Aggregated across batches for CPV — exception count by trigger by recipe by equipment.

• Pharma — moisture-high after drying triggers extended-dry handler with re-sampling; recurring trigger flags drier performance trend.
• Biopharma — pH out of range during fermentation triggers controlled-feed-adjustment handler before escalating to hold-for-investigation.
• Food — pasteuriser temperature dip triggers flow-divert handler returning product to balance tank; recipe re-pasteurises automatically.
• Cosmetics — viscosity-low after emulsification triggers extended-mix handler; persistent fail routes to rework recipe.
• Chemicals — exotherm rate above limit triggers feed-stop and cooling-ramp handler; pressure spike beyond second threshold triggers safe-state abort.

• No handlers defined — every exception holds for engineering intervention, killing throughput and creating ad-hoc deviation entries.
• Handlers only for safety, none for operational exceptions — recoverable trips become wasted batches.
• Handler logic baked into phase code — invisible to recipe reviewers, validation gap.
• Handler outcomes not recorded — eBR shows 'exception occurred' with no record of what was done.
• Operator UI does not surface handler progress — operators panic, abort handlers, defeat their value.
• No CPV analysis of exception frequencies — process noise normalised, recurring trips never investigated.
• Disposition decisions inside handlers without QA gate — material moves forward without quality oversight.