
White Paper

Industry Solution Blueprint for Environmental Monitoring Systems (EMS)


Requirements

Author: Roberto Zerbi, Global Industries Solutions–Life Sciences, Invensys

What’s Inside:
I. Introduction
II. Requirements
III. References

I. Introduction
This white paper describes the relevant aspects and common requirements to be considered when specifying sensors for an
Environmental Monitoring System (EMS), including the necessary functions to satisfy the Good Engineering Practices (GEP) and
validation requirements of the regulatory and predicate rules. A similar approach could be applied when designing a Heating,
Ventilation and Air Conditioning (HVAC) System or a Building Management System (BMS), with the difference here being the absence
of validation and the ability to adopt less than industrial grade instruments/sensors.

II. Requirements

Requirements should be described in the User Requirement Specification (URS) and Quality Plan documents (they are also described
in the Request For Quote as “Scope of Supply”). It may be worthwhile to create a separate document listing all requirements to be
added to a generic URS.

1. Monitoring of Critical Parameters¹


When specifying sensors and devices for Critical Process Parameter (CPP) monitoring, the main Good Manufacturing Processes
(GMP) relevant factors to consider are:

• Accuracy and repeatability
• Stability (drift) and failure modes
• Clean-up (recovery) times from in-use to at-rest (classified spaces)
• Alarm actions
• Design point (often defined as the expected “center” value)
• Design tolerance (Hi-Lo range)
• Accepted normal operating thresholds (Alert Hi–Alert Lo range)
• Validated acceptance criterion (Critical Hi–Critical Lo range)
• Maintenance and calibration requirements

Instrumentation requirements should consider selecting the most cost-effective type and defining the appropriate calibration regime.
Industrial grade instruments/sensors are usually employed, as they are typically more reliable and more robust, though more expensive.

Adherence to 21 CFR Part 11 (or equivalent) must be considered for an EMS managing GMP critical records. Adopting a dedicated
EMS for “GMP relevant” data facilitates the adoption of remote access for maintenance of BMS/HVAC control systems. In fact, the
BMS/HVAC need not be 21 CFR Part 11 compliant.


2. Functions
2.2 – Sensor Operating Mode
Each sensor/device can be in one of three conditions (states): Operation, Maintenance and Disconnected. Proper state
management should be provided: each change of state should be recorded, and a user comment explaining it must be provided.

Changing sensor status should not affect the remainder of the system. In Maintenance or Disconnected state, alarms and events
should be inhibited, as well as all changes to sensor/device parameters (threshold, hysteresis, priority and delay).
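
The state handling described above, as an added Python example (not from the white paper or any vendor product): every state change is written to a change record and rejected if the comment is blank, and alarm evaluation and parameter edits are blocked outside the Operation state. The `Sensor` class, its field names and the tag are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    OPERATION = "Operation"
    MAINTENANCE = "Maintenance"
    DISCONNECTED = "Disconnected"


# Parameters the section lists as frozen outside the Operation state.
LOCKED_PARAMS = {"threshold", "hysteresis", "priority", "delay"}


@dataclass
class Sensor:
    tag: str                                    # constructed tag name
    state: State = State.OPERATION
    params: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # append-only change record

    def change_state(self, new_state, user, comment):
        # Reject the change rather than record it without an explanation.
        if not comment or not comment.strip():
            raise ValueError("state change requires a user comment")
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "tag": self.tag, "user": user, "comment": comment.strip(),
            "from": self.state.value, "to": new_state.value,
        })
        self.state = new_state

    def alarms_enabled(self):
        # Alarms and events are inhibited in Maintenance and Disconnected.
        return self.state is State.OPERATION

    def set_param(self, name, value):
        if name in LOCKED_PARAMS and self.state is not State.OPERATION:
            raise PermissionError(f"{name} is locked in {self.state.value}")
        self.params[name] = value
```

Because the record is written before the state changes, a reviewer can see who moved a sensor out of Operation, when, and why, which is the window in which its alarms were silent.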

2.3 – Alarm Management


Some EMS sensors/devices could be for monitoring and recording only, without any associated alarm or event (e.g., sensors added
to facilitate operations but not related to critical process parameters).

A brief description of the purpose of each alarm should be provided. More information on defining alarm strategies is available.²

Alarm logic shall include software delay timers and hysteresis functions to ensure alarms are only triggered when true out-of-spec
conditions have occurred (e.g., rapidly changing parameters, such as room pressure, have the potential to create frequent nuisance
alarms, such as when a door is opening). Filtering is another solution to avoid nuisance alarms. Using a rolling time-weighted
average signal reading from 4 to 10 seconds is typically sufficient to smooth out signal noise without missing significant failure
events. More information on parameter alarming is available.³
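
The alarm logic described above, as an added Python example that is not part of the white paper: a low-limit alarm on room differential pressure that filters the signal with a rolling time-weighted average, then applies a delay timer and hysteresis. The limit, hysteresis, delay, window and both traces are constructed values; `LoAlarm` and `active_times` are hypothetical names.

```python
from collections import deque


class LoAlarm:
    def __init__(self, limit, hysteresis, delay_s, window_s):
        self.limit, self.hysteresis = limit, hysteresis
        self.delay_s, self.window_s = delay_s, window_s
        self.samples = deque()      # (time_s, raw value) inside the window
        self.breach_since = None    # time the filtered value first went low
        self.active = False

    def _filtered(self):
        # Time-weighted (trapezoidal) mean over the samples in the window.
        pts = list(self.samples)
        span = pts[-1][0] - pts[0][0]
        if span == 0:
            return pts[-1][1]
        area = sum((v0 + v1) / 2 * (t1 - t0)
                   for (t0, v0), (t1, v1) in zip(pts, pts[1:]))
        return area / span

    def update(self, t, value):
        self.samples.append((t, value))
        while self.samples[0][0] < t - self.window_s:
            self.samples.popleft()
        x = self._filtered()
        if self.active:
            # Hysteresis: clear only once clearly back above the limit.
            if x > self.limit + self.hysteresis:
                self.active, self.breach_since = False, None
        elif x < self.limit:
            if self.breach_since is None:
                self.breach_since = t
            # Delay timer: the breach must persist before the alarm fires.
            self.active = t - self.breach_since >= self.delay_s
        else:
            self.breach_since = None
        return self.active


def active_times(trace, **cfg):
    # Feed (t, value) pairs; return the times at which the alarm is active.
    alarm = LoAlarm(**cfg)
    return [t for t, v in trace if alarm.update(t, v)]

# Constructed 1 Hz differential-pressure traces (Pa): door open 10 s vs. fault.
CFG = dict(limit=10.0, hysteresis=2.0, delay_s=20, window_s=6)
DOOR = [(t, 0.0 if 10 <= t < 20 else 15.0) for t in range(41)]
FAULT = [(t, 0.0 if 10 <= t <= 50 else 15.0) for t in range(71)]
```

The door trace never raises the alarm, while the sustained loss raises it 20 seconds after the filtered value first drops below the limit and holds it until the filtered value is back above limit plus hysteresis.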

Acknowledgement (acceptance) of alarms and events must be performed on the central EMS (BMS) system.

Each alarm must be capable of being accepted by a suitable person logged onto the system. The acceptor’s identity, the date and
the time must be recorded.

Each sensor or device should be described by the following value parameters:

• Critical Hi alarm
• Alert Hi alarm
• Design Hi target
• Design Lo target
• Alert Lo alarm
• Critical Lo alarm

“Alert limits for pressurization may have the same pressure value as action alarm limits. Typically, what distinguishes a
pressure alert limit from a critical alarm limit is the length of time that is allowed to pass before signaling an alert and
then an action alarm (time delay)…”³

The system shall provide a method to identify and organize alarms into severity (or priority) levels (e.g., Safety Critical,
Process Critical, Process Warning, System Warning and General Information). The priority of alarms will also determine who
reviews and responds to the alarms. More information on defining alarm strategies is available.²

The system shall provide a method to group and filter alarms by plant or process area. Alarm activity (generation and
acknowledgement) shall be time-stamped and a log created. The alarm log shall contain (as a minimum) the following fields:
• “In Alarm” or “Out of Alarm” date and time
• Equipment ID
• Tag name
• Event type (e.g., “In Alarm” or “Out of Alarm”)
• Alarm “purpose” description
• Engineering value for the device in alarm

Critical alarms shall override non-critical alarms and warning messages.


Beacon and audible signals should be provided. For example, the system must initiate an amber beacon when either the Alert
Lo or Alert Hi alarm point is passed and a red beacon and audible alarm when the Critical Lo or Critical Hi alarm point is passed.
Audible alarms are silenced when acknowledged. The amber or red beacons will only be extinguished when acknowledged and
the process value has returned to the design target range (a green beacon will then be turned on). Flashing could be used if all the
sensors in one room or area are in Maintenance or Disconnected state.

Alarm management should be defined according to the standard ISA 18.2 - 2009, “Management of Alarm Systems for the Process
Industries.”

2.4 – Local Display


Process values and Critical alarms could be displayed locally. The local unit could display values and conditions derived from the
central EMS (BMS) system, or be used for sensor conditioning (including calibration), local storage and connection to the EMS (BMS)
system (by cable or wireless, serial or network). In this case Date/Time Stamp and Time Synchronization must be provided. Alarms
and events could be displayed locally, but they must be managed according to what is stated in section 2.3.

2.5 – Time Stamp


All data received from sensors (process data, alarms, events) should be linked to date and time.

2.6 – Reports/Electronic Batch Records


Pre-defined custom reports should be pre-configured. These will include automatic daily printouts of alarms and operator actions.
The system should be capable of exporting reports in an open format like MS Office or PDF. The system software should allow the
user to produce customized reports, including:
• Graphs of sensor readings against time
• Tables of sensor readings against time
• The duration for which any out-of-limit data was recorded

The system must provide comprehensive system reports with full operator search (query) capability. These will include alarms,
events, audit trails and operational data. The operational interface must be graphical with drop-down selection menus.

Any system report must be generated in real-time. Web server report capability is preferred.

2.7 – Access Level


The EMS and BMS should have the same access control and functions. For example, alarm override or inhibit functions must only
be configurable with “Engineer Level” access, and all changes to configuration must require a password and comment.

The system must provide Windows® Active Directory Integration and provide user synchronization between local application
security groups and domain security groups. The system must allow User Security Groups to be defined (e.g., View Only, Operator,
Supervisor, Maintenance and Administrator). For example, when logged on as an Operator, access must be limited to the following
functions:
• View area environmental conditions
• Acknowledge alarms and add comments
• Add notes
• View historical data and print charts
• View and print alarm logs

As another example, when logged on as an Administrator, the following functions must be available, depending on individual user
access configuration:
• Full configuration
• Full security (add/remove user, reset logins/access)
• Authorize user actions
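
The access rules in this section, as an added Python example (not from the white paper or any vendor product): the Operator set is limited to the five listed functions, alarm inhibit is reserved for Engineer Level, and a configuration change is refused without the password and a comment. The function labels, account names and the local PBKDF2 password store are assumptions; the paper calls for Active Directory integration, which the local store stands in for here.

```python
import hashlib
import hmac
import os

# Function names are hypothetical labels for the functions the section lists.
OPERATOR = {"view_conditions", "view_history", "ack_alarm",
            "view_alarm_log", "add_note"}
# Assumption: Engineer Level adds alarm inhibit on top of the Operator set.
ROLES = {"Operator": OPERATOR, "Engineer": OPERATOR | {"inhibit_alarm"}}
CONFIG_FUNCS = {"inhibit_alarm"}    # need password re-entry and a comment


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(role, password):
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "pw_hash": hash_password(password, salt)}


def authorize(users, audit, user, func, password="", comment=""):
    entry = {"user": user, "func": func, "comment": comment.strip(),
             "allowed": False}
    audit.append(entry)             # denied attempts are recorded as well
    acct = users.get(user)
    if acct is None or func not in ROLES[acct["role"]]:
        raise PermissionError(f"{user} may not {func}")
    if func in CONFIG_FUNCS:
        supplied = hash_password(password, acct["salt"])
        if not hmac.compare_digest(supplied, acct["pw_hash"]):
            raise PermissionError("password check failed")
        if not entry["comment"]:
            raise ValueError("configuration change requires a comment")
    entry["allowed"] = True
    return entry


# Constructed accounts; a deployment would check the password against the
# directory service instead of this local stand-in.
USERS = {"op1": make_user("Operator", "op-pass"),
         "eng1": make_user("Engineer", "eng-pass")}
```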


2.8 – Color Standardization


All process variables must have the same color coding. For example, value color should be black when the point is healthy, amber
if the Alert alarm point is passed and red when the Critical alarm point is passed. Flashing is permitted to request operator action.
A flag should track the states.

2.9 – Failure Detection


Failures include: sensor/device break, individual component power loss (including redundant power supply units and
uninterruptible power supply states), network connections and individual system component failure.

The system shall generate an electronic “heartbeat” indicating that the monitoring unit is on and executing its tasks.

On loss of communications to central computer systems, distributed monitoring units must remain capable of guaranteeing
environment monitoring, even if alarms will not be displayed (unless there is a local interface in place), under full control of the
process. Setpoints should generally remain at “last state” unless specifically changed via local operator interface.
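
One way a central system can check the heartbeat requirement above, as an added Python example that is not part of the white paper: it separates a unit that has gone silent from one that still sends heartbeats but has stopped executing its tasks. The task counter carried in each heartbeat, the timeout, the stall limit and the unit IDs are assumptions made for illustration.

```python
class HeartbeatWatchdog:
    def __init__(self, timeout_s, stall_limit):
        self.timeout_s = timeout_s      # max silence before a unit is failed
        self.stall_limit = stall_limit  # repeats of one counter value allowed
        self.units = {}

    def receive(self, unit_id, t, task_counter):
        u = self.units.setdefault(
            unit_id, {"seen": t, "counter": None, "repeats": 0})
        # Assumption: the unit increments task_counter once per scan cycle,
        # so an unchanged value means it is powered but not doing its work.
        u["repeats"] = u["repeats"] + 1 if task_counter == u["counter"] else 0
        u["seen"], u["counter"] = t, task_counter

    def failures(self, now):
        found = {}
        for unit_id, u in self.units.items():
            if now - u["seen"] > self.timeout_s:
                found[unit_id] = "no heartbeat"
            elif u["repeats"] >= self.stall_limit:
                found[unit_id] = "tasks not executing"
        return found


def check(messages, now, timeout_s=12, stall_limit=3):
    wd = HeartbeatWatchdog(timeout_s, stall_limit)
    for unit_id, t, counter in messages:
        wd.receive(unit_id, t, counter)
    return wd.failures(now)


# Constructed heartbeat messages: (unit id, time in s, task counter).
MESSAGES = [
    ("EMU-1", 0, 1), ("EMU-2", 0, 1), ("EMU-3", 0, 7),
    ("EMU-1", 5, 2), ("EMU-2", 5, 2), ("EMU-3", 5, 7),
    ("EMU-1", 10, 3), ("EMU-3", 10, 7),
    ("EMU-1", 15, 4), ("EMU-3", 15, 7),
]
```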

2.10 – Data Archiving


The system must allow data archiving to a secure server. The data must be able to be restored from the archive to the system
human machine interface (HMI).

The system must be capable of reprocessing and trending previously acquired data.

Requirements for retention of alarm history should be defined, too.

2.11 – Record Requirements


The frequency of data collection is dependent on the parameter being measured. There is no regulatory guidance regarding
frequency of monitoring, although the U.S. Pharmacopeia states that the user must consider how rapidly the monitored condition is
likely to change, suggesting that for storage conditions, a response time of 15 minutes may be appropriate, whereas for transport
of product a more rapid response time of five minutes may be required. In a manufacturing area, there are unlikely to be sources of
heat energy or humidity that can create instant changes, considering the thermal mass and sizes of the monitored areas. Therefore,
temperature and humidity will change very slowly and could be recorded at two- or three-minute intervals (or longer) and still
provide an accurate record of the environmental conditions. Room pressure changes quickly, so data intervals may be very short,
perhaps seconds, during an out-of-specification state. For classified spaces without airlocks, differential pressure will drop to zero
soon after the door is opened. This drop should be recorded, but the alarm should be on a time delay to permit the door to close
within a validated time. It may be acceptable to have a record of alarms (or lack thereof) only during manufacturing, recorded on
the batch record sheet.

2.12 – Redundancy
The system must be interfaced to a Local Area Network (LAN) using Ethernet Transmission Control Protocol / Internet Protocol
(TCP/IP), utilizing redundant central processing units (CPUs) and redundant Ethernet ports. Changeover must be automatic in
the event of a CPU or communications failure. The system must support the use of redundant servers and incorporate automatic
changeover in the event of a device failure. The I/O hardware must be powered from redundant power supplies.

2.13 – Back-up and Recovery


It must be possible to make copies of the system configuration files to both USB (Universal Serial Bus) memory and CD/DVD
(compact disc/digital video disc) devices.
It must be possible to re-install the configuration files and application software from the network, CD/DVD or USB memory device.
Data should be backed up daily (back-up period adjustable) to two separate secure data historian servers.
Recovery Time Objective (RTO) for the system should be defined (e.g., 4 hours).
Recovery Point Objective (RPO) for the system should be defined (e.g., near zero hours for the High Availability architecture).

2.14 – Calibration
Three-point calibration may be required, but single-point calibration may be justifiable.

The calibration adjustment setting used to ensure sensor and device accuracy will be Indirect or No Impact from a GMP
perspective (i.e., records do not have to be 21 CFR Part 11 compliant). “GMP decisions are not made on calibration adjustment
parameters. Change control or standard operating procedures (SOPs) should be used. Calibration adjustment parameters should
be secure from unauthorized or inadvertent change.”⁴

3. Airborne Particle Monitoring


According to the U.S. Food and Drug Administration (FDA), “Regular monitoring should be performed during each production
shift.”⁵ The European Commission EudraLex also provides guidance.⁶ “Based on this guidance, there is a trend toward the
installation of continuous monitoring systems since they provide a better understanding of the process, and the data can be used
to support a reduced frequency of testing while assuring continued levels of control.”⁷

4. Maintenance
Maintenance and operational control requirements are no different than with other computerized systems, but there are two special
aspects to consider:⁸
• Disaster recovery and business continuity
• Risk assessment for acceptable downtime and recovery rates

III. References
1. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” Appendix 2, pg 188, October 2009.
2. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Defining BMS Alarm Strategies, Vol. 25, No. 5, September/October 2005.
3. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” pg 33, October 2009.
4. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Table E, Vol. 25, No. 5, September/October 2005.
5. U.S. FDA Guidance for Industry, “Sterile Drug Products Produced by Aseptic Processing–Current Good Manufacturing Practice,”
Chapter IV-A, Critical Area–Class 100 (ISO 5), September 2004.
6. “EU Guidelines to Good Manufacturing Practice Medicinal Products for Human and Veterinary Use,” Annex 1–Manufacture of Sterile
Medicinal Products, Reference 8, 1 March 2009.
7. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” pg 192, October 2009.
8. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Maintenance and Operational Controls, Vol. 25, No. 5, September/October 2005.

Invensys Operations Management • 5601 Granite Parkway III, #1000, Plano, TX 75024 • Tel: (469) 365-6400 • Fax: (469) 365-6401 • iom.invensys.com

Invensys, the Invensys logo, ArchestrA, Avantis, Eurotherm, Foxboro, IMServ, InFusion, SimSci-Esscor, Skelta, Triconex, and Wonderware are trademarks of Invensys plc, its subsidiaries or affiliates.
All other brands and product names may be the trademarks or service marks of their representative owners.

© 2011 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including
photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc.
Rel. 09/11 PN IN-0192
