Phase State Model

ISA-88 defines a canonical state machine for every phase. The model recognises stable states (Idle, Held, Stopped, Aborted, Complete) and transient states (Running, Holding, Restarting, Stopping, Aborting, Completing). Transitions are triggered either by commands (Hold, Restart, Stop, Abort, Reset) or by internal completion.

• Idle — phase exists but no execution; ready to start.
• Running — phase is executing normally.
• Holding → Held — Hold command received; phase is suspending; once safe state reached, Held.
• Restarting → Running — Restart command from Held; phase resumes.
• Stopping → Stopped — controlled stop; phase ends without completing its work.
• Aborting → Aborted — uncontrolled stop; phase abandons work, leaving the process in a potentially unsafe state.
• Completing → Complete — phase finished its work normally.

• Predictability — every operator and reviewer knows the legal states and transitions; no surprises.
• Recovery — Hold/Restart is a defined, documented recovery path, distinct from Stop and Abort.
• Audit trail — every transition is captured with timestamp, trigger and actor, producing a defensible execution record.
• Safety — Abort vs Stop is a meaningful distinction; Abort signals "unsafe state possible, investigate".
• Reuse — phase code written against the standard model ports between platforms without rework.

Mixing these is one of the most common ISA-88 misuses. Operators trained on the difference make better recovery decisions; reviewers trained on the difference detect when the operator chose wrong.

The phase state model is the same in every mode, but mode determines who or what can issue commands and transitions:

• Auto — recipe sequences phases; operator can Hold/Abort but not bypass.
• Semi-auto — recipe sequences but operator confirms each transition (training, qualification batches).
• Manual — operator drives transitions phase-by-phase; recipe is a guide, not a controller.
• Out-of-service — phase cannot execute regardless of command (maintenance, calibration).

Mode change itself is audited — a switch from Auto to Manual mid-batch is a deviation event.

The phase state model lives at the procedural layer; the equipment-state machine lives at the equipment layer. A Hold at the phase level may or may not put the equipment into a safe physical state — that depends on the phase logic's hold response. Common patterns:

• Hold-in-place — agitator continues, jacket maintained, no material movement; resume picks up exactly where left.
• Hold-to-safe — jacket cooled to safe temp, agitator stopped, valves closed; resume requires re-establishing setpoints.
• Hold-abort-fallback — Hold attempted, fails timeout, escalates to Abort with full safety sequence.

• Every state transition recorded with UTC timestamp, prior state, new state, trigger (command/internal), actor (user ID or system), and reason code if commanded.
• Hold/Restart cycles aggregated for the eBMR — "phase held 3 times totalling 47 min".
• Abort events flagged for QA review and trigger automatic deviation creation.
• Phase entry/exit signatures recorded per Part 11 when SOPs require dual-witness or supervisor sign-off.
• State-machine traces are forensic evidence — "who restarted that phase at 02:14 and why?" must be answerable.

• Using Stop where Hold is correct — eats the phase's progress, recipe wrongly advances.
• Using Abort routinely instead of Hold — masks safety distinction; reviewers lose signal.
• Custom states bolted on ("Paused", "Suspended") — breaks portability and audit clarity.
• Phase transitions not audit-trailed because the PLC SFC is the source of truth instead of the MES — review evidence gap.
• Mode-change events not deviation-flagged — Auto→Manual mid-batch slips through.
• Hold response not designed — phases held in undefined state; resume produces non-reproducible results.