What’s Inside:
I. Introduction
II. Requirements
III. References
Industry Solution Blueprint for Environmental Monitoring Systems (EMS)
Requirements
I. Introduction
This white paper describes the relevant aspects and common requirements to be considered when specifying sensors for an
Environmental Monitoring System (EMS), including the necessary functions to satisfy the Good Engineering Practices (GEP) and
validation requirements of the regulatory and predicate rules. A similar approach could be applied when designing a Heating,
Ventilation and Air Conditioning (HVAC) System or a Building Management System (BMS), with the difference here being the absence
of validation and the ability to adopt less than industrial grade instruments/sensors.
II. Requirements
Requirements should be described in the User Requirement Specification (URS) and Quality Plan documents (they are also described
in the Request For Quote as “Scope of Supply”). It may be worthwhile to create a separate document listing all requirements to be
added to a generic URS.
Instrumentation requirements should consider selecting the most cost-effective type and defining the appropriate calibration regime.
Industrial grade instruments/sensors are usually employed, as they are typically more reliable and more robust, though more expensive.
Adherence to 21 CFR Part 11 (or equivalent) must be considered for an EMS managing GMP critical records. Adopting a dedicated
EMS for “GMP relevant” data facilitates the adoption of remote access for maintenance of BMS/HVAC control systems. In fact, the
BMS/HVAC need not be 21 CFR Part 11 compliant.
2. Functions
2.2 – Sensor Operating Mode
Each sensor/device can be in one of three conditions (states): Operation, Maintenance and Disconnected. Proper state
management should be provided: each change of state should be recorded, and a user comment explaining it must be provided.
Changing a sensor’s status should not affect the remainder of the system. In the Maintenance or Disconnected state, alarms and events
should be inhibited, as should all changes to sensor/device parameters (threshold, hysteresis, priority and delay).
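The state rules above can be enforced in code rather than by procedure. The following is an added example, not part of the original white paper or any vendor product; the class, the tag names, the sample values and the recording of a user name with each state change are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

STATES = ("Operation", "Maintenance", "Disconnected")
PARAMS = ("threshold", "hysteresis", "priority", "delay")

@dataclass
class Sensor:
    tag: str
    state: str = "Operation"
    params: dict = field(default_factory=lambda: dict.fromkeys(PARAMS, 0))
    audit: list = field(default_factory=list)  # one record per state change

    def set_state(self, new_state, user, comment):
        """Change state; refuse unless a non-empty explanation is supplied."""
        if new_state not in STATES:
            raise ValueError(f"unknown state: {new_state}")
        if not comment.strip():
            raise ValueError("state change requires a user comment")
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "tag": self.tag, "user": user,  # recording the user is an assumption
            "from": self.state, "to": new_state, "comment": comment.strip(),
        })
        self.state = new_state

    def set_param(self, name, value):
        """Parameter changes are inhibited outside the Operation state."""
        if name not in PARAMS:
            raise KeyError(name)
        if self.state != "Operation":
            raise PermissionError(f"{self.tag} is in {self.state} state")
        self.params[name] = value

    def high_alarm(self, value):
        """Alarms are inhibited in Maintenance and Disconnected states."""
        return self.state == "Operation" and value > self.params["threshold"]

def demo():
    # Constructed tags and values. Two sensors show that taking one out of
    # service leaves the other alarming normally.
    a, b = Sensor("RH-101"), Sensor("RH-102")
    for s in (a, b):
        s.set_param("threshold", 60)
    a.set_state("Maintenance", "jdoe", "probe swap")
    return a.high_alarm(75), b.high_alarm(75), a.audit[-1]["to"]
```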
A brief description of the purpose of each alarm should be provided. More information on defining alarm strategies is available.[2]
Alarm logic shall include software delay timers and hysteresis functions to ensure alarms are only triggered when true out-of-spec
conditions have occurred (e.g., rapidly changing parameters, such as room pressure, have the potential to create frequent nuisance
alarms, such as when a door is opening). Filtering is another way to avoid nuisance alarms. A rolling time-weighted
average of the signal reading, taken over 4 to 10 seconds, is typically sufficient to smooth out signal noise without missing significant failure
events. More information on parameter alarming is available.[3]
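How the three mechanisms combine is easiest to see on a door-opening transient next to a sustained pressure loss. This is an added example, not code from the white paper; the limits, delay, window and pressure traces are constructed, and sampling is assumed to be at a fixed 1 s interval, so the time-weighted average reduces to a plain mean of the samples in the window.

```python
from collections import deque

class LowAlarm:
    """Low-limit alarm: rolling-average filter, on-delay timer, hysteresis."""

    def __init__(self, threshold, hysteresis, delay_s, window_s):
        self.threshold, self.hysteresis = threshold, hysteresis
        self.delay_s, self.window_s = delay_s, window_s
        self.samples = deque()     # (timestamp, value) pairs inside the window
        self.breach_since = None   # time the filtered value first went out of spec
        self.in_alarm = False

    def _filtered(self, now):
        # Keep only samples newer than now - window_s, then average them.
        while self.samples[0][0] <= now - self.window_s:
            self.samples.popleft()
        return sum(v for _, v in self.samples) / len(self.samples)

    def update(self, now, value):
        self.samples.append((now, value))
        avg = self._filtered(now)
        if self.in_alarm:
            # Hysteresis: clear only once the value is back above the band.
            if avg >= self.threshold + self.hysteresis:
                self.in_alarm, self.breach_since = False, None
        elif avg < self.threshold:
            # Delay timer: the breach must persist before the alarm is raised.
            if self.breach_since is None:
                self.breach_since = now
            self.in_alarm = now - self.breach_since >= self.delay_s
        else:
            self.breach_since = None
        return self.in_alarm

def transitions(trace, alarm):
    """Return [(timestamp, new_state)] for every alarm state change."""
    changes, prev = [], False
    for t, v in trace:
        state = alarm.update(t, v)
        if state != prev:
            changes.append((t, state))
            prev = state
    return changes

# Constructed 1 Hz room differential-pressure traces in Pa (not measured data).
DOOR = [(t, 2 if t in (5, 6) else 15) for t in range(20)]    # door open for 2 s
FAULT = [(t, 15 if t < 5 else 4 if t < 25 else 10.5 if t < 30 else 15)
         for t in range(40)]                                   # sustained loss

def new_alarm():
    return LowAlarm(threshold=10, hysteresis=1, delay_s=5, window_s=4)
```

On the door trace a raw comparison against the limit would trip at t = 5 and t = 6, while the filtered and delayed alarm never fires. On the fault trace the alarm stays latched while the reading sits at 10.5 Pa, inside the hysteresis band, and clears only after the average rises above 11 Pa.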
Acknowledgement (acceptance) of alarms and events must be performed on the central EMS (BMS) system.
Each alarm must be capable of being accepted by a suitable person logged onto the system. The acceptor’s identity, the date and
the time must be recorded.
The system shall provide a method to group and filter alarms by plant or process area. Alarm activity (generation and
acknowledgement) shall be time-stamped and a log created. The alarm log shall contain (as a minimum) the following fields:
• “In Alarm” or “Out of Alarm” date and time
• Equipment ID
• Tag name
• Event type (e.g., “In Alarm” or “Out of Alarm”)
• Alarm “purpose” description
• Engineering value for the device in alarm
Beacon and audible signals should be provided. For example, the system must initiate an amber beacon when either the Alert
Lo or Alert Hi alarm point is passed and a red beacon and audible alarm when the Critical Lo or Critical Hi alarm point is passed.
Audible alarms are silenced when acknowledged. The amber or red beacons will only be extinguished when acknowledged and
the process value has returned to the design target range (a green beacon will then be turned on). Flashing could be used if all the
sensors in one room or area are in Maintenance or Disconnected state.
Alarm management should be defined according to the standard ISA 18.2 - 2009, “Management of Alarm Systems for the Process
Industries.”
The system must provide comprehensive system reports with full operator search (query) capability. These will include alarms,
events, audit trails and operational data. The operational interface must be graphical with drop-down selection menus.
Any system report must be generated in real-time. Web server report capability is preferred.
The system must provide Windows® Active Directory Integration and provide user synchronization between local application
security groups and domain security groups. The system must allow User Security Groups to be defined (e.g., View Only, Operator,
Supervisor, Maintenance and Administrator). For example, when logged on as an Operator, access must be limited to the following
functions:
• View area environmental conditions
• Acknowledge alarms and add comments
• Add notes
• View historical data and print charts
• View and print alarm logs
As another example, when logged on as an Administrator, the following functions must be available, depending on individual user
access configuration:
• Full configuration
• Full security (add/remove user, reset logins/access)
• Authorize user actions
The system shall generate an electronic “heartbeat” indicating that the monitoring unit is on and executing its tasks.
On loss of communications to the central computer systems, distributed monitoring units must continue to guarantee
environmental monitoring under full control of the process, even though alarms will not be displayed (unless there is a local
interface in place). Setpoints should generally remain at “last state” unless specifically changed via the local operator interface.
The system must be capable of reprocessing and trending previously acquired data.
2.12 – Redundancy
The system must be interfaced to a Local Area Network (LAN) using Ethernet Transmission Control Protocol / Internet Protocol
(TCP/IP), utilizing redundant central processing units (CPUs) and redundant Ethernet ports. Changeover must be automatic in
the event of a CPU or communications failure. The system must support the use of redundant servers and incorporate automatic
changeover in the event of a device failure. The I/O hardware must be powered from redundant power supplies.
2.14 – Calibration
Three-point calibration may be required, but single-point calibration may be justifiable.
The calibration adjustment setting used to ensure sensor and device accuracy will be Indirect or No Impact from a GMP
perspective (i.e., records do not have to be 21 CFR Part 11 compliant). “GMP decisions are not made on calibration adjustment
parameters. Change control or standard operating procedures (SOPs) should be used. Calibration adjustment parameters should
be secure from unauthorized or inadvertent change.”[4]
4. Maintenance
Maintenance and operational control requirements are no different than with other computerized systems, but there are two special
aspects to consider:[8]
• Disaster recovery and business continuity
• Risk assessment for acceptable downtime and recovery rates
III. References
1. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” Appendix 2, pg 188, October 2009.
2. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Defining BMS Alarm Strategies, Vol. 25, No. 5, September/October 2005.
3. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” pg 33, October 2009.
4. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Table E, Vol. 25, No. 5, September/October 2005.
5. U.S. FDA Guidance for Industry, “Sterile Drug Products Produced by Aseptic Processing–Current Good Manufacturing Practice,”
Chapter IV-A, Critical Area–Class 100 (ISO 5), September 2004.
6. “EU Guidelines to Good Manufacturing Practice Medicinal Products for Human and Veterinary Use,” Annex 1–Manufacture of Sterile
Medicinal Products, Reference 8, 1 March 2009.
7. ISPE Good Practice Guide, “Heating, Ventilation, and Air Conditioning (HVAC),” pg 192, October 2009.
8. ISPE Pharmaceutical Engineering, “Positioning Paper: Use of Building Management Systems and Environmental Monitoring Systems
in Regulated Environments,” Maintenance and Operational Controls, Vol. 25, No. 5, September/October 2005.
Invensys Operations Management • 5601 Granite Parkway III, #1000, Plano, TX 75024 • Tel: (469) 365-6400 • Fax: (469) 365-6401 • iom.invensys.com
Invensys, the Invensys logo, ArchestrA, Avantis, Eurotherm, Foxboro, IMServ, InFusion, SimSci-Esscor, Skelta, Triconex, and Wonderware are trademarks of Invensys plc, its subsidiaries or affiliates.
All other brands and product names may be the trademarks or service marks of their representative owners.
© 2011 Invensys Systems, Inc. All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including
photocopying, recording, broadcasting, or by any information storage and retrieval system, without permission in writing from Invensys Systems, Inc.
Rel. 09/11 PN IN-0192