
MD 37 REV. 4, 29/09/2008

FUNCTIONAL HW & SW DESIGN SPECIFICATION
for
PSG 750 DTS

JOB No.: 10/C083
CUSTOMER: LABORATORIOS INIBSA
DOCUMENT No.: 2983-FDSP-Z2

PRODUCED BY THE ENGINEERING DEPARTMENT, STILMAS S.P.A.

REVISION HISTORY

Revision   Date         For         Issued by
0          26/04/2011   1st issue   M. Cusinato

Page 1 of 41
STILMAS FUNCTIONAL HW AND SW DESIGN SPECIFICATION

TABLE OF CONTENTS

1. INTRODUCTION, SCOPE, OBJECTIVE................................................. 5


2. OVERVIEW ............................................................................................. 6
2.1. ASSUMPTIONS ..................................................................................... 6
2.2. GENERAL ............................................................................................ 6
2.2.1. Performance and Utilities Requirements ...................................................7
2.2.2. Operation ......................................................................................................8
2.2.2.1. Initial Startup ...........................................................................................8
2.2.2.2. Shutdown ................................................................................................8
2.2.2.3. Alarm Signal............................................................................................8
2.2.2.3.1. Critical Alarms.....................................................................................8
2.2.2.3.2. Non-Critical Alarms .............................................................................8
2.2.3. Risk Assessment..........................................................................................9
2.2.4. Power Failure................................................................................................9
2.3. COMPONENTS, VALVES, INSTRUMENTS .................................................. 9
2.4. ELECTRICAL HARDWARE DESIGN SPECIFICATION .................................... 9
2.4.1. Wiring ............................................................................................................9
2.5. PLC PROGRAM AND OPERATOR INTERFACE CONFIGURATION ................ 10
2.6. GAMP & 21 CFR PART 11 STILMAS APPROACH .................................. 11
2.6.1. Hardware/Software (GAMP) Categorization.............................................11
2.6.2. 21 CFR Part 11 Applicability......................................................................11
2.6.3. HW & SW Configuration ............................................................................12
2.6.4. Control System Lay Out.............................................................................12
3. FUNCTIONS AND SOFTWARE DESIGN SPECIFICATION ................. 13
3.1. FUNCTIONAL SPECIFICATION (A) .......................................................... 13
3.2. STRUCTURED MODULAR PROGRAMMING LANGUAGE AND TECHNIQUE (B) 14
3.3. LOGICAL AND PHYSICAL STRUCTURE OF THE PROGRAM (C) ................... 15
3.3.1. Module 1 Digital Input Processing............................................................15
3.3.2. Module 2 Analogue Input Processing ......................................................16
3.3.3. Module 3 Operator Selection Processing ................................................18
3.3.4. Module 4 Operator Set Points Processing...............................................19
3.3.5. Module 5 Alarms Management..................................................................19

Doc. 2983-FDSP-Z2 Rev. 0, 26/04/2011

Page 2 of 41
STILMAS FUNCTIONAL HW AND SW DESIGN SPECIFICATION

3.3.6. Module 6 Running Phases Management..................................................20


3.3.7. Module 7 Digital Output Activation ...........................................................22
3.3.8. Module 8 Regulation Management ...........................................................23
3.3.9. OIT Program Structure...............................................................................23
3.4. FILE NAMING (D), LABEL ALLOCATION (E) AND MODULE NAMING (F). ..... 24
3.4.1. Revision Numbering & Change Control ...................................................24
3.5. ANNOTATION (G)................................................................................ 25
3.6. NON STD SW REQUIREMENT (H) ......................................................... 25
4. DATA .................................................................................................... 27
5. INTERFACES........................................................................................ 27
5.1. OPERATOR INTERFACE TERMINAL........................................................ 27
5.1.1. Alarm Window ............................................................................................28
5.1.2. System Parameters Screen .......................................................................28
5.1.2.1. Parameters Screen ...............................................................................28
5.1.2.2. PID Loop Screen...................................................................................28
5.1.3. Password ....................................................................................................29
5.1.4. Alarm History Screen .................................................................................31
5.1.5. OIT SW Program Structure and OIT SW Design Specification ..............31
5.2. INTERFACE WITH EXTERNAL INPUTS AND OUTPUTS ................................ 33
5.2.1. Digital Input.................................................................................................33
5.2.2. Analog Input ...............................................................................................33
5.2.3. Digital Output..............................................................................................34
5.2.4. Analog Output ............................................................................................34
5.3. INTERFACE OF DATA TRANSMISSION .................................................... 34
5.3.1. Input /Output Data Transmission..............................................................34
6. NON-FUNCTIONAL ATTRIBUTES ....................................................... 35
6.1. AVAILABILITY OF THE SYSTEM ............................................................. 35
6.1.1. Power Failure Recovery.............................................................................35
6.1.1.1. System State After a Power Failure ......................................................35
6.1.1.2. Restart After a Power Failure................................................................35
6.1.1.3. Application SW Retention During a Power Failure................................35
6.1.1.4. Data Retention During a Power Failure.................................................35
6.1.2. Redundancy of the Control System Program ..........................................36


6.1.3. Control System – Self Error Checking .....................................................36


6.1.3.1. PLC/OIT System ...................................................................................36
6.1.3.2. Analog Input/Output ..............................................................................36
6.1.4. Standby Operation .....................................................................................36
6.2. MAINTAINABILITY ............................................................................... 37
7. GLOSSARY .......................................................................................... 38
8. APPENDIXES ....................................................................................... 40
9. APPROVALS ........................................................................................ 41


1. INTRODUCTION, SCOPE, OBJECTIVE


This document has been produced and issued by the Engineering Department of STILMAS S.p.A. (hereafter identified as the "Supplier") in accordance with GAMP5 and the GAMP Good Practice Guide "Validation of Process Control Systems" (2003).
The scope of this document is to describe the function of the Equipment and the design of the HW and SW necessary to automate it.
This document defines the functional objectives and design solutions for the PSG 750 DTS (hereafter referred to as the "Equipment") for:
1. mechanical components;
2. electrical hardware;
3. embedded software.
This document also refers to the following documents, already issued:
• Installation Drawing, Utilities & Boundaries Specification (TIE-IN): 2983-M3-Z2
• Piping & Instrumentation Diagram (P&ID): 2983 sheet 2
• Mechanical components list & specification (Components, Instrumentation and Valves): 2983-STC-Z2, 2983-STI-Z2, 2983-STV-Z2
• Electric wiring diagram: 2983-CB-Z2
• Hardware specification (Electric Material List): 2983-SE-CBZ2, 2983-CS-CBZ2
• Current GAMP
• cGMP Risk Analysis: GMP_RA (standard Stilmas document)


2. OVERVIEW

2.1. ASSUMPTIONS
This document assumes that the Supplier will carry out the design phase in compliance with the current GMP regulatory requirements applicable to fluids for pharmaceutical use.
It further assumes that the operators, supervisors and other personnel involved have good vision (20/30 acuity, corrected, or better) and good hearing.

2.2. GENERAL
Functional Objective. The Equipment shall produce up to 1088 kg/h of Pure Steam (PS), the quality of which shall meet current USP requirements.

Design Resolution.

PURE STEAM GENERATOR – P&ID NO. 2983-Z2

The Pure Steam production process consists of Purified Water evaporation followed by pure steam separation and condensation, according to the following process steps:
1. The feed water is pumped by centrifugal pump P09-1 into the evaporator column (ER20) from the bottom, filling the evaporator column itself and the tubes of the exchanger (E20), which is piped in parallel with the evaporator column.
2. Plant steam in the exchanger (E20) shell flashes the feed water to vapour. The vapour (the clean steam) enters the upper half of the evaporator column through a tangential port. The height of the evaporator column and the low velocity of the clean steam inside it separate pyrogens, other contaminants and entrained water droplets from the clean steam, yielding pyrogen-free, WFI-quality pure steam.
3. The contaminants removed return to the feed water in the lower half of the evaporator column. A small quantity of feed water is removed through intermittent blow-down, ensuring that the concentration of contaminants does not become excessive.
4. When the pressure in the evaporator reaches the set point (tolerance ±0.1 barg), the modulating valve PCV20-14 (industrial steam regulation valve) starts closing, according to the signal from pressure regulator PIC20-14.
5. A double-tube-sheet heat exchanger (E20-2) condenses a sample of clean steam taken at the outlet. A conductivity cell (not temperature compensated), installed on the outlet of the condensed clean steam, continuously monitors its quality.
6. The PSG production outlet feeds a header which distributes the pure steam to the user points.


2.2.1. Performance and Utilities Requirements

Functional Objective. To describe the performance of the Equipment and to list the characteristics and consumption of the utilities necessary to run it.
Design Resolution. Performance and utilities are listed below. They are also listed and specified in the relevant P&ID and TIE-IN drawings, where all details of connections, flows, pressures and temperatures are given.

PSG product
  Product                         Parameter               Value       Unit
  Pure Steam                      Flow Rate               1088        kg/h
                                  Pressure                3           barg
                                  Temperature             143         °C
  Condensed Pure Steam (WFI)      Temperature             85÷97       °C
                                  Conductivity            per USP     µS/cm

Utilities
  Utility                         Parameter               Value       Unit
  Feed Water                      Pressure                1÷2         barg
                                  Flow Rate               1198        l/h
                                  Temperature             20          °C
  Plant Steam to Exchanger E20    Pressure                8           barg
                                  Flow Rate               1300        kg/h
                                  Temperature             175         °C
  Cooling Water to E20-2          Pressure in / out       3 / 2       barg
                                  Flow Rate               25          l/h
                                  Temperature in / out    15 / 85     °C

General utilities
  Electric Supply                 Voltage                 400         VAC
                                  Frequency               50          Hz
                                  Power                   1/2         kW / A
  Compressed Air                  Flow Rate               10          Nl/h
                                  Pressure                max 6       barg


2.2.2. Operation
Functional Objective. To operate the Equipment in alternating mode to satisfy all load conditions arising from the storage tank's demand.
Design Resolution. The Equipment is controlled by a PLC/OIT. The software shall provide all the operations needed to control the Equipment in a safe and reliable manner using its physical inputs and outputs. The software design shall ensure that operation continues, with minimal operator input, between start-up and shutdown of the unit, as long as the process remains within the set parameters. The software functions shall ensure the safe shutdown of the system when the critical process parameters are outside the limits fixed for good operation.

2.2.2.1. Initial Startup

Functional Objective. To start Equipment operation when the operator presses the running-mode key.
Design Resolution. The control system outputs that activate the devices belonging to the current phase (see Appendix C) shall be activated. The plant proceeds automatically, step by step, to the production phase according to the flow chart (see Appendix A).

2.2.2.2. Shutdown
Functional Objective. To terminate Equipment operation when the specific conditions described in the flow chart (see Appendix A) occur.
Design Resolution. All control system outputs that were activated shall be de-activated according to the flow chart (see Appendices A and C).

2.2.2.3. Alarm Signal

2.2.2.3.1. Critical Alarms
Functional Objective. To manage the event of a critical alarm by stopping the Equipment and putting it in a safe condition.
Design Resolution. When a critical alarm occurs (the critical alarms are listed in Appendix D), the outputs linked to the buzzer and to the summary alarm relay shall be activated. The related alarm message shall be displayed on the OIT and an acoustic signal given to the operator. All outputs to control devices that were activated shall be de-activated, except those necessary to perform the Stop Action that terminates Equipment operation in safe conditions. Once the Stop Action has been carried out, all operations shall be terminated. All alarms are generated and latched at PLC level; the HMI is only a viewer.

2.2.2.3.2. Non-Critical Alarms

Functional Objective. To manage the event of a non-critical alarm without taking the Equipment out of operation.
Design Resolution. When a non-critical alarm occurs (the non-critical alarms are listed in Appendix D), the outputs linked to the buzzer and to the summary alarm relay shall be activated. The related alarm message shall be displayed on the OIT and an acoustic signal given to the operator. A non-critical alarm does not require Equipment operation to be terminated.
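The critical/non-critical behaviour above, as an added example written for this page in Python; it is not the STILMAS Application SW, which runs as STEP 7 code on the PLC. Alarm tags, message texts, output tags and the set of outputs kept energised during the Stop Action are constructed assumptions, not the Appendix D lists. The point it shows is the division of authority the section describes: the latch, the buzzer and the summary relay are driven by the PLC-side module, while the OIT can only acknowledge or request a reset, and a reset is refused while the field condition persists.

```python
"""Alarm handling as specified in 2.2.2.3: alarms are generated and latched on the PLC
side, a critical alarm triggers the Stop Action, the OIT is only a viewer.
Added illustration, not the STEP 7 Application SW; the alarm definitions, output tags
and Stop Action output set are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmDef:
    tag: str
    text: str        # message shown in the OIT alarm window
    critical: bool   # True: Stop Action; False: signal only


@dataclass
class AlarmState:
    active: bool = False        # condition currently true in the field
    latched: bool = False       # raised and not yet reset
    acknowledged: bool = False  # operator has seen it (buzzer silenced)


class AlarmManager:
    """PLC-side alarm module. The OIT may only acknowledge and request a reset;
    the reset is honoured only when the condition has cleared."""

    def __init__(self, defs, outputs, stop_action_outputs):
        self.defs = {d.tag: d for d in defs}
        self.states = {d.tag: AlarmState() for d in defs}
        self.outputs = outputs                                # DO tag -> energised
        self.stop_action_outputs = set(stop_action_outputs)   # kept on during Stop Action
        self.buzzer = False
        self.alarm_relay = False                              # summary alarm relay
        self.running = True

    def scan(self, conditions):
        """One PLC cycle. conditions: alarm tag -> bool, coming from Modules 1 and 2."""
        for tag, cond in conditions.items():
            st = self.states[tag]
            st.active = cond
            if cond and not st.latched:                       # rising edge: raise and latch
                st.latched, st.acknowledged = True, False
                self.buzzer = True
                if self.defs[tag].critical and self.running:
                    self._stop_action()
        self.alarm_relay = any(s.latched for s in self.states.values())

    def _stop_action(self):
        """De-energise every output except those needed to bring the Equipment to a safe stop."""
        for tag in self.outputs:
            if tag not in self.stop_action_outputs:
                self.outputs[tag] = False
        self.running = False

    def acknowledge(self, tag):
        """OIT action: silences the buzzer once every latched alarm is acknowledged."""
        if self.states[tag].latched:
            self.states[tag].acknowledged = True
        if all(s.acknowledged for s in self.states.values() if s.latched):
            self.buzzer = False

    def reset(self, tag):
        """OIT action: True only if the alarm was acknowledged and its condition is gone."""
        st = self.states[tag]
        if st.latched and st.acknowledged and not st.active:
            st.latched = False
            self.alarm_relay = any(s.latched for s in self.states.values())
            return True
        return False

    def messages(self):
        """What the OIT alarm window displays: the latched alarm texts."""
        return [self.defs[t].text for t, s in self.states.items() if s.latched]


def make_demo_manager():
    """Constructed example: one critical and one non-critical alarm, three outputs."""
    defs = [AlarmDef("PSHH20", "Evaporator pressure very high", critical=True),
            AlarmDef("QAH20", "Pure steam conductivity high", critical=False)]
    outputs = {"P09_1_RUN": True, "PCV20_14_EN": True, "XV_BLOWDOWN": True}
    return AlarmManager(defs, outputs, stop_action_outputs={"XV_BLOWDOWN"})


if __name__ == "__main__":
    m = make_demo_manager()
    m.scan({"PSHH20": True, "QAH20": False})
    print(m.messages(), m.outputs, "running" if m.running else "stopped")
```

Because `latched` is only cleared by `reset`, a condition that comes and goes between two OIT refreshes is still visible to the operator, and nothing the OIT sends can energise an output again after the Stop Action; that needs the operator restart described in 2.2.2.1.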


2.2.3. Risk Assessment

Functional Objective. To run the Equipment in a safe and reliable manner.
Design Resolution. A risk assessment covering PED and GxP has been conducted. Refer to document GMP RA.

2.2.4. Power Failure

Functional Objective. To manage the Equipment safely in the event of a black-out on the electrical power line.
Design Resolution. In case of a black-out all components shall fail to their "safe" positions to avoid damage to the Equipment. Component specifications must be such that the "fail-safe" position is reached when the component is de-energised (i.e. with the PLC digital outputs at the "0" state).
Upon restoration of electrical power the Equipment shall not restart on its own but wait for the operator. When the operator restarts it, the PLC selects the phase from which operation resumes, depending on the process conditions (temperature, external consent, etc.) at the time power was restored. No recovery action other than this operator restart is required after an electrical power failure.

2.3. COMPONENTS, VALVES, INSTRUMENTS

The Equipment is controlled through components, valves and instruments. Lists of these parts have been produced and, in accordance with cGMP, they also specify the design criteria and the manufacturer/model selected for each item. The list consists of the Components list, the Field Instruments list and the Valves list indicated in section 1 of this document.

2.4. ELECTRICAL HARDWARE DESIGN SPECIFICATION

Functional Objective. To describe the electrical hardware necessary for the control board in terms of function and design, in compliance with GAMP5. For the content of a HW specification in the case of "embedded systems", GAMP5 requires a document which also specifies the manufacturer and model selected.
Design Resolution. Conformity to GAMP5 is achieved with the following documents (already issued):
• reference to the relevant standards indicated in document Q&PP MD08 § 3.1;
• layout diagram of the control panel, also specifying the environmental conditions (temperature, humidity, radio-frequency interference, electromagnetic interference, physical protection (IP rating), etc.), see the Electric wiring diagram indicated in section 1 of this document;
• Electric wiring diagram, as indicated in section 1 of this document;
• detailed Electric Material List, as indicated in section 1 of this document.
The above package of documents completes the HW Specification.

2.4.1. Wiring
Functional Objective. To wire with appropriate cables in a neat and professional manner, according to established and distributed electrical schematics and applying national standards, to ensure safe and reliable operation of the Equipment.

Design Resolution. All wiring shall be bundled using cable ties and/or cable ways. Each conductor shall be identified at each termination point (i.e. at both ends). All wiring shall comply with the approved schematics, which must be issued before wiring begins. Wire cross-section shall comply with EN 60204.

2.5. PLC PROGRAM AND OPERATOR INTERFACE CONFIGURATION

Functional Objective. To provide, through the control system, safe, reliable, automatic and continuous operation of the Equipment with minimal operator intervention and with clear information to the operator.
Design Resolution. All normal interactions between the operator and the system shall take place through messages displayed on the electronic Operator Interface Terminal (OIT). All elements of the control system shall be fully compatible with each other, to ensure reliable communication and operation.
The Equipment control system shall consist of a Programmable Logic Controller (PLC) and an Operator Interface Terminal (OIT). The PLC and the OIT shall be provided by the same manufacturer, or by different manufacturers with a partnership agreement that ensures compatibility.
The OIT shall be configured as a read/display/write device only; it shall have no control functions of its own. The PLC shall include a data communication interface to the OIT, using the PLC manufacturer's standard communication format and protocols.
The Application SW shall give the PLC direct control over all inputs and outputs. The Application SW shall be developed by qualified personnel following written programming procedures (GAMP 5 and the STILMAS Software Development Guideline).
The Application SW shall be developed using the PLC/OIT manufacturer's programming tool (source code) and editor.
All functions performed by the PLC and OIT shall be tested during FAT prior to shipping the Equipment.


2.6. GAMP & 21 CFR PART 11 STILMAS APPROACH

2.6.1. Hardware/Software (GAMP) Categorization

Functional Objective. To define the GAMP 5 category in which the HW and SW components are classified (a description of all categories is given in internal procedure PR07.7 and in GAMP5).
Design Resolution. The HW is Category 1 because all HW components used are CE marked and available on the international market; no custom components made only for the Supplier are used.
The Operating System SW (source code) is Category 1.
The Application SW is Category 4.
The Application SW of the Equipment is in fact the "STANDARD" software, already fully tested on several units, to which only some modifications are made to adapt it to the scope of supply. These modifications are evaluated beforehand by the Project Leader and the Automation Department.
All parts of the standard Application SW that have been modified to fulfil the scope of supply are documented and tested during FAT and SAT (see SW Life Cycle MD 50).
The PLC/OIT Application SW of STILMAS Equipment does not contain "dead code". Dead code is defined by GAMP5 Appendix D4 (Management, Development and Review of Software, paragraph 3.1.6 Removal of Dead Code) as "a code that cannot be executed due to the logic of the program, and should be removed. It is usually a symptom of poor maintenance, and may have been left over by accident from development or code changes. Code that has been included for purposes of testing or for later diagnosis during support work, and which can be configured on or off, is not regarded as dead code. Any such code should be clearly documented. If the code is configurable or general purpose code that may be used in many different projects each with different configuration of options, the unused options should not be removed."
STILMAS Application SW is developed accordingly.

2.6.2. 21 CFR Part 11 Applicability

Functional Objective. To define the STILMAS approach to the Code of Federal Regulations, 21 CFR Part 11, for each Equipment.
Design Resolution. The Stilmas position is that, because no data required by the predicate rules are electronically recorded in the PLC/OIT (see Section 4), 21 CFR Part 11 is not applicable.


2.6.3. HW & SW Configuration

PLC HW configuration
  Type: S7 300
  Manufacturer: Siemens
PLC source code SW
  Operating System: STEP 7
  Developed by: Siemens
  Version: 5.4 SP5

OIT HW configuration
  Type: TP 177B
  Manufacturer: Siemens
OIT source code SW
  Operating System: WinCC flexible
  Developed by: Siemens
  Version: 2008 SP2

2.6.4. Control System Lay Out

The HW layout is the following:

[Diagram] PLC CPU: S7 300, CPU 313C (64 KB)  <-- MPI -->  OIT: TP 177B


3. FUNCTIONS AND SOFTWARE DESIGN SPECIFICATION

Functional Objective. To achieve conformity with the GAMP5 Good Practice Guide "Validation of Process Control Systems" (paragraph 9.5.5) with reference to "embedded systems" (such as a PLC/OIT), for which the following is required:
QUOTE
The Software Design Specification (SDS) should unambiguously define how the SW implements the requirements of the Functional Specification (a).
A structured modular programming language and technique should be used (b).
The SDS should define the logical and physical structure of the program (c), the standards to be used for file naming (d), label allocation (e) and module naming (f).
For ease of understanding and testing the program code could be suitably annotated (g).
Any non-standard SW requirement should be identified (h).
For systems it may be possible to incorporate the SW design into the Functional Specification (i).
The SDS forms the basis for the Software Test Procedure (l).
UNQUOTE

Design Resolution. The present document makes the Equipment comply with requirement "i". The FAT and SAT protocols make the Equipment comply with requirement "l". The following sections make the Equipment comply with requirements "a" to "h".

3.1. FUNCTIONAL SPECIFICATION (a)

Detailed information on the Equipment functions is given in the following documents:
• P&ID (Process & Instrumentation Diagram). It details the components, valves and instruments necessary to realise the process.
• FUNCTIONAL KEYS, APPENDIX B. It describes the pushbuttons the operator uses to start, stop and control the Equipment.
• OIT STRUCTURE FLOW CHART, APPENDIX E. It describes how the OIT SW must be designed to enable the operator to:
  o monitor Equipment operation;
  o read, acknowledge and reset alarms;
  o view and set the Equipment parameters;
  o enter a password to log in and change settings.
• RUNNING PHASES FLOW CHART AND TRANSITIONS, APPENDIX A. Detailed description of all the steps necessary to enable:
  o the Equipment to start;
  o the Equipment to produce;
  o the Equipment to stop.
  The transitions are cross-referenced with the Digital Inputs (DI), Analog Inputs (AI), running keys, etc.
• DIGITAL INPUTS (DI) LIST, APPENDIX D. Cross-referenced with the P&ID, with detailed information on:
  o their use and settings to generate alarms, with the relevant alarm action and description.
• ANALOG INPUTS (AI) LIST, APPENDIX D. Cross-referenced with the P&ID, with detailed information on:
  o the ranges;
  o their use and settings to generate alarms, with the relevant alarm action and description.
• DIGITAL OUTPUTS (DO) LIST, APPENDIX C. Cross-referenced with the P&ID, with detailed information on:
  o status in each running phase;
  o interlocks.
• ANALOG OUTPUTS (AO) LIST, APPENDIX C. Cross-referenced with the P&ID, with detailed information on:
  o the ranges;
  o the regulation settings required during the different phases;
  o the status in each running phase.
The PLC/OIT SW programmers use all the above information as the reference for the Application SW. This is documented in the SW Life Cycle Report, where each of the above documents is traced with its own revision number (refer to document 2983-Q&PP-Z2).

3.2. STRUCTURED MODULAR PROGRAMMING LANGUAGE AND TECHNIQUE (b)

The SW programmers, in accordance with IEC 1131 (now IEC 61131; the programming languages are defined in part 3), use the following PLC/OIT languages and techniques:
o Ladder Diagram;
o Instruction List;
o Sequential Function Chart;
o Structured Text;
o OIT editors.


3.3. LOGICAL AND PHYSICAL STRUCTURE OF THE PROGRAM (c)

The Supplier has produced a program structure that is used for all OITs, irrespective of the manufacturer and of the Equipment to be automated. The intention of a single program structure, in accordance with IEC 1131 and GAMP5, is to make all SW applications produced by every SW programmer of the Automation Department homogeneous, so as to obtain software that is "readable by someone who did not write it".
The Program Structure is attached (see Appendix F) and all Equipment Application SW is developed in accordance with the "SOFTWARE DEVELOPMENT GUIDELINE" held by the Automation Department.
As shown in the Program Structure document, the main SW functions are:
• Digital Input from field processing;
• Analogue Input processing;
• Operator selections processing;
• Operator set points processing;
• Alarms management;
• Running phases management;
• Digital Output activation;
• Regulation management;
• Analogue Output activation.
For each function, defined as a Module, a dedicated memory area is reserved in the PLC.

3.3.1. Module 1 Digital Input Processing

Each Digital Input listed in the Input List & Action (see Appendix D) is loaded into a support memory which is used inside the program.
This allows the state and the address on the input card to be changed without modifying the Application SW where the input is used.
Before developing the PLC Application SW, a symbolic list is prepared specifying:
• tag name of the input, equal to the P&ID tag;
• corresponding address on the Digital Input card;
• address type (Bool, Integer);
• address description, equal to the Input list description;
• tag name and/or address of the PLC support memory;
• support memory type (Bool, Integer, Real, etc.).
Using the SW language selected (see section 3.2), each individual DI is loaded into a memory bit that is used in all other modules where necessary.


3.3.2. Module 2 Analogue Input Processing


Each single Analogue Input listed in the Input List & Action (see Appendix D) is loaded onto a
support memory which is utilized inside the program.
Before developing the PLC Application SW a symbolic list is prepared specifying :
• Tag name of the Input equal to the P&ID tag;
• Corresponding address of the Analogue Input card;
• Address type (Bool, Integer);
• Address description equal to the Input list description;
• Tag name and/or address of the PLC support memory
• Support memory type (Bool, Integer, Real, etc.).
When the above list is completed each single input must be engineered.
The formula to be used is :

Y = X * (Max Value – Min Value) + Min Value


Input range
Where:
Y = Engineering value to be utilized in the program.
X = Digital conversion in the PLC of the 4-20 mA signal read in the Input card.
Max Value = Maximum value of the engineered measure.
Min Value = Minimum value of the engineered measure.
Input Range = Range of the Digital conversion, which is different for each PLC HW:
Siemens : 0÷27.648
Allen Bradley : 0÷30.840
Telemecanique : 0÷10.000
Others.
The above formula also depends on the support memory type.
Type Integer : the value carries the decimal digits but has no decimal point.
Type Real : the position of the decimal point is determined automatically.
Therefore, when the Integer conversion is used, it is necessary to multiply the Max and Min values
by 1; 10; 100; 1000 to obtain 0; 1; 2; 3; 4 digits after the decimal point.
Otherwise, when the Real conversion is used, the Max and Min values remain unchanged and
equal to the range of the instrument.


Example:
Engineering, for a PLC, a temperature reading of 0÷200,0 °C corresponding to 4÷20 mA from a
field instrument.
As Stilmas uses the Real address type, to find the temperature corresponding to an Integer
reading of 21095 from the Input card, the integer value of the card (21095) is first converted into a
real value (21095,0) and then the following formula converts the value into the engineered physical
parameter (i.e. Temperature):

Y = 21095,0 x (200,0 – 0,0) / 27648,0 + 0,0 = 152,6 (for SIEMENS PLC)

Y = 21095,0 x (200,0 – 0,0) / 30840,0 + 0,0 = 152,6 (for ALLEN BRADLEY PLC)

Y = 7630,0 x (200,0 – 0,0) / 10000,0 + 0,0 = 152,6 (for TELEMECANIQUE PLC, example with 7630)
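The engineering formula above, as an added Python example (not STILMAS code): the full-scale counts are the ones quoted for each PLC family and the 0÷200,0 °C range is the example above; the plausibility check on the raw count and the inverse calculation (the count a card should deliver for a given temperature, handy when a simulated 4-20 mA signal is checked at FAT) go beyond the text and are assumptions, as are the tag names.

```python
"""Analogue input engineering (Module 2): Y = X * (Max - Min) / Input Range + Min.

Added example, not STILMAS code. Full-scale counts per PLC family are those
given in the specification; the 0-200.0 degC / 4-20 mA temperature is the
specification's worked example. Tag names are constructed.
"""
from dataclasses import dataclass

# Raw count of the A/D conversion at 20 mA for each PLC HW (from the spec).
INPUT_RANGE = {
    "siemens": 27648,
    "allen_bradley": 30840,
    "telemecanique": 10000,
}


@dataclass(frozen=True)
class AnalogueInput:
    tag: str           # P&ID tag (constructed, e.g. "TT-001")
    plc: str           # key into INPUT_RANGE
    min_value: float   # Min Value of the engineered measure
    max_value: float   # Max Value of the engineered measure
    decimals: int = 1  # digits after the decimal point kept in Integer mode

    @property
    def input_range(self) -> int:
        return INPUT_RANGE[self.plc]

    def in_range(self, raw: int) -> bool:
        """A count below 0 or above full scale cannot come from a healthy
        4-20 mA loop (open loop, short, wrong card configuration); such a value
        should raise a fault rather than be scaled silently (added check)."""
        return 0 <= raw <= self.input_range

    def to_real(self, raw: int) -> float:
        """Real support memory: X is first converted to a real value, then
        engineered. Max and Min stay equal to the instrument range."""
        if not self.in_range(raw):
            raise ValueError(f"{self.tag}: raw count {raw} outside 0..{self.input_range}")
        x = float(raw)
        return x * (self.max_value - self.min_value) / self.input_range + self.min_value

    def to_integer(self, raw: int) -> int:
        """Integer support memory: Max and Min are multiplied by 10**decimals so
        the result carries the decimal digits without a decimal point
        (152.6 degC with one decimal is stored as 1526)."""
        if not self.in_range(raw):
            raise ValueError(f"{self.tag}: raw count {raw} outside 0..{self.input_range}")
        scale = 10 ** self.decimals
        lo = self.min_value * scale
        hi = self.max_value * scale
        return round(raw * (hi - lo) / self.input_range + lo)

    def raw_for_value(self, value: float) -> int:
        """Inverse of to_real: the count the card should deliver for a given
        engineering value, e.g. when a simulated 4-20 mA signal is verified."""
        span = self.max_value - self.min_value
        return round((value - self.min_value) * self.input_range / span)


if __name__ == "__main__":
    tt = AnalogueInput("TT-001", "siemens", 0.0, 200.0)
    print(f"{tt.tag}: raw 21095 -> {tt.to_real(21095):.1f} degC, "
          f"integer form {tt.to_integer(21095)}")
```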


3.3.3. Module 3 Operator Selection Processing


Each single operator selection made on the OIT with the relevant pushbuttons (which are listed in
the attached document “Functional Key“), is loaded onto a support memory which is utilized inside
the program.
Before developing the PLC Application SW a symbolic list is prepared specifying:
• Tag name of the selection equal to the “Functional Key”;
• Address memory in the dedicated area of the PLC;
• Address type (Bool);
• Address description equal to the “Functional Key”;
• Tag name and/or address of the PLC support memory;
• Support memory type (Bool).
The SW of the operator selection is made as follows:

OIT : Memory 1 (operator selections, defined in the OIT Editor)
        |  PLC/OIT interfacing SW
        v
PLC : Memory 2 (mirror of Memory 1; key characteristics elaborated here)
        |
        v
PLC : Memory 3 (result, used by the other SW modules)

A memory area (Memory 1) must be defined in the OIT where all operator selections are defined
and detailed (following the instructions of the OIT Editor in use).
Through the specific PLC/OIT interfacing SW, which must be compiled following the instructions of
the Interface Editor, this memory area is mirrored in an identical memory area of the PLC
(Memory 2): in this area all characteristics of the Keys (i.e. one shot, retentive, not retentive, etc.)
are elaborated using the selected language (see section 3.2).
The result of this elaboration is then loaded in another memory area (Memory 3), which is used in
the other SW modules whenever this selection is needed (i.e. to start a running phase).
The above procedure allows the address coding in Memory 1 & 2 to be modified without modifying
the rest of the Application SW where this address is utilized.


3.3.4. Module 4 Operator Set Points Processing


As indicated in the OIT Application SW Structure (see Appendix E) the operator can set:
• In the Process Values Screen
o The set points for the phases transitions
o The set points to generate alarms
• In the Alarm Delay Timers Screen
o The set points for the delays of each alarm
• In the Phase Transition Delay Timers Screen
o The set points for the delays in the passage from a phase to the following one.
Note: for the PID regulation settings, see “Module 8 Regulation Management”.
Before developing the Application SW a symbolic list must be prepared specifying:
• Description of the data value;
• Data type (Integer, Real, Timer, Counter);
• Address of data for set;
• Address of data as value (Measure).
With the above symbolic list, utilizing the selected language (see section 3.2), comparisons (>, <, =)
are elaborated and the results are transferred to a memory register to be utilized in the other
modules when necessary (Alarms & Phases).
In addition to the above, the set and the process values are transmitted to the OIT to be displayed,
utilizing the specific PLC/OIT interfacing program and the OIT Editor.

3.3.5. Module 5 Alarms Management


The Alarm Task, executed cyclically by the PLC program and shown in document 2983-FC-Z2,
consists of the following operations:
1. Monitoring of all inputs and outputs of the control system;
2. Checking whether an alarm condition exists, based on the Inputs & Action List. If an alarm
condition exists, undertake the following actions:
a. Activate the alarm buzzer and energize the resuming alarm relay;
b. Light the active alarm LED on the OIT (the active alarm LED blinks to indicate an alarm
not yet acknowledged);
c. Transfer the alarm code to the OIT and log the alarm in the alarm history file in the
OIT;
d. Allow the OIT to display the alarm message;
e. Maintain this status until the operator acknowledges the alarm;
f. Once the alarm is acknowledged, silence the alarm buzzer through the reset key or
the acoustic alarm exclusion key. The resuming alarm LED stops blinking and lights
steadily to indicate an acknowledged alarm;
g. Maintain this status until the operator resets the alarm.


3. Non critical alarms do not interrupt the operation of the equipment. Once the alarm is
acknowledged and reset, the OIT returns to the previous screen and operation continues as
normal;
4. Critical alarms interrupt operations.
The presence of a critical alarm activates the Stop Action Sequence, but with the following
differences (see Appendix A):
• The OIT does not display the actual screen until the alarm is acknowledged;
• The resuming alarm LED is not switched off until the alarm is acknowledged and reset.
Depending upon the type of alarm, the reset procedure to be applied is selected: either the auto
reset program or the manual reset by the operator.
Each single alarm listed in the Input List & Actions (see Appendix D) is loaded onto a support
memory which is utilized inside the program.
Before developing the PLC Application SW, a symbolic list is prepared specifying:
• Alarm Tag name equal to the P&ID tag;
• Address of the memory where the alarm is loaded;
• Address Type (Bool);
• Alarm description equal to the alarm text displayed on the OIT.
Once the above symbolic list is completed, the SW developer compiles for each single alarm the
module already existing for each PLC, written in the selected language (see section 3.2), which is
the translation in SW terms of the Alarm Typical Flow Chart (see Appendix G).
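The alarm handling described in this module, as an added Python example (not STILMAS code and not the Alarm Typical Flow Chart of Appendix G): each alarm moves from inactive to unacknowledged (buzzer, blinking LED) to acknowledged (buzzer off, steady LED) and back to inactive on reset, a critical alarm latches a stop request, and an auto-reset alarm clears by itself. The tags, descriptions and the choice that acknowledge alone silences the buzzer are assumptions.

```python
"""Alarm Task state machine (Module 5). Added example, not STILMAS code.

INACTIVE -> UNACKNOWLEDGED (buzzer on, LED blinking) -> ACKNOWLEDGED
(buzzer off, LED steady) -> INACTIVE on reset. A critical alarm also
requests the Stop Action Sequence until it is acknowledged and reset.
Alarm tags and descriptions are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class AlarmState(Enum):
    INACTIVE = "inactive"
    UNACKNOWLEDGED = "unacknowledged"  # buzzer on, active alarm LED blinking
    ACKNOWLEDGED = "acknowledged"      # buzzer silenced, LED steady


@dataclass
class Alarm:
    tag: str                  # equal to the P&ID tag
    description: str          # equal to the text displayed on the OIT
    critical: bool            # critical alarms interrupt operation
    auto_reset: bool = False  # False: manual reset by the operator
    state: AlarmState = AlarmState.INACTIVE
    condition: bool = False   # alarm condition seen in the last scan


@dataclass
class AlarmManager:
    alarms: Dict[str, Alarm] = field(default_factory=dict)
    stop_requested: bool = False
    history: List[Tuple[str, str]] = field(default_factory=list)  # OIT alarm history

    def add(self, alarm: Alarm) -> None:
        self.alarms[alarm.tag] = alarm

    def scan(self, conditions: Dict[str, bool]) -> None:
        """One PLC cycle: evaluate the alarm conditions from the Inputs & Action List."""
        for tag, active in conditions.items():
            alarm = self.alarms[tag]
            alarm.condition = active
            if active and alarm.state is AlarmState.INACTIVE:
                alarm.state = AlarmState.UNACKNOWLEDGED
                self.history.append((tag, "raised"))
                if alarm.critical:
                    self.stop_requested = True  # Stop Action Sequence
            elif not active and alarm.auto_reset and alarm.state is not AlarmState.INACTIVE:
                alarm.state = AlarmState.INACTIVE
                self.history.append((tag, "auto-reset"))
        self._release_stop()

    def acknowledge(self) -> None:
        """Operator acknowledge: buzzer off, LED steady; the alarm stays active."""
        for alarm in self.alarms.values():
            if alarm.state is AlarmState.UNACKNOWLEDGED:
                alarm.state = AlarmState.ACKNOWLEDGED
                self.history.append((alarm.tag, "acknowledged"))

    def reset(self) -> None:
        """Operator reset: clears acknowledged alarms whose condition has gone.
        An alarm whose condition persists is kept (it would only re-raise)."""
        for alarm in self.alarms.values():
            if alarm.state is AlarmState.ACKNOWLEDGED and not alarm.condition:
                alarm.state = AlarmState.INACTIVE
                self.history.append((alarm.tag, "reset"))
        self._release_stop()

    def _release_stop(self) -> None:
        """The stop request is held while any critical alarm is still active."""
        if not any(a.critical and a.state is not AlarmState.INACTIVE
                   for a in self.alarms.values()):
            self.stop_requested = False

    @property
    def buzzer(self) -> bool:
        return any(a.state is AlarmState.UNACKNOWLEDGED for a in self.alarms.values())

    @property
    def led_blinking(self) -> bool:
        return self.buzzer

    @property
    def led_on(self) -> bool:
        return any(a.state is not AlarmState.INACTIVE for a in self.alarms.values())
```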

3.3.6. Module 6 Running Phases Management


Before developing the PLC Application SW, a symbolic list is prepared of all running phases listed
in the Functional Flow Chart (see Appendix A) specifying :
• Tag name = Phase 1, 2, etc. according to Flow Chart;
• Address of the memory where the phase is loaded;
• Address type (Bool);
• Phase description that is equal to the phase text displayed on the OIT.


Once the above symbolic list is completed, the SW developer compiles for each single phase
the module already existing for each PLC, written in the selected language (see section 3.2),
according to the following Flow Chart:

START
  |
  v
Is the phase timed?
  |
  |-- NO --> Are the functional keys to start the phase ON?
  |            |-- NO --> END
  |            |-- YES -> Are the Conditions to start (DI, Process value,
  |                       end of previous Phase) satisfied?
  |                         |-- NO --> PHASE ALARM
  |                         |-- YES -> PHASE START --> PHASE ACTIVE
  |
  |-- YES -> Is the phase time elapsed?
               |-- NO --> END
               |-- YES -> Are the Conditions to end (DI, Process value) satisfied?
                            |-- NO --> PHASE ALARM
                            |-- YES -> PHASE END
  |
  v
END


3.3.7. Module 7 Digital Output Activation


Each single Digital Output listed in the Output List & Action (see Appendix C) is loaded onto a
support memory which is utilized inside the program.
This operation allows the modification of the state and the address on the output card, without
modifying the Application SW where this output is utilized.
Before developing the PLC Application SW, a symbolic list is prepared specifying :
• Tag name of the output equal to the P&ID tag;
• Corresponding address of the Digital Output card;
• Address type (Bool);
• Address description equal to the output list description;
• Tag name and/or address of the PLC support memory;
• Support memory type (Bool).
Once the symbolic list is prepared, the logic of activation of the auxiliary memory is developed in
the selected language (see section 3.2), taking into consideration what is detailed in the
Output List & Action (see Appendix C), namely:
• When the output must be activated, phase by phase;
• The sequence and logic to activate the output.
The auxiliary memories obtained are then mirrored on the PLC output.


3.3.8. Module 8 Regulation Management


Each PLC, independently of the language selected (see section 3.2), already includes in its SW
code a module to be compiled to realize a PID control.
The module is structured to realize the following flow chart:

Inputs to the PID Module:
  Activation          <- from Module 6 (Phase)
  Process Value       <- from Module 2
  Set Point           <- from OIT
  Gain                <- from OIT
  Integral            <- from OIT
  OUT Limits          <- from OIT
  Manual Set          <- from OIT
  Manual / Auto       <- from OIT
Outputs of the PID Module:
  % OUTPUT            -> to OIT
  % OUTPUT            -> to AO Card

The SW developer must compile the addresses where the required data are located.

3.3.9. OIT Program Structure


The OIT SW is developed according to the relevant instructions and the Editor of the selected
Manufacturer.
Section 5.1 provides more details about OIT Program Structure and OIT SW Design Specification.


3.4. FILE NAMING (D), LABEL ALLOCATION (E) AND MODULE NAMING (F).
The Application SW files are named as follows:
2983-PLC-Z2
2983-OIT-Z2
Where:
2983 = the drawing series number common to all documents of the specific project.
PLC = reference to the PLC Application SW.
OIT = reference to the OIT Application SW.
Z2 = the sheet number of the P&ID. A PLC/OIT Application SW can control more than one
Equipment of a project and therefore Z2 identifies the different sheets of the referenced
P&IDs.
Each file has an individual label located in the file header.
This label shows :
• Project N°: 10/C083
• Customer: LABORATORIOS INIBSA
• Type of Equipments: PSG 750 DTS
• Serial numbers of the Equipments: 8757
• Revision No. of the PLC/OIT Application SW (see section 3.4.1)
All the above information is located in the file label and is also “mirrored” in the initial OIT screen
page.
The above specified SW Modules are named as indicated in the symbolic list of the Architecture
Tree (i.e. Module 1 Digital Input Processing). If an Application SW controls more than one
Equipment, the Equipment Module will be then named as 1.1, 1.2 etc.

3.4.1. Revision Numbering & Change Control


As indicated in GAMP 5, and more specifically in the GAMP Good Practice for Validation of Process
Control Systems 2003 (Appendix G1) for Embedded Systems (see Life Cycle Fig. 1.1.1), the
concept of Change Control applies only after SAT and is under the Customer's responsibility, with
the help of the Supplier if needed.
According to the above mentioned norms, from Project Development until FAT it is required to
carry out design verification and review, tracing all documents by numbering the revisions; for
each modification it is also necessary to indicate the differences compared with the previous
revision.
As indicated in the STILMAS ISO 9001:2000 Quality Management System, Archiving & Revision
Control is obtained through a validated SW network called “ARDIS”, resident in the main STILMAS
Server. It controls and reports the whole documentation history for all Projects, allowing full
traceability and acting as the Design Verification & Approval Record (PRO 7.3 IST 7.7 MD 71).


Specifically for the PLC/OIT Application SW the revision history and numbering is the following:
• The first version of the Application SW for a specific Equipment is issued by the SW
programmer as Rev 0.0 after the “bench test” in the Automation Dept.
• The differences with the std SW utilized to develop the Application SW are documented in
the SW Life Cycle document (MD 50).
• All modifications made on the PLC/OIT Application SW during the following tests (Control
Board Test, FAT, SAT) are updated with the following revision numbering criteria:

DESCRIPTION                          PREFIX   EXTENSION
Application SW issue                 0        0
Revision during Control Board Test   1        0,1,2,etc
Revision during FAT                  2        0,1,2,etc
Changes during SAT                   3        0,1,2,etc

Examples:
Rev. 0.0 means after Application SW issue.
If no modifications are made on the original Application SW, for example during the Control Board
Test, the Application SW takes Rev. no. 1.0 once it is downloaded.
If a modification is made, the Prefix identifies when the modification was executed (i.e. 2 for
FAT, 3 for SAT) and the Extension identifies how many times the Application SW has been modified.
For example: Rev. 2.3 identifies that the Application SW has been changed 3 times during FAT.
The SW Modules or the OIT screens which have been modified are documented in the SW Life
Cycle document (MD 50).
In practice, the Procedure MD 51 “Change Control“ applies only after a positive SAT, if required by
the Customer.

3.5. ANNOTATION (g)


The Application SW is duly commented to facilitate comprehension for those who have not
developed it. The quality and layout of the comments are more important than their quantity.
Because all Application SW is developed with the same structure, the Application SW is often
self-explanatory; therefore brief and clear comments (in English) are sufficient.

3.6. NON STD SW REQUIREMENT (h)


As mentioned in the Quality & Project Plan (section 4.2.5.4.1), the STILMAS Automation Dept., in
more than 20 years of activity in SW for PLC/OIT, has developed and continuously improved a
standard Application SW for each type of Equipment (Water pre-treatment, RO, EDI, Water Stills,
PSG, Storage & Distribution Systems, etc.), all structured as described above (see sections 3.3.1
to 3.3.9).
A standard Application SW is therefore available for each item of standard equipment; it is fully
tested and traceable with its own revision number and date.


As a consequence, the Application SW for the Equipment described in this specification will be
developed starting from the original standard Application SW with the following main modification
requirement:

1. Pure Steam conductivity control


4. DATA
Functional Objective. The Equipment shall provide permanent logging of the data required by
Predicate Rules.
Design Resolution. The data required by Predicate Rules for this Equipment are:
• Conductivity
• Temperature
The record of the above data is not maintained in the PLC memory but in a strip chart recorder that
shall provide a permanent, real-time record of the data. The input to the chart recorder shall
record the same Analog Input that is sent to the PLC.

5. INTERFACES
Functional Objective. The Equipment shall include interfaces with the operator and external
Equipment, to ensure the safe, reliable, continuous, and automatic operation and/or configuration.
Design Resolution. Interfaces with personnel (the operator), shall be the OIT display and an
audible alarm horn. Interfaces with external Equipment shall be the input and output modules of
the PLC itself.

5.1. OPERATOR INTERFACE TERMINAL


Functional Objective. The Equipment shall include interfaces with the operator, which ensure
easy, safe, and reliable operation.
Design Resolution. The operating personnel shall have access, through the OIT screens, to the
following functions:
1) Start and stop of the Equipment;
2) View of the actual phase with the process variable values;
3) View, acknowledgement and reset of the alarms;
4) View and set of the process parameters and delay timers.
The operator (trained personnel) must be able to check the values of set points and other
parameters against known correct values and, if necessary, to get the attention of supervisory
personnel before or during the system’s operation. The operator must be able to correct process
set values; this activity must be carried out under the supervision of dedicated personnel and the
results must be “cross-checked”.
The data displayed on the OIT screens must include all the instructions needed to carry out the
above listed operations by an operator with limited technical training, to ensure easy operation.
Limited access to the configuration screens (with password) must be foreseen to enhance plant
safety. An operator with limited technical training cannot change critical parameters, to avoid
damage to the system or harm to personnel (increasing an alarm’s delay time, effectively disabling
it, for instance).


5.1.1. Alarm Window


Functional Objective. The OIT must include a dedicated “Alarm” screen to inform operating
personnel, if an alarm condition is present. It must be possible to check if there are acknowledged
alarms still active.
Design Resolution. The “Alarm” screen shall be a window that is opened automatically by the
PLC in case of a critical or non-critical alarm. If the screen displayed on OIT panel is not the
Resuming Alarm page, the alarm or the warning condition shall be displayed automatically in the
alarm message window. This alarm window shall remain until the alarm is acknowledged by the
operator. Alarm Acknowledge and Alarm Reset keys shall be active if there are alarms present.

5.1.2. System Parameters Screen


Functional Objective. The OIT shall include a “System Parameters” screen. The “System
Parameters” screen shall enable the operator to check the configuration and operating
parameters. It shall be possible to modify the parameters, if any, but only after a password
procedure (see Section 5.1.3).
Design Resolution. The “parameter” screen shall, in fact, consist of several screens. These
screens shall display the system parameters in related groups.
From the “System Parameters” screen it shall be possible to return to the Main Menu screen,
through an “ESC” key on the OIT.

5.1.2.1. Parameters Screen


The PARAMETERS screen shall display the following information:
• PARAMETERS process value time-out delay (PV)
The counting timer of a phase duration or an alarm delay
• PARAMETERS set point time-out delay (SET)
The set time of a phase or an alarm delay (for example : tank low temperature alarm delay
: 30 seconds)
• PARAMETERS process value (PV)
The measured process value (for example : tank temperature : 34°C)
• PARAMETERS set point (SET)
The set value of a process value (for example : tank high temperature alarm set : 100°C)
From the “System Parameters” screen it shall be possible to return to the Main Menu screen,
through an “ESC” key on the OIT. The presence of an alarm or a warning, shall override the actual
screen (see Section 5.1.1).

5.1.2.2. PID Loop Screen


The PID Loop screen shall display at minimum the following information:
• The set point of the PID regulation (Temperature, pressure, flow etc.)
• The Proportional (P ) term (Gain)
• The Integral (I) term (Reset)
• The Input value (Process Value PV)
• The Output Value (in Percent)


The Derivative (D) term, which acts as an accelerator of the regulation, is not necessary for the
Supplier's process controls.
From the “System Parameters” screen it shall be possible to return to the Main Menu screen,
through an “ESC” key on the OIT. The presence of an alarm or a warning shall override the actual
screen (see Section 5.1.1).

5.1.3. Password
Functional Objective. The OIT includes a “password” allowing supervisory personnel to change
parameters. However, all the variable parameters are limited to a range which ensures the safe
and reliable running of the Equipment.
Design Resolution. The modification of critical data/set points must be permitted only in
dedicated OIT pages; changes to these data sets will be possible only through the password
procedure. When trying to change any value on the screen, a window will appear with a cursor line
waiting for the password code; once entered, the password must be confirmed with the “ENTER”
key. For safety reasons the entered number will not be displayed. The OIT then displays the
previous screen and it will be possible to change the selected parameters. The adjustable
parameters have to be within limits fixed by STILMAS technicians. In case of a data entry outside
the fixed limits, a special page will appear showing the inscription “VALUE OUT OF RANGE”.
In this case it will be necessary to enter the data again. To know the limits fixed by the Supplier,
check the parameters enclosed in the FAT / SAT reports. There is only one valid password, which
is a number composed of three digits. This password can be changed only through the PLC. The
Operator Panel foresees no function to change the password. Once changed, the old password
is definitely deleted. No limitation has been applied to the number of attempts to enter a
password.

4 different access levels are foreseen, as follows:

LEVEL 1                   LEVEL 2               LEVEL 3
GROUP ADMINISTRATORS      GROUP SUPERUSER       GROUP OPERATOR
Users:                    Users:                Users:
• ADMIN                   • SUPERUSER           • USER
• SERVICE                 • ………………
• ………………

Default Password logout time: 120 seconds

User password automatic update: Not Applicable


Level 1 is normally utilised by STILMAS. Two possible entry codes are available: ADMIN and
SERVICE.
Level 2 is normally utilised by the Customer. Only one entry code is available: SUPERUSER.
Level 3 is normally utilised by the Customer. The entry code OPERATOR is available, but others can
be added.
Level 4 is for OIT visualization only (guest).

AUTHORIZED OPERATIONS                                   ADMINISTRATORS  SUPERUSER  OPERATOR  GUEST

CONSULTATION                                                  X             X          X        X
Users allowed for visualization of each H.M.I. page,
except SYSTEM and SERVICE pages.

PASSWORD MANAGING                                             X             X
Users allowed to manage the password levels and to
create / erase users.

PLANT COMMAND                                                 X             X          X

ALARM RECOGNIZING AND ACKNOWLEDGE                             X             X          X
Users allowed to recognize and reset every alert and
action alarm, and to shut down the buzzer.

ALARM BUFFER RESET                                            X             X
Users allowed to reset the whole alarm buffer.

ALARM BUFFER DISPLAY                                          X             X          X        X
Users allowed to visualize the whole alarm buffer.

SETTINGS                                                      X             X          X

ANALOG INPUT CALIBRATION                                      X
Users allowed to change the range of every analog
input present in the H.M.I.

COMPLETE MANAGING                                             X
Users allowed to have complete control of the H.M.I.
settings, including:
- Change of the language.
- H.M.I. restart.
- Forcing.
- Change of range for timer alarms and phase delay time.
- All the operations needed by the Stilmas Automation
  Dept. and Service included in the pushbutton.
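The password procedure and the authorization table of this section, as an added Python example (not STILMAS code nor the OIT Editor's own mechanism): a set-point change without a valid session opens the password prompt, the entered code is checked against the single three-digit password held by the PLC, the user's group must be authorized for SETTINGS, a value outside the limits fixed by the Supplier is refused with “VALUE OUT OF RANGE”, and an idle session is logged out after the default 120 seconds. User names, limits, the password value and the messages other than “VALUE OUT OF RANGE” are constructed.

```python
"""Protected set-point change on the OIT (section 5.1.3). Added example, not STILMAS code.

Password prompt, single three-digit PLC password, group authorization from the
access table, Supplier limits check and 120 s idle logout. User names, limits,
password value and the non-spec messages are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

LOGOUT_TIME_S = 120  # default password logout time (from the specification)

# Operations authorized per group, transcribed from the access table.
PERMISSIONS: Dict[str, Set[str]] = {
    "ADMINISTRATORS": {"CONSULTATION", "PASSWORD MANAGING", "PLANT COMMAND",
                       "ALARM ACKNOWLEDGE", "ALARM BUFFER RESET", "ALARM BUFFER DISPLAY",
                       "SETTINGS", "ANALOG INPUT CALIBRATION", "COMPLETE MANAGING"},
    "SUPERUSER": {"CONSULTATION", "PASSWORD MANAGING", "PLANT COMMAND",
                  "ALARM ACKNOWLEDGE", "ALARM BUFFER RESET", "ALARM BUFFER DISPLAY",
                  "SETTINGS"},
    "OPERATOR": {"CONSULTATION", "PLANT COMMAND", "ALARM ACKNOWLEDGE",
                 "ALARM BUFFER DISPLAY", "SETTINGS"},
    "GUEST": {"CONSULTATION", "ALARM BUFFER DISPLAY"},  # level 4: visualization only
}


@dataclass
class SetPoint:
    tag: str
    value: float
    low_limit: float    # limits fixed by STILMAS technicians (constructed values)
    high_limit: float


class OIT:
    def __init__(self, plc_password: str, users: Dict[str, str],
                 setpoints: Dict[str, SetPoint]):
        self._plc_password = plc_password   # held in the PLC, changeable only there
        self._users = users                 # user name -> group (constructed)
        self.setpoints = setpoints
        self._group: Optional[str] = None
        self._last_activity_s = 0.0

    def login(self, user: str, entered_code: str, now_s: float) -> bool:
        """Password window: the code is not echoed and is compared in constant time."""
        group = self._users.get(user)
        if group is None or not hmac.compare_digest(entered_code, self._plc_password):
            return False
        self._group, self._last_activity_s = group, now_s
        return True

    def logout(self) -> None:
        self._group = None

    def _session_group(self, now_s: float) -> Optional[str]:
        """Expire the session after LOGOUT_TIME_S without activity."""
        if self._group is not None and now_s - self._last_activity_s >= LOGOUT_TIME_S:
            self.logout()
        return self._group

    def is_allowed(self, operation: str, now_s: float) -> bool:
        group = self._session_group(now_s) or "GUEST"
        return operation in PERMISSIONS[group]

    def change_setpoint(self, tag: str, new_value: float, now_s: float) -> str:
        """Return the OIT message for the attempt; the value changes only on "OK"."""
        if self._session_group(now_s) is None:
            return "PASSWORD REQUIRED"          # constructed message: prompt opens
        if not self.is_allowed("SETTINGS", now_s):
            return "NOT AUTHORIZED"             # constructed message
        sp = self.setpoints[tag]
        if not sp.low_limit <= new_value <= sp.high_limit:
            return "VALUE OUT OF RANGE"         # message from the specification
        sp.value = new_value
        self._last_activity_s = now_s
        return "OK"
```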


5.1.4. Alarm History Screen


Functional Objective. The OIT shall include an “alarm history” screen, which shall display the last
alarms that occurred (the buffer stores up to 256 alarms, which covers all cases even over a long
weekend in case of problems).
Design Resolution. The “Alarm History” screen shall enable the supervisor to view the contents
of the Alarm History file and to clear it. The “Alarm History” screen shall display the following
information:
• Alarm identification;
• Event time;
• Event date;
• Acknowledge time;
• Acknowledge date.
Once completely filled, the Last In First Out (LIFO) function will automatically delete the older
alarms, allowing the record of the last occurred alarms. This page can alternatively be cleared
manually by the operator through the OIT using the function “Delete Buffer“.

5.1.5. OIT SW Program Structure and OIT SW Design Specification


Functional Objective. The OIT SW must be designed to realize the functions described above
(see sections 5.1.1 to 5.1.4).
Design Resolution. The Supplier has produced a program structure that is utilized in all OITs,
irrespective of the Manufacturer and of the Equipment to be automated. The intention, in
accordance with IEC1131.1 and GAMP4, of a unique program structure is to homogenize all SW
Applications produced by every SW programmer of the Automation Dept., so as to obtain SW that is
“readable by those who did not write it“.
The OIT Application SW Structure is attached (see Appendix E).
To realize the above described structure it is necessary to compile the Editor SW delivered by the
HW manufacturer. According to the Editor instructions, the following information must be
provided; it is very similar for each HW manufacturer:
• DEFINITION OF DATA EXCHANGE AREA
Every OIT uses a defined protocol to communicate with the PLC; this Protocol is the
manufacturer's property and cannot be modified. For example:
o Siemens uses MPI / DP PROFIBUS / ETHERNET
o Allen Bradley uses ETHERNET / RS232 / DH+
o Telemecanique uses RS232
Through the above protocol the OIT is able to read and write data from/into the PLC
memory. Therefore it is necessary to define:
o The memory area or Tag where the OIT will read the alarms;
o The memory area or Tag where the OIT will “write” the position of the
pushbuttons (membrane keyboard or Touch Screen), to provide the information
whether they are pushed or not;
o The memory area or Tag where the OIT will read the information to light “ON” or
“OFF“ the LEDs installed behind the key membrane or the Touch Screen keys.


• DEFINITION OF VARIABLES
Still using the OIT Editor, it is necessary to prepare a database of all variables that
will be read/written from/into the PLC memory.
These variables are:
o Phase Delay timer Counting (PV) ⇐ from PLC
o Phase Delay timer Set point ⇒ to PLC
o Alarm Delay timer Counting (PV) ⇐ from PLC
o Alarm Delay timer Set point ⇒ to PLC
o Process value Parameters ⇐ from PLC
o Set point Parameters ⇒ to PLC
o Phase Value, to identify the corresponding Phase message (see below *) ⇐ from PLC
For each variable it is necessary to define:
o Tag name;
o Address of the PLC support memory;
o Address type (Bool, Integer, Real);
o Controller, limit value.


• DEFINITION OF PHASE MESSAGES (SYMBOLIC)
In the PLC program it has been defined how the Running Phases will be managed (see
section 3.3.6). Depending upon the active phase, a Value will be loaded in the address
described above in “DEFINITION OF VARIABLES” (see above *).
It is necessary to prepare a list of all Running Phase messages and corresponding values.
When this value is written in the defined memory of the PLC, the OIT screen will
display the corresponding message.
Example : 0 = Out of Service
1 = Filling
3 = Heating
When the OIT reads 3 in the PLC memory, it will display “Heating” on the screen.
• DEFINITION OF WARNING MESSAGES
It is necessary to write in “text“ format all the alarm messages which will be shown when
the corresponding address of the PLC memory area defined above (see Data Exchange
Area) is active.
For each alarm message, the corresponding PLC address will be defined.
When the alarm bit becomes active, the OIT immediately:
o Overlays the alarm message on the actual screen;
o Manages the alarm as per the ISA norm, for Acknowledge and Reset;
o Records the alarm in the Alarm Buffer.
• OIT PAGES
Once all the above data have been defined, it is possible to “build“, still using the OIT
Editor, the different pages indicated in the OIT Program Structure (see Appendix E).
In each page it is possible to display texts describing the functions and the Variables
previously defined, specifying also where the necessary information can be found in the
above mentioned Variables Database.

5.2. INTERFACE WITH EXTERNAL INPUTS AND OUTPUTS


Functional Objective. The PLC system shall include interfaces with external Equipment to ensure
safe, continuous, and automatic operation.
Design Resolution. The PLC shall accept inputs from external switches (SPDT or SPST type)
and sensors and shall produce output to control external devices such as control relays, solenoids
and modulating valves.

5.2.1. Digital Input


Digital input can have the value of 0 (Off) or 1 (On). A “0” value represents the voltage absence,
such as an open circuit or a switched off condition. A “1” value represents the presence of voltage
(24 VDC), such as a closed circuit or a switched on condition.

5.2.2. Analog Input


Analog inputs are variable signals (4÷20 mA) which are directly linked to physical variables
(pressure, temperature, flow, etc.).


Analog inputs shall use the following input range: 4÷20 mA DC. RTDs (“Resistance Temperature
Detectors”) shall be connected to modules (Ω/mA converters) specifically designed to accept their
input directly with a 3-wire connection. The analog input card of the PLC contains A/D converters
that convert the current or voltage analog signal to an integer value inside the PLC memory. The
PLC logic program scales this value to Engineering units that will be used by the PLC and OIT (see
Input List) for their functions.

5.2.3. Digital Output


Digital outputs can have the value 0 (Off) or 1 (On). A “0” value represents the absence of voltage,
so the component connected to this output is not active (de-energized). A “1” value represents the
presence of voltage (24 VDC), so the component connected to this output is active (energized).
The corresponding digital output data shall be generated by the PLC based upon the status of the
inputs.

5.2.4. Analog Output


The PLC AO-Card directly generates the analog outputs. This electronic card contains D/A
converters that convert the Integer data value generated by the program algorithm to an analog
signal (typically 4÷20 mA) at the module terminals. These analog outputs shall be configured as
mA or VDC signals and control the actuators of the field Equipment (such as I to P transducers,
speed controls and so on).

5.3. INTERFACE OF DATA TRANSMISSION


Functional Objective. The PLC/OIT SYSTEM must include the interface with customer control
system. [N/A]
Design Resolution. the PLC must be able to exchange data (signal and I/O external ) with an
external supervision control system. [N/A]

5.3.1. Input /Output Data Transmission


[N/A]


6. NON-FUNCTIONAL ATTRIBUTES

6.1. AVAILABILITY OF THE SYSTEM

6.1.1. Power Failure Recovery

6.1.1.1. System State After a Power Failure


Functional Objective. The Equipment shall automatically restart, through planned phases, after a
power failure condition.
Design Resolution. The PLC/OIT system shall be configured so that, after a power failure, the
system conditions are restored as they were before the failure.

6.1.1.2. Restart After a Power Failure


Functional Objective. The Equipment must restart automatically after a power failure event,
without additional reset procedures and in safe condition.
Design Resolution. The PLC/OIT program and the related Equipment must be configured to
allow automatic recovery from a power failure. The system has to go back to the same state in
which it was previously. This means that the Equipment will start by itself according to the selected
mode. If none of the running modes was selected, the Equipment will return to “out of service”.

6.1.1.3. Application SW Retention During a Power Failure


Functional Objective. The PLC/OIT system must be able to retain, without data corruption, the
last revision of the Application SW in case of a power failure.
Design Resolution. The Application SW is always downloaded and stored into the PLC MMC, which
remains installed in the CPU; therefore the last Application SW version is reloaded automatically
at any restart after a power failure.

6.1.1.4. Data Retention During a Power Failure


Functional Objective. The PLC/OIT system shall prevent the loss or corruption of stored set
points data during a power failure.
Design Resolution. The set point data (the only data which can be modified during Equipment
setting and operation, see sections 5.1.2.1 and 5.1.2.2) are downloaded into the PLC MMC after
FAT and SAT. They are therefore protected against power failure in the same way as the
Application SW.
Nevertheless, the Customer operators are always allowed, with password protection and within
the admitted ranges, to modify these values during Equipment operation (see section 5.1.3).
These new values are loaded into the RAM memory of the PLC and, in case of power failure, are
retained for 5 full days.
If power is restored after more than 5 days off, the Equipment will restart with the “default” set
which was originally downloaded after FAT or SAT (whether or not the Supplier was also
responsible for SAT).
If the Customer wants to keep permanently the new set points modified with password by the
operator, it is necessary, once these new values are accepted through an internal change
procedure, to download them into the MMC with a specific procedure.
This will allow the Equipment to restart, after a power failure, with the new set points modified by
the Customer operator and not with the original set points introduced by the Supplier technician
during FAT and/or SAT.
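The power-on decision described in sections 6.1.1.2 and 6.1.1.4 (restart in the selected mode or in “out of service”; reuse the operator-modified set points held in RAM only while they are still within the 5-day retention window, otherwise fall back to the defaults stored in the MMC) is illustrated below. This is an added example, not STILMAS code and not the PLC program of this job. The retained-RAM layout with a timestamp and a CRC-32, the two set point names and their admitted ranges, and the rule that a corrupt or expired retained block also forces “out of service” are assumptions made for the illustration.

```c
/*
 * Added illustration (not STILMAS code): power-on restart decision.
 * Assumptions (constructed for this example): the battery-backed RAM block
 * carries a timestamp and a CRC-32, set point names/ranges are invented,
 * and a corrupt or expired block restores the defaults and "out of service".
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RETENTION_SECONDS (5u * 24u * 3600u)   /* "retained for 5 full days" */
#define N_SP 2

typedef enum { MODE_OUT_OF_SERVICE = 0, MODE_PRODUCTION, MODE_SANITIZATION } run_mode_t;

/* A set point together with the admitted range inside which operators may change it. */
typedef struct { const char *name; int32_t value; int32_t min; int32_t max; } setpoint_t;

/* Defaults as downloaded into the MMC after FAT/SAT (constructed values). */
static const setpoint_t MMC_DEFAULTS[N_SP] = {
    { "steam_pressure_kpa", 300, 200, 400 },
    { "feed_level_pct",      60,  30,  90 },
};

/* Image of the retained (battery-backed) RAM block. */
typedef struct {
    uint32_t   saved_at;        /* controller clock, seconds */
    run_mode_t selected_mode;   /* mode selected before the power failure */
    int32_t    values[N_SP];    /* operator-modified set points */
    uint32_t   crc;             /* CRC-32 over every field above */
} retained_t;

/* Plain bitwise CRC-32 (reflected, polynomial 0xEDB88320). */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

uint32_t retained_crc(const retained_t *r) {
    return crc32_bytes((const uint8_t *)r, offsetof(retained_t, crc));
}

/* Build a retained block as the PLC would write it before/while running. */
retained_t make_retained(uint32_t saved_at, run_mode_t mode, const int32_t *vals) {
    retained_t r;
    memset(&r, 0, sizeof r);            /* zero padding so the CRC is reproducible */
    r.saved_at = saved_at;
    r.selected_mode = mode;
    for (int i = 0; i < N_SP; i++) r.values[i] = vals[i];
    r.crc = retained_crc(&r);
    return r;
}

typedef struct { run_mode_t mode; setpoint_t sp[N_SP]; bool used_defaults; } restart_plan_t;

/* Decide mode and set points at power-on. 'now' is the controller clock. */
restart_plan_t plan_restart(const retained_t *r, uint32_t now) {
    restart_plan_t plan;
    memcpy(plan.sp, MMC_DEFAULTS, sizeof plan.sp);
    plan.mode = MODE_OUT_OF_SERVICE;    /* safe state when nothing can be trusted */
    plan.used_defaults = true;

    bool fresh = r != NULL && now >= r->saved_at && (now - r->saved_at) <= RETENTION_SECONDS;
    if (!fresh || retained_crc(r) != r->crc) return plan;   /* expired or corrupt: defaults */
    if (r->selected_mode > MODE_SANITIZATION) return plan;  /* unknown mode: stay out of service */

    plan.mode = r->selected_mode;
    plan.used_defaults = false;
    for (int i = 0; i < N_SP; i++) {
        int32_t v = r->values[i];
        /* A retained value outside the admitted range is rejected for that set point only. */
        if (v < plan.sp[i].min || v > plan.sp[i].max) { plan.used_defaults = true; continue; }
        plan.sp[i].value = v;
    }
    return plan;
}

int main(void) {
    int32_t vals[N_SP] = { 350, 45 };
    retained_t r = make_retained(1000u, MODE_PRODUCTION, vals);
    restart_plan_t p = plan_restart(&r, 1000u + 86400u);        /* one day later */
    printf("mode=%d %s=%d defaults=%d\n", p.mode, p.sp[0].name, p.sp[0].value, p.used_defaults);
    p = plan_restart(&r, 1000u + RETENTION_SECONDS + 1u);       /* retention expired */
    printf("mode=%d %s=%d defaults=%d\n", p.mode, p.sp[0].name, p.sp[0].value, p.used_defaults);
    return 0;
}
```

The CRC is there only to detect a retained block that lost its integrity during the outage; it is not a protection against deliberate modification, which the specification addresses through the password-protected change procedure and the controlled download into the MMC.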


6.1.2. Redundancy of the Control System Program


Functional Objective. The PLC/OIT Application SW shall be stored in discrete memory devices
which keep the original application program even if they are removed from the rest of the system.
Design Resolution. The PLC Application SW shall be stored in a removable memory device
(MMC type). This device is left installed in the PLC so that the program may be loaded
(immediately and automatically) after recovery from a power failure.
The OIT Application SW shall be stored in an internal memory device (MMC). This device is left
installed in the OIT so that the program may be loaded (immediately and automatically) after
recovery from a power failure.
In addition to the removable memory devices, a CD copy of the PLC and OIT Application SW is
supplied for both systems, together with specific recovery procedures for system restart after a
crash event.

6.1.3. Control System – Self Error Checking

6.1.3.1. PLC/OIT System


Functional Objective. The PLC/OIT system shall include an automatic error-checking function.
Design Resolution. The PLC/OIT system shall run self-diagnostic routines, at power on phase
and continuously, to ensure that the system is under control and that the main functions are well
operating. These routines must be specified and implemented by the PLC and OIT manufacturer.
An automatic self check function must be present also for the communication ports between the
PLC and OIT.

6.1.3.2. Analog Input/Output


Functional Objective. All analog input/output signals shall be checked for a valid range (4÷20
mA).
Design Resolution. Analog I/O signals must be checked automatically by the I/O card of the PLC
(when the I/O Module includes this function). If the I/O Module does not include this function, the
PLC program is written to include it. The current value is checked and, if it is out of range, the
value is not accepted: either the old value is retained, or the minimum (or maximum) value is
loaded, to keep the Equipment in a safe condition.

6.1.4. Standby Operation


Functional Objective. The PLC/OIT system shall be designed to maintain a “ready to start” state
whenever electric power is available.
Design Resolution. The PLC/OIT system is configured so that the “start” action is available at
any time when electrical power is applied. This state is the same as the “ready” state after a
normal shutdown sequence.


6.2. MAINTAINABILITY

Expansion/Spare Capacity

Functional Objective. The PLC/OIT system shall be configured so that function upgrades may be
accomplished without physical redesign of the system.
Design Resolution. The PLC/OIT system shall be supplied according to document 2983-CB-Z2
with at least 20% spare I/O points for each type of I/O provided.


7. GLOSSARY

(This section shall include definitions of terms which may be unfamiliar to the reader or
terminology which have meanings specific to this document or application.)
PED Pressure Equipment Directive

CPU Central Processing Unit

EPROM Erasable Programmable Read Only Memory

FDA Food and Drug Administration (USA)

GAMP Good Automated Manufacturing Practices

GMPs Good Manufacturing Practices

ISA Instrument Society of America Standards

ISPESL Istituto Superiore per la Prevenzione e Sicurezza sul Lavoro (ISPESL) code

MS Multi Stage Distillation Unit

OIT Operator Interface Terminal (also known as HMI, Human Machine Interface).

P.& I.D. Piping & Instrumentation Diagram (Ref. To ISA standard).

PHARMASTILL Distilled water production plant by STILMAS S.p.A.

PLC Programmable Logic Controller.

PSG Pure Steam Generation unit

PW Purified Water

R.O. Reverse Osmosis Unit

SCADA Supervisory Control And Data Acquisition

SPDT Single Pole Double Throw

SPST Single Pole Single Throw

TIE IN Utilities & boundaries connections diagram.

AI Analog Input

AO Analog Output

DI Digital Input

DO Digital Output


USP United States Pharmacopoeia

WFI Water for Injection

MPI Multi Point Interface

I/O Input/Output

PID Proportional Integral Derivative

PV Process Value

Q&PP Quality & Project Plan

RA Roughness

CD Compact Disc


8. APPENDIXES

The following documents are considered to be an integral part of this Specification.


Flow Chart, doc. no. 2983-FC-Z2, including:
Appendix A. Functional Flow Chart
Appendix B. Functional Keys
Appendix C. Output List and Action
Appendix D. Input List and Action
Appendix E. OIT SW Application Structure
Appendix F. PLC SW Application Structure
Appendix G. Alarms Typical Flow Chart


9. APPROVALS

This document has been reviewed and approved by the Supplier for submission to the Customer
Representative.

Reviewed and Approved by : __________________________________ _____________


Supplier Project Manager Date

Upon approval by the Customer Representative, this document becomes an element of a legal
contract which is binding on the Supplier and the Customer.

Reviewed and Approved by : __________________________________ _____________


Customer Representative Date
