The starting point is the GAMP4 Guideline with its basic principles and methods for computer validation. The Good Practice Guide takes up these principles and demonstrates how they can be applied to the various types of systems in process control technology. For this purpose, modifications, extensions, but also reductions of the GAMP4 models are given.

The structure of this Guide is orientated towards that of GAMP4 and consists of a main part and three sections with appendices. The main part includes general information and basic concepts, like a life cycle that can be adapted to the system type and the system complexity. The first appendix block compiles some specific topics (manufacturing parameters and data specifications for process control applications, software and hardware categories for process control systems, postal audits). Appendix block 2 introduces a number of recommendations of the German GMA/NAMUR group for the execution of projects that are subject to validation, for standard procedures regarding operation and maintenance as well as for validation support by control system functions and suppliers. Appendix block 3 contains instructions by the US JETT group for writing user requirement specifications for embedded systems (skid mounted systems).

Process control systems are used for the automation of manufacturing processes (data collection, data supply, monitoring and controlling of the manufacturing process, linking superimposed systems for manufacturing control [MES] and general data processing [ERP]). Process control systems encompass a wide range of systems: from small controls, e.g. built into manufacturing devices or equipment, to large, distributed control systems, like those for the operation of plants for manufacturing bulk materials or APIs. Correspondingly, the Guide defines the two main categories "embedded systems" (including built-in systems) and "standalone systems" (with their own housing).

Embedded and Standalone Systems

Examples for embedded systems are microprocessors, SPSs or PCs that are used exclusively for controlling and monitoring manufacturing equipment. Usually, they are delivered as built-in parts of a unit or a machine. For engineering, several disciplines are required; the life cycle documentation is largely created by the supplier.
Standalone systems are those systems that have their own housing, which is usually delivered separately for the connection to field instrumentation and equipment. Often they are also connected to superimposed systems (e.g. Supervisory Control and Data Acquisition (SCADA), Manufacturing Executing Systems (MES) or Enterprise Resource Planning (ERP)). So, individual project engineering and co-ordination are necessary.

GAMP Principles

The GAMP principles (e.g. life cycle, planning, including risk and impact assessment, user-supplier relationship, specifications, traceability, draft review, formal tests and verification, documented proof) can be transferred to these systems, however, some additional aspects have to be taken into account. During the planning phase, not only the software and the computer hardware have to be taken account of, but also the complete field instrumentation, the electrical devices and partly the mechanics of the plant.

The user requirement specification (URS) for a large application, as e.g. a DCS or SCADA, can be a separate document, for a small built-in application, it can be part of the device specification. In case of standalone systems, the functional design specification (FDS) is typically a separate document that lists functions, features, and design requirements for the DCS hardware and software. Like the URS, the FDS for an embedded system can be part of a superordinate device specification and refer to devices, electric and mechanical elements. In both cases, it is often written by the supplier on the basis of the URS and is mostly a contractual document.

As process control systems often contain pre-configured elements, the draft specifications indicate frequently how these elements and packages have to be configured. Such specifications are laid down not only for software (software modules) and computer hardware, but also for field instrumentation and devices. They are illustrated by means of process diagrams depicting the process routines as well as piping and instrumentation diagrams (P&ID), which show the function and location of the related control and monitoring loops.

Acceptance tests verify that the system works as it should and that the URS and FDS requirements on software, hardware, and instrumentation are fulfilled. The tests are based on approved formal test specifications and are as a rule carried out jointly by the supplier and the user (4-eyes principle). The results are formally documented and released and can be used as part of IQ and OQ. Especially in case of large systems, these very detailed tests are conducted in two steps. The Factory Acceptance Test (FAT) is carried out at the supplier's premises before delivery, for standalone systems without field connection, if necessary with appropriate field simulation. The FAT already includes extensive tests of the system installation and function. The Site Acceptance Test (SAT) is meant to prove that the delivered system is undamaged and identical with the system tested at the factory. Parts of the FAT may have to be repeated. In general, additional tests have to be carried out during the SAT when all field instruments, interfaces, and service connections have been established. These tests can be conducted when the system is commissioned for operation.

Appendices

The GMA/NAMUR appendices compile recommendations for validating process control systems. They comprise instructions for the execution of projects concerning new and revamped plants subject to validation (NE58), SOPs for operating and maintaining validated process control systems (NE71) as well as advice on validation support by use of control systems as support for planning and operation (NE72). 

A specific software model for process control systems is introduced. Software for control systems is characterised by the fact that, when the control system is adapted to an individual application, programming is reduced to a minimum; instead, standard functions are used that can be modified individually by means of parameter sets. Such functions are called pre-configured software modules or pre-configured functions; they are not application-specific. The pre-configured functions are, for their part, based on - also non-specific - control system operating systems, which may themselves be based on commonly used standard operating systems. The contribution introduces the corresponding layer model. It shows schematically the mentioned software classes, their logic structure and the person responsible for qualification.

For the purpose of project execution, the individual activities for planning and qualification/validation, the input documents necessary for this and the output documents to be created are represented in the form of a table, based on the life cycle model. A checklist serves for project management and indicates which activities have to be done when and by whom as well as the activities' degree of completion.

The generic standard operating procedures (NE71) concern process control facilities (to be equated with the electrical, measuring and control engineering facilities) of processing plants. They include 8 SOPs for operation, maintenance and change of process control systems and supplement the GAMP4 SOPs. The topics are structure and maintenance of the process control system documentation, preventive maintenance and change management, access control for process control systems, modem operation, re-verification, procedures in case of system failures and system faults, release changes, upgrade of hardware, update of firmware as well as training.

Control systems can effectively support the qualification of the whole plant or the validation of the manufacturing process, the operation and the maintenance of the validated state by means of appropriate functions. From the qualification requirements it results that - apart from their reputation - suppliers of control systems can offer corresponding services for the assistance in qualification. These functions and services are summarised in the recommendation "Validation Support by Use of Control Systems" (NE72). They are classified in the recommendation according to their significance for validation.

The appendices by the JETT group (JETT: Joint Equipment Transition Team) deal with embedded systems. Originally, the group was founded by Lilly, P&U and Rockwell in 1996 in order to improve the documentation provided by equipment suppliers. To reach this aim, the group intended to develop methods for creating URSs and FDSs, project planning, draft specifications as well as acceptance tests (hardware, software, system) at the supplier's factory and on site. The appendices contain instructions for the creation process of URSs, for integrated (embedded) control systems (built-in systems) as well as an example for the up-to-now created URS templates (18 of 30) for pure steam generators, fluid-bed driers, filling machines, blenders, freeze dryers, tablet coaters, multiple-effect stills, labelers, glassware washers, bioreactors, HVAC systems. Additional documents are planned for 12 further device categories. 

It remains to say that the GAMP principles can be applied efficiently both to embedded and to standalone control systems. Good Engineering Practice and the usual initial operation activities can support the call for formal qualification.

Specifically on the 'Validation of Process Control Systems,' we are organising a GMP Education Course of the same title in Berlin, Germany, on 31 March and 1 April 2004. Please click here to view the programme.

Author:
Prof. Dr.-Ing. Hartmut Hensel, Hochschule Harz, Wernigerode, Germany 
The above text is a summary of his lecture given on the occasion of the CONCEPT HEIDELBERG seminar "GAMP 4" held on 17-18 November 2003.