Paperless recorder for tamper-proof recording of product process information

Information

  • Patent Application
  • 20040006486
  • Publication Number
    20040006486
  • Date Filed
    May 29, 2002
    22 years ago
  • Date Published
    January 08, 2004
    20 years ago
Abstract
A method for paperless recording in a production or measuring process is provided. The method includes the steps of receiving data from a continuous or discontinuous process, e.g., for a milk product, recording the data on a paperless data storage medium, and recording an electronic signature on the paperless data storage medium in association with at least a portion of the data. An apparatus for tamper-proof/sealable paperless recording in a process is also provided. The apparatus includes a paperless data storage medium and a processor. The processor is configured to receive data from a continuous or discontinuous process, is further configured to record the data on the paperless data storage medium, and is further configured to record an electronic signature on the paperless data storage medium in association with at least a portion of the data.
Description


BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention


[0002] The present invention relates generally to the field of product processing, and, more particularly, to methods and apparatus for paperless recording of information such as data for critical control points in continuous +batch (discontinuous) product processes.


[0003] 2. Brief Description of the Prior Art


[0004] In the interest of public health, various regulatory agencies have required product processors, such as dairy and food producers, to maintain records related to the measurement and control of their processes, e.g., pasteurization processes. Historically, these records have been made and retained on paper, typically, using circulator or strip chart paper recorders. In practice, an operator often makes handwritten notations onto the paper chart itself, documenting various details about the specific production run at the time of recording. These notations are followed by the operator's handwritten signature or initials and, in some cases, by a supervisor's signature or initials as well. The specific forms of the notations vary broadly—both within companies and among them. Nevertheless, they give regulatory inspectors confidence that producers are closely monitoring their processes and are in compliance with applicable regulations.


[0005] Instrument manufacturers offer several different recorder models that can be used to maintain the permanent records, including HTST (High-Temperature, Short-Time), STLR (Safety Thermal Limit Recorder), and pasteurization flow versions. The commercially available models may record one or more of the following measurements: hot product temperature, hot water temperature, cold product temperature, digital reference temperature at the divert valve, flow rates and/or system pressures (high and low), trends or event marks to indicate divert, process CIP (Clean In Place), or secondary divert.


[0006] Many designs have lights to visually indicate the flow of product through a flow divert valve. Some models include PID controller capabilities to control the hot water flow or system backpressure. Most designs use a circular or strip chart with a selectable time base (e.g. 8 or 12 hours) for each chart. Circular chart recorders are used to satisfy the legal recording requirements for most applications, and the PMO guideline lists various equipment and procedure requirements for paper chart recorders.


[0007] A paperless or videographic recorder is an instrument that resembles a traditional strip chart or circular chart recorder. However, instead of recording a trace with pen and paper, a paperless recorder displays the trace and/or numeric value on a display screen and records the measured values to electronic memory. Paperless recorders have made significant advancements in recent years. Typically, an electronic paperless recorder can handle more inputs than a paper and pen recorder. Also, many paperless recorders can create text event logs. Further, since paperless recorders typically store data to a memory device, they allow users to sort, graph, and print data for trend information and further evaluation.


[0008] During the past decade, several interested parties have engaged the U.S. Food & Drug Administration (“FDA”) in discussions regarding the use of paperless record systems in FDA regulated environments. The interested parties have included pharmaceutical, biological, and medical device companies; food manufacturers; trade associations; and other Federal agencies. Responding to this interest, the FDA issued a ruling on electronic records and electronic signatures, effective Aug. 20, 1997. The regulation, “21 CFR Part 11,” is a reference to Title 21 (Volume 1) of the Code of Federal Regulations, Part 11. Often, this is abbreviated to 21 CFR Part 11 or, when the context is understood, it is referenced simply as “Part 11.” Part 11 defines broad requirements under which electronic records will be acceptable in lieu of paper records, and electronic signatures will be equivalent to handwritten signatures or initials on documents and records.


[0009] Part 11 does not mandate electronic record keeping, nor does it mandate any particular method for electronic signatures. However, Part 11 does list some criteria for different types of electronic signatures. For instance, Part 11 distinguishes between biometric and non-biometric electronic signatures, and its Preamble makes further distinctions among “electronic signatures that are executed repetitively during a single, continuous controlled period of time (logged on period)” and those that are not so executed. Part 11 defines a biometric electronic signature as a method of identifying an individual's identity based on measurement of the individual's physical features or repeatable actions where the features and/or actions are both unique to that individual and measurable. A nonbiometric electronic signature is an electronic signature that is not a biometric electronic signature. Depending on a variety of factors, an operator using a nonbiometric electronic signature might need to enter his/her personal password several times during a production shift. Additionally, there may be instances in which a supervisor must also certify the record with his/her own electronic signature.


[0010] During recent years, several regulatory agencies, especially departments of environmental protection at the state and local levels, have increasingly accepted paperless records. Also, the pharmaceutical and biotech industries have become active with paperless recording by offering an increasing number of solutions advertised as meeting FDA regulations governing Current Good Manufacturing Practices (“CGMP”). Like traditional paper recorders, paperless recorders differ in the options and features available. Some paperless recorder solutions address Part 11 requirements directly at the recorder, some via the accompanying personal computer (“PC”) application software, and some cover the requirements at both the recorder and the PC. Some may have green (forward flow) and red (divert) indicator lights, while others may only record the position of the flow divert valve in the PC viewable data. Unfortunately, Part 11 solutions targeted specifically towards Grade “A” Pasteurized Milk Ordinance (“PMO”) regulated continuous flow pasteurization applications have not been widely addressed.


[0011] One problem has been that many industrial instruments, including computer based and paperless recording instruments, offer only a single level password or pass code option. This feature often consists of a single alphanumeric entry (or multiple entries in the case of a supplier's “backdoor” pass code) useable by any and all users. However, Part 11-defines an electronic signature as being the legally binding equivalent of an individuals handwritten signature. Universal password-pass code combinations are not unique to a specific individual and thus do not satisfy Part 11's definition for a unique signature.


[0012] Another challenge for instrument manufacturers has been to develop a paperless recording format that allows a user to match electronic notations to recorded events without compromising the tamper-proof integrity of the entire electronic record. The measured values themselves must remain secure from manipulation.


[0013] Thus, there is a need for a method and apparatus that provides paperless recording of data from critical control points in continuous or discontinuous processes. Further, there is a need for a method and apparatus that provides electronic records and signatures that meet Part 11 requirements.



SUMMARY OF THE INVENTION

[0014] The present invention provides a method for paperless recording in a production or measuring process. The method includes the steps of receiving data from a continuous or discontinuous process, e.g., for a milk product, recording the data on a paperless data storage medium, and recording an electronic signature on the paperless data storage medium in association with at least a portion of the data.


[0015] In an alternative embodiment, the present invention provides an apparatus for tamper-proof/sealable paperless recording in a process. The apparatus includes a paperless data storage medium and a processor. The processor is configured to receive data from a continuous or discontinuous process, is further configured to record the data on the paperless data storage medium, and is further configured to record an electronic signature on the paperless data storage medium in association with at least a portion of the data.


[0016] The features and advantages of the present invention described above, as well as additional features and advantages, will be readily apparent to those skilled in the art upon reference to the following detailed description and the accompanying drawings.







BRIEF DESCRIPTION OF THE DRAWINGS

[0017]
FIG. 1 is a front view of a paperless recorder assembly according to the present invention


[0018]
FIG. 2 is a rear view of a paperless recorder assembly according to the present invention showing certain subassemblies removed from the housing.


[0019]
FIG. 3 is a hardware block diagram for a paperless recorder according to the present invention.


[0020]
FIG. 4 is a block diagram representing inputs to and outputs from a recorder according to the present invention.


[0021]
FIG. 5 shows a block diagram representing the interconnections between an electronic memory management software module and related memory components.


[0022]
FIG. 6 illustrates schematically the flow of information derived from measured data values, user input, processed and stored data, and outputs produced by a recorder according to the present invention.


[0023]
FIG. 7 is a diagram of functions prescribed during the setup procedure showing the functional relation of the setup options to data acquisition, processing, analysis and storage for a paperless recorder according to the present invention.


[0024]
FIG. 8 is a functional flow diagram representing a method of operating a paperless recorder according to the present invention.







DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

[0025] Referring first to FIG. 1, a videographic, paperless recorder 18 according to this invention displays signals, monitors limits, analyses measuring points, stores data internally and archives data on memory devices and a computer. Located at the front of the housing is a monitor or screen 20 for displaying selectable drop down menus, process trends and event marks. A frame 22, preferably of die cast metal or stainless steel, encircles the screen and carries a transparent display cover. Push buttons 24, located below the screen, are used for setup of the recorder and product and for operating the recorder. Located to the left of the push buttons are LEDs 26, which provide visual indications to the user of important variables related to the process, to which the recorder is being applied. Adjacent the screen is a receptacle 28 for receiving secondary memory, such as a diskette drive or a PC memory card.


[0026] In normal operation and on sealed operation, the six function keys 24 are labeled: Login, Product, Text, Group, Extras and Setup. During unlocked recorder operation, special functions may be accessible e.g. giving access to “Setup” or other functions, such as “ATA Flash”.


[0027] The softkeys or function keys 24 make accessible to the user the following, respectively:


[0028] “Login”—the functions required for log in/log out.


[0029] “Group”—the available group of inputs to be displayed on the video screen.


[0030] “Setup”—here special setup changes can only be processed during unlocked recorder operation.


[0031] “Text”—the selection and entry window of short text messages.


[0032] “Products”—the selection list of products allocated in the related process


[0033] “Extras”—selection list for a particular product batch. The information is supplemented with a comment on data integrity. The batch analysis has an additional selection list of all found batches. A memory search and a “Scroll” (“<< >>”) function are also integrated. The search function is expanded with a “Batch search function, which jumps to the respective batch start, with a possibility to scroll further. In addition to this, all further functions, such as contrast settings and information display.


[0034] Referring next to FIG. 2, a steel casing 29 contains various electronic circuit boards. The casing is preferably formed of stainless steel, safe from entry of dust and water and protected against undetected opening after being sealed following closure by lead-covered screws.


[0035] The boards contained in the casing include a universal analog input board 30; analog output board 32 including relay outputs; a board 34 supporting a ATA flash memory card 35 and driver 36, a CPU board 38, and input and output serial interfaces 40; and a power supply board 42 carrying digital input 43 and output connections. A rear cover 44 closes the rear of the housing 29 using lead-covered screws. Access to the ATA flash drive 36 is mechanically sealed. Access to the interior of the casing is protected behind a lead sealed rear panel cover 44, thereby guarding against unauthorized access.


[0036] Depending on the application, the recorder records power failures and the signals from digital inputs, such as flow quantities, pump running times, events and faults such as plant down time. In addition, the recorder has analog measuring points or analog inputs, to record electric currents, preferably in the ranges from +/−1 mA to +/−40 mA, voltages from +/−50 mV to +/−10V, thermocouples, and RTDs. The recorder produces digital and analog outputs, and control outputs.


[0037] By operating a push button on the unit, the recorder allows the operator to select the correct form of display easily: a numeric value or a curve, analog and digital signals separately or together, high resolution curves, curves in single zones and overlapping signals. When event list is selected it displays limits and power failures. The signal-grouping feature enable fast grouping of several inputs per group.


[0038]
FIG. 3 shows in a block diagram the CPU board 38 having an optional galvanic isolation feature, and various inputs and outputs connected to the CPU board. The board 38 carries a buffered real time clock 50, SRAM electronic working memory 52, the CPU and its peripheral circuits 54, measured data memory 56, and program memory 58, preferably Flash or ROM. Input to the CPU includes AC and DC power supply circuits 42, analog input circuits 30, digital inputs 43, and serial interface circuits 40.


[0039] CPU inputs include analog output circuits 32, digital output circuits 60, serial interfaces 40, and serial interfaces circuits 40. User interfaces communicating with the CPU and each of the inputs and outputs include a keyboard 62 having function keys, a color graphic display 20, LEDs 26, and ATA Flash memory card and its associated drive 36. Housing 29 and cover 44 entirely enclose all but the electronics except the keyboard, the display and LEDs. The combination of hardware, software and mechanics is designed a s a full safety concept to be tamper proof and to prevent unauthorized access to the instrument and recorded data.


[0040]
FIG. 4 shows in a block diagram the user interfaces including the keyboard 62, LEDs 26, and an ATA flash memory card 36. Also shown there are digital inputs and outputs 43, an analog module 45 accessible to analog inputs 30 and analog outputs 32, and interface circuits 40, which include a standard serial interface 66, universal serial interface 68 and communication bus interface 70. Each universal analog input signal, selectable from a drop down-style menu selection list on screen 20 including ma, mV, V, RTDs, and thermocouples, can be connected directly to the recorder without the need for separate transmitters or transducers.


[0041] The recorder system recognizes a faulty serial data transmission using checksums (e.g. CRC) accessible using ReadWin® 2000 application software, a proprietary PC software package available commercially from Endress+Hauser having a business office located at 2350 Endress Place, Greenwood, Ind. ReadWin® 2000 then sends a corresponding message (e.g. a defined serial command) to the recorder informing that a faulty data transmission has occurred. The recorder reacts to the message by setting relays and trying again.


[0042]
FIG. 5 is a block diagram illustrating schematically the interconnections among an electronic memory management software module 72 resident in the recorder, and its connections to an input-output buffer 74, an ATA buffer 76, and internal ring memory 78, which stores data and other information preferably on a first-in-first-out basis in SRAM. The ATA memory buffer 76 is accessible to the ATA flash memory card 35 through an ATA flash driver 36.


[0043] Advanced Technology Attachment ATA is a disc drive standard interface for storage devices such as disc drives or flash memory cards. The ATA specification deals with the power band data signal interfaces between a motherboard and the integrated disc controller and drive. ATA drives may use any physical interface a manufacturer desires, provided the embedded translator is included with the proper ATA interface.


[0044] The ATA Flash memory card driver 36 of the recorder has a sealable cover that prevents unauthorized removal of the memory card. A minimum of three months recording and process evidence can be realized depending on the application.


[0045] All inputs are recorded, e.g. every second. Envelope curves, instantaneous-, average-, minimum- and maximum values as well as quantities and events are stored in presettable time cycles. The large internal memory operates as a ring or stack memory. If the ring memory is full, then the oldest data are overwritten using the FIFO principle. Therefore, the most recent data are always available. Data are also constantly and independently being copied in blocks to the ATA flash memory disc 35. A check for faults in the information copied is performed then internally or at a PC upon storing the data into ReadWin 2000. The data are available and safe from manipulation. If required, the data can then be exported to other programs such as MS-Excel without losing the protected database.


[0046]
FIG. 6 illustrates schematically the exchange of information from the various external connections and interfaces and information flow within the recorder derived from measured data values, user input, processed and stored data, and outputs produced by the recorder. The measured analog values, such as voltages, currents, and analog values from thermocouples and RTDs, present in analog modules 45 are processed at a measured value processing module 80 and transmitted to module 82. Digital inputs, such as logic voltage levels, at ports 43 are processed at 84 and transmitted as digital values to module 84. Similarly, digital output values, such as those connected to relays, are transmitted from module 82 to 84 where they are converted to produce digital outputs at the digital input/output ports 43. Module 82 also receives input and delivers output through an external communication input and output module 86, which communicates through a serial message module 88 and interface drivers 90 to the universal interface 66, standard interface 68 and communication bus interface 70.


[0047] The actual instantaneous process values, produced as output from module 82 as raw data, are processed at process management module 92, which produces encrypted output process values. These process values are transmitted through input/output buffer 74 to interaction operation display module 94 and to ATA flash memory 35 through the memory management module 72. Also module 94 is in serial communication with serial messages received through the interfaces 66, 68, 70. In response to user input transmitted from the keyboard 62 and pushbuttons 24 and serial messages, the output of module 94 is sent to the display screen 20, and LEDs 26 also respond to the output produced by module 94.


[0048] The upper portion 100 of FIG. 7 groups the digital inputs and outputs, analog inputs and outputs, mathematical functions, settings, signal analysis routines, and the data interfaces that a user specifies during the procedure for setup of the recorder to record data associated with particular measured data values of the process to be recorded.


[0049] The recorder provides automatic signal analysis 101, which creates easily read conditions. Actual and previous signal quantities and peaks are listed in tables. This gives a fast overview of the process, e.g., during a batch previous work shift, day or month. The signal analysis function automatically evaluates averages, minimum values, maximum values for analog measurement points; calculates intermediate, daily, monthly, yearly analysis; and displays counter values, operation times and quantities. The user can specify particular message settings, product settings and the associated setpoint management and administer personal identifications and passwords during setup.


[0050] Each product of several different products produced by a process to which the recorder is applied can be allocated up to different set points and its own display grid and/or limit lines presented on the screen 20. For example, product “1” might have a 10-grid display and a limit line at 80%, product “2” a 12-grid display and a limit line of 90%. The selection and setup of the different products are done as follows: An authorized administrator having a valid login and password can configure the product specific parameters in the Setup menu. Multiple alarm set points can be allocated per analog, math and digital channel. These set points can then be allocated to the product in the respective screens.


[0051] The responsible operator selects a specific product during production using a valid login, the integrated push button (key “Product”) and selection list. Or, the product can be selected by using the serial interface, e.g., using ReadWin® 2000. On request, this selection can also be done using BCD coded digital inputs.


[0052] When the operator selects a product, the selection is stored as a message in the event list. A report on the selected product can be displayed both on the screen 20 as well as in ReadWin® 2000. Additionally, a clear allocation of stored measured data and operator can be guaranteed.


[0053] After the product has been selected, the allocated alarm set points and the display grid and limit lines become active. The production process is monitored by the active alarm set points. Alarm conditions are stored in the event list. A heating set point, which is product dependent, can be recorded as a virtual channel.


[0054] The lower portion of FIG. 7 illustrates schematically the communication of inputs data and measured values during acquisition, processing, storage and analysis of data to produce a measured data 102, its associated time stamp, limit check value 104, and its associated time stamp, which are stored in electronic memory 78. Digital input data 106 and measured analog values 108, mathematical functions 110, and digital combination control functions 112 in cooperative combination produce at 92 the measured value 102 and at 114 the limit check value 104. The check value is converted to a digital form as digital output 116; analog outputs 118 are produced from the corresponding analog input 108. Product selection occurs at setup 120, as described above, and its selected limit 122 is used to determine the check limit 104. Electronic signature, timestamp and product selection information 124 pass to memory 78. Similarly, any user messages 126, login and logout information 128, together with the electronic signature, timestamp associated with the message and log information are passed to memory 78.


[0055] Digital discrete inputs 116, such as on/off contact or pulse input, may represent such recorder functions as control inputs to control defined unit functions (e.g. lock unit setup, time synchronization, start/stop recording, forward flow/production start/stop, etc.); data produced by a pulse counter to count production quantities; event inputs to record events such as a “pump start” or “valve closure” event; an operation time counter to calculate total operation times; BCD coded control inputs to select a product and process parameters related to the product to be recorded; and BCD coded control inputs to select a text to be stored in the internal memory.


[0056] Analog universal inputs 108 may represent such process variables as: differential pressure across a heat exchanger; a magnetic flow meter controlling the flow rate through a hold tube; dual RTD input for a safety thermal limit recorder (STLR); dual and single RTD for cold milk temperature on outlet from pasteurizer; and pressure on outlet from a pasteurizer. Analog outputs 118 in the range 4-20 mA retransmission, may represent pasteurized pressure and differential pressure, temperature of product; product flow rate; and pasteurized pressure after outlet. For SPDT applications, as many as seven “on/off” relay outputs, each relay being assignable to a setpoint used for various process purposes such as for: divert valve; “OK to run pumps” confirmation; maximum pressure cut off; differential pressure limit; and loss of signal on flow rate.


[0057] Mathematics functions 110 can be used to linearize quadratic signals and are used for quantity calculation. Basic mathematical calculations link analog measurement points with each other. Trigonometric, absolute, square root and quadratic functions are available. Integration calculates quantities from analogue values. Square root extraction linearizes quadratic signals. Also available are functions to add/subtract counters, calculate sums and averages, calculate total running times, and create logical combinations.


[0058] After login, which is automatically stored with date and time, a user can operate the plant, select different types of products, and the parameters to be recorded and controlled against exceeding the predetermined check limits for each parameter by the recorder instrument. With the built-in features of the recorder, the responsible user, produced product, assigned setpoint, inspection status of the plant, events, etc. can be assigned to the recorded data at each occurrence. This procedure and information results in an audit trail, which is stored in memory 78.


[0059] The Administrator, whose function is described next, can program setup during installation in the recorder 31 different messages, each having a maximum of 22 characters. The recorder provides drop down menus, to which many of the common event terms can be added, such as “CIP ON or CIP OFF,” to minimize the number of events that would need to be manually entered. The user can “mark” recorded data with the predefined texts/event messages. These messages are selectable from the list of programmed messages during the normal operation mode using a drop down menu. Examples of such messages include “valve blocked”, “pH electrode changed,” etc. When a logged in user selects one of the text messages, it is stored in the event list 130 and the internal ring memory 78 together with date, time and user ID. In this manner the responsible user and the selected text can be assigned to the recorded data at each time. Analysis of the recorded and stored information, data and measured values can be performed externally at a PC 134 using the ReadWin® 2000 application program or another suitable software application.


[0060] The operator's identification (ID is used for clear identification of a responsible operator. The combination of ID and password is used as an “electronic signature” and are used for releasing various authorization levels.


[0061] There are three authorization levels, which are accessible only with a correct combination of ID and password and sealable units/rear side cover: Administrator level; Inspector level; and User level.


[0062] The Administrator level authorizes: making changes to one's own password; maintenance of all ID's (change, add, delete), with the exception of the inspector ID; making changes in Service 132; making changes in Setup 100; and operating the plant (product change, batch start/stop, etc.).


[0063] The “Inspector level” authorizes: making changes to one's own password; maintaining inspector ID (change, add, delete); setting the software and hardware seals once the plant has been approved.


[0064] The “User level” authorizes: changing one's own password; and operating the plant (product change, batch start/stop, etc.)


[0065] A maximum of 20 ID and password combinations are maintained. An ID consists of up to ten alphanumeric characters, must be exclusive, and will be allocated by the administrator (administrator ID and user ID's) or inspector (inspector ID).


[0066] The password consists of up to ten alphanumeric characters, and a password itself can occur more than once. This is allocated only by the user and never is visible. However, an ID-password combination can occur only once.


[0067] The combination of ID and password must be clear and exclusive. The warning message “not valid/already allocated” appears for passwords already used. The ID and password combination is used as the electronic signature.


[0068] When creating each ID and password combination, an authorization level is also allocated using an additional selection field. The respective authorization level can be accessed using the correct ID and password combination.


[0069] ID and password combinations can be exported to other units in case of a defective unit or an exchange unit. They must not be altered by a RESET/PRESET.


[0070] All IDs and passwords can be maintained both at the unit and at the PC using ReadWin 2000, or another PC application program. Transmitted IDs and passwords are coded, i.e., encrypted. Passwords are not visible.


[0071] The first user of the recorder unit is, by definition, the administrator who can open the administrator level using a predetermined or factory password (e.g. ADMIN00). At this time the administrator ID and password are empty. Next, the administrator creates his/her own ID and password, at which point the initial password (e.g. ADMIN00) becomes invalid.


[0072] A “General Key” is also available so that the unit can be opened to the administrator level on a “forgotten” administrator password. Only certain authorized service personnel will know this “General Key”.


[0073] The administrator sets the IDs for the lower user level. The IDs must be unique. The responsible plant operators use their IDs to log on and open the respective authorization level using their own password.


[0074] The administrator level, accessible only by using the administrator ID and password, authorizes maintenance (change, add, delete) of all IDs with the exception of the inspector ID; changing his/her own password; making changes in Service and Setup (Plant approval must then be renewed by an-inspector); and operating the plant (product change, batch start/stop, etc.). If an ID is deleted, the respective password also is deleted;


[0075] Initially, the inspector level is opened using a fixed predetermined password (e.g. INSPECTOO). Afterwards, the inspector must set up his/her own ID and password, and the predetermined password (e.g. INSPECTOO) becomes invalid.


[0076] A “General Key” is also introduced so that the unit can be opened to the administrator level on a “forgotten” inspector password. Only authorized service personnel will know this “General Key”. They can only access when the sealable cover is removed.


[0077] The inspector level, accessible only by using the inspector ID and password, authorizes maintenance (change, add, delete) of the inspector ID, and changing his/her own password; and Setting the software and hardware seals once the plant has been approved. The CPU number will also be indicated. If an ID is deleted, the respective password also is deleted.


[0078] Users or operators log on for the first time using the ID allocated by the administrator. At this time, the respective password is still empty. After the initial log on, the operators create their own personalized passwords. It is allowable for different IDs to use identical passwords.


[0079] The user level, accessible only by entering an authorized user ID and password, enables: changing one's own password; and operating the plant by inputting product change, batch starts/stops, etc.


[0080] At the inspector level, which can only be accessed using the inspector ID and password, the FDA inspector can release the plant for operation. This is done by setting a lead seal on the rear panel of the recorder casing 29 and a software seal once the plant has been approved. The software seal is placed as an identifier in,a non-volatile flash memory area. This identifier contains the inspector ID. As an alternative, the inspector sets a sealable (rear side) cover which is automatically detected by the instrument.


[0081] The identifier is reset on each change to the system settings (SETUP/SERVICE). This serves the same function as breaking a lead seal. Changes to the system settings are placed on the data carrier as a message in the event listing, and on the ring memory 78.


[0082] After the software seal has been broken or the cover has been removed, the plant is then in a “non approved” state. This condition is regularly indicated on the unit display as an information message and highlighted in each data block header. Additionally, a message is placed in the ring memory event list.


[0083] Using a LOGIN/LOGOUT screen, each responsible operator must login and logout using an ID and password. LOGIN and LOGOUT are only possible using an ID and password. LOGIN and LOGOUT are also possible using a PC interface connection cable and RS-232/422/485 serial communication between the recorder and a computer system, e.g., having access to the “ReadWin 2000” application software.


[0084] Measured values are also recorded even without a valid LOGIN (unit condition logout). The ID of the responsible operator is then set as <NO NAME>. This is also indicated on the recorder as an information message.


[0085] Each LOGIN and LOGOUT is saved to the data carrier as a message in the event list (audit trail), which includes date, time, and the responsible operator ID. Identical information is retained within ring memory. A “Log book” can be displayed both at the recorder screen and within the PC ReadWin 2000. A change of responsible person can be made using a further LOGIN.


[0086] At the end of processing a product batch or during a power outage, the actual condition and responsible person may remain active following resumption of power service.


[0087]
FIG. 8 is a diagram representing a method of setting up and operating the recorder to acquire, process, store and analyze data associated with a plant where a product is processed continuously or in batches. At step 150 the recorder is setup by assigning digital and analog inputs and outputs to specific variables of the process, specifying general parameters of the process, and preparing user messages. Each digital input can be configured as a control input such as time synchronization, impulse counter, on/off event recorder, and/or operation time counter. The BCD logic can be used to select or specify short text messages and/or products, e.g. using 5 BCD coded digital inputs to specify common event messages. During setup, a short text message can be made by using a dedicated “acknowledgement” digital input, or the entry could be made once the BCD coded digital input has the same condition for at least 3 seconds.


[0088] During the setup procedure at step 150, an authorized administrator can define as many as 31 short text messages, each with a maximum of 22 alphanumeric characters, e.g. valve broken, changed RTD, etc. Using a valid login, these short text messages can be selected using the integrated push button (key “Text”) and list selection by the responsible operator, or by using the serial interface and appropriate software such as ReadWin 2000. On request, this selection can also be done using BCD coded digital inputs. During operation, the selected short text is stored as a message, including the date/time and ID of the responsible operator, in the event list and in the ring memory. A report on the operation events can be displayed both on the recorder and ReadWin® 2000. Additionally, a clear allocation of stored measured data and assigned operator is assured.


[0089] Setup continues at 152 where the product name is selected, its code determined, and the setpoints of the process for the selected products are set. Access rights to the recorder are set at 154, whereby the administrator, inspector and user IDs and passwords are selected or assigned, as described above.


[0090] To assure that access to the recorder is limited to authorized individuals, access is limited by setting at 156 a sealable rear cover 44, such as a lead seal, providing a physical lockout protection against unauthorized manipulation or access to electronic terminals located at the rear of the recorder. This can be detected automatically by the instrument. No user, administrator or operator is permitted access to the data manager's operational setup, provided the sealable cover is in place. The data manage software module records an audit trail message whenever the rear cover is removed and whenever the setup configuration is modified. The ATA Flash memory card drive 36 has a sealable cover that prevents unauthorized removal of the memory card.


[0091] The recorder and ReadWin 2000 recognizes and assures data integrity, in part by blending in every data display, including graphic/tabular display, statistics, analysis, etc., a corresponding reference or hint to the quality of data, such as “Data O.K.,” thereby validating the integrity of the data. Otherwise, another appropriate message such as “Data manipulated” is blended in.


[0092] Next, at 158, all outputs and relays are set in safe operational mode, i.e., records cannot be modified or deleted, except to add notations or comments after user login, and then only after using a unique ID/password combination. Generally, changes to the system settings (SETUP) can be made only after a valid ID and password combination is entered. Afterwards, the plant must be given an inspector's approval again. If a unit setup is created or stored using an ATA Flash card, e.g. for a defective unit replacement or exchange, a valid ID+password combination of an Administrator must be entered before activating this function. All changes to the system settings are saved on the data carrier as a recorded message in the events list, as well as in the internal memory ring. Thus, both the recorder and ReadWin 2000 can display a change in protocol. The corresponding message contains: date and time of the change; the ID and name of the responsible operator; and the type of change made. If the change was done using the serial interface 68 or ATA Flash card 36, then SETUP change is always displayed.


[0093] Once the input is switched from circulation (“L,” logic low “0”) to throughput (“H,” logic high “1”), batch production starts at 160. Based on the digital discrete signals for product selection, all relevant product setup data are activated, including all alarm set points, the associated display grid, and set point management. The operator always maintains control and responsibility for signaling the digital discrete signals to serve as control inputs for the batch production runs.


[0094] As the plant is started once a day or once per work shift, and need for a recalibration procedure is indicated in response to the inquiry at step 162, the following actions occur: using a valid login entry, the responsible plant operator initiates a recalibration operation either by using the recorder push buttons 24, by using ReadWin® 2000 on a serial communication link, or by a using a control input. The functions that occur during the recalibration operating mode are:the operator checks the functions of the total plant; and a comparison temperature is set.


[0095] This temperature is read out at 164 from an external reference thermometer and is entered at 166 using the push buttons in response to a message on a suitably configured screen 20, or the temperature can be taken over from one of the connected input channels. The recorder compares the reference temperature to a measured heater temperature at 168, and calculates at 170 the difference between the comparison temperature and the actual heater temperature. This difference is the OFFSET to which the measured heater temperature is added.


[0096] The OFFSET is valid for all batches until the next LOGOUT (operator change) or until the next recalibration (automatic offset without memory reset). Once the recalibration operating mode has ended, the plant start is stored in the event list and ring memory 78, including date/time and the ID of the responsible operator. With this message, the calculated offset and comparison temperature are also stored.


[0097] If a recalibration procedure is not required, or after the cut-in procedure is completed if it is required, the user at 172 chooses the product and the associated process parameters specified during setup 152. Choosing the product automatically starts the setpoint management routine. Each digital input can be configured as a control input, e.g. time synchronization, impulse counter, on/off event recorder, and operation time counter. The recorder can be configured to recognize and differentiate among batches of different products, e.g. vitamin A and B, by using binary coded data (BCD) logic using four digital bits. Thus, a user can use combinations of digital discrete inputs to specify different product streams in the batch process. The selected product is activated on batch start using a throughput/circulation digital input, as described below.


[0098] Then, at 174, a user-specific electronic signature entry is entered.


[0099] At step 176, the recorder immediately begins automatically to sample periodically and record measured values, timers, comments, and signatures, which information is stored in internal memory 78 and on ATA flash memory 35 cards. Event log entries and audit trail entries are generated and stored in these memory locations at step 178.


[0100] Product quality is checked at step 180 by the recorder system performing a comparison to the limit check 104 in the manner described with reference to FIG. 7. If product quality is positive, control passes to step 182. At 182, the recorder is set to indicate that a normal or safe product has resulted from the process being monitored and recorded.


[0101] Batch production stops upon switching the digital input from “Throughput” (H or 1) to “Circulation” (L or 0) or using the push buttons. If product processing is to stop, at step 186 control is directed to step 190. Otherwise, if product processing is to continue, control passes to step 176 and the procedure is repeated until the digital input goes low, thereby stopping product processing.


[0102] If product quality is negative upon checking process limits, control passes from step 180 to step 184, where an alarm state is set. An example of such an alarm condition can result from temperature monitoring using a connection for a double resistance thermometer. Both temperatures and their difference can be recorded as measured values. Each resistance is connected as an analog input, and both channels are recorded. The deviation is recorded by difference measurements per second and is recorded on a virtual mathematics channel. If the deviation exceeds the present alarm set point, a message “Temperature fault” is displayed and requires acknowledgment by the operator. This message is stored in the event list and in the memory. An event protocol is displayed on the recorder screen and in ReadWin 2000. The respective relays operate as configured by the user. At 185, the state of the digital input is checked to see if product processing is to stop, as described with reference to step 186. If so, steps 190, 192 and 194 are performed. Otherwise, if product processing is to continue, control passes to step 176 and the procedure is repeated until the digital input goes low, thereby stopping product processing.


[0103] Then a product report is produced at step 190, the user logout procedure is activated and completed at step 192, and the recordation is stopped at 194. Reports, which include batch number, product identification, operator ID, date and time, are created and placed in memory. Data recording to memory remains active or else stops, depending on the selection. Upon every product change and batch end, the data block is closed. When active, the Recording Stop feature stops the data recording to ring memory. A warning, “No data recording,” which will be recorded and must be acknowledged, is displayed on screen 20. Data on the ATA Flash cards are updated, and the recorder displays on screen 20 an information message “Production of <product> completed.”


[0104] Each screen header includes the following information: recorder CPU number; product number; identification of the inspector (plant approved/not approved); and ID of the responsible plant operator(User ID). When using a serial communication interface, ReadWin 2000 uses the CPU number of the recorder to positively find the respective data bank when storing the measured values to the correct data bank.


[0105] Each data block is tagged with the ID of the responsible operator, the identifier of the FDA inspector, and the product number. In this manner, each data set's attribute information can be positively identified. Additionally, all measured values are time stamped in the recording process, thereby securing the association of each value to the responsible operator. Each measured value is attributed to an operator, date, and time.


[0106] All system, event, and messages (e.g. alarm set point conditions, changes to the system settings, etc.) are added to the event list. The most recent 30 events can be immediately displayed. Once the actual event list is full, either it is coded and transferred as a file to the ATA Flash card, or it is added to an existing file. The file then can be accessed at the instruments or within PC ReadWin® 2000 using a search function. This search feature allows the user to search for specific events (e.g. all changes to the system settings). It is possible to view all events (complete or filtered) that occurred during a specific time span.


[0107] From the foregoing description it can be seen that the paperless recorder according to this invention provides the following advantages. Data can be formatted and evaluated electronically. Often, data can be exported to other commercially available applications such as MS-Excel® or other PC applications. Users can recall several recording periods of data, rather than the prior eight or twelve hours only. Users can observe trends that might otherwise be overlooked between several different charts. Event lists are informative and summarize important data using minimum/maximum/average calculations, extended mathematical functions, and text messages. Users can reduce or even eliminate their paper handling and need not manage, store, or maintain large numbers of paper records. The recorder is virtually maintenance-free, with no pens, paper drives, or motor mechanisms.


[0108] Users may want to maintain some spare inputs boards, power supply boards, and/or secondary memory storage drives for emergency replacement, but these components are not moving parts and do not suffer wear, as do traditional chart recorders with moving pens and charts. The recorder allows several selectable display modes for viewing trends and data from a variety of perspectives, providing additional information and details. The videographic display screen feature provides drop-down menu lists and help screens, providing easier recorder setup and operation for increased operator comprehension and understanding.


[0109] The foregoing description of the invention is illustrative only, and is not intended to limit the scope of the invention to the precise terms set forth. Although the invention has been described in detail with reference to certain illustrative embodiments, variations and modifications exist within the scope and spirit of the invention as described and defined in the following claims.


Claims
  • 1. A electronic paperless recorder for recording and retrieving data and other information related to a product process, the recorder comprising: a paperless information storage medium; a processor configured to receive, store and retrieve data and other information related to the process, further configured to record the data and other information on the paperless data storage medium, and further configured to record an electronic signature on the paperless data storage medium in association with at least a portion of the data and other information.
  • 2. The recorder of claim 1, wherein: said processor comprises an electronic central processing unit CPU; and said paperless information storage medium comprises main memory and replaceable flash memory accessible to the CPU for electronically storing information related to the process, the flash memory being fixed against removal from the recorder while the recorder is recording information, the recorder further comprising: analog input and output circuits for communicating between the CPU and various process sensors information representing measured values of parameters of the process; digital input and output circuits for communicating between the CPU and various process sensors information representing measured values of process parameters and the logical state of process conditions; a keyboard and function keys for use by the user to communicate information to the CPU; and a graphic display communicating with the CPU for displaying information to and requesting information from the user.
  • 3. The recorder of claim 1, further comprising: communication interface circuits accessible to the CPU and main memory; and a digital computer communicating through the serial communication interface circuits to the CPU and main memory, the computer having software accessible thereto adapted to search and retrieve process information from the main memory, and to present process information to the user, the main memory being accessible to the computer for purposes of retrieving process information from the main memory and communicating said retrieved process information to the computer, the main memory being inaccessible to receive process information from the computer.
  • 4. The recorder of claim 2, wherein the recorder is configured to perform multiple functions, the recorder being further configured to provide: an access control that identifies recorder operators with reference to a user ID-password combination that is unique to each user, limits operator access to specific recorder functions assigned to each operator with reference to said user ID-password combination, and recognizes and records each operator's access to the recorder.
  • 5. The recorder of claim 4, wherein the recorder is further configured to provide: an administrator level access control that contains user IDs unique to each operator and permits an operator having access to the administrator level access control to add, change and delete each user level ID and administrator level ID, to change an administrator level password, to change plant setup, and to operate the process plant; an inspector level access control that permits an operator having access to the inspector level access control to add, change and delete inspector level ID-password combinations; and a user level access control that permits the user to create and change a user level password combination corresponding to an assigned user level ID, and to operate the process plant.
  • 6. The recorder of claim 2, further comprising: a casing enclosing the CPU, main memory, flash memory, analog input and output circuits, and digital input and output circuits, the casing sealed by a seal against undetected entry to the casing after the seal is applied; a flash memory card drive; a sealable cover covering the flash memory card drive, said cover preventing unauthorized removal of a flash memory card; and the CPU being further configured to record an audit trail message indicating removal of said sealable cover.
  • 7. The recorder of claim 4, wherein the processor is further configured to detect a malfunction of the recorder or the product process and to set the recorder and its output to a safe operation mode wherein information in main memory cannot be modified or deleted except to add notations or comments by an user.
  • 8. The recorder of claim 4, wherein: the processor is further configured to execute a setup routine wherein a product to be processed is selected, and setpoints of the process corresponding to the selected product are set; and the processor is further configured continually to periodically sample and store in memory the setpoints, to compare periodically the setpoints against corresponding measured values of the process, and to store in memory comments entered on the keyboard by a user relating to corresponding to process events and process data, and to store in main memory and flash memory the ID-password combination of the user.
  • 9. The recorder of claim 4, wherein the CPU is further configured to produce a product report from the data and information contained in said paperless information storage medium.
  • 10. A recorder system for recording and retrieving information related to a product process, the recorder comprising: an electronic central processing unit CPU; and main memory and replaceable flash memory accessible to the CPU for electronically storing information related to the process; analog input and output circuits for communicating between the CPU and various process sensors information representing measured values of parameters of the process; digital input and output circuits for communicating between the CPU and various process sensors information representing measured values of process parameters and the logical state of process conditions; a keyboard and function keys for use by the user to communicate information to the CPU; a graphic display communicating with the CPU for displaying information to and requesting information from the user; communication interface circuits accessible to the CPU and main memory; a casing enclosing the CPU, main memory, flash memory, analog input and output circuits, and digital input and output circuits, the casing sealed by a seal against undetected entry to the casing after the seal is applied; a flash memory card drive; a sealable cover covering the flash memory card drive, said cover preventing unauthorized removal of a flash memory card; and a digital computer communicating through the serial communication interface circuits to the CPU and main memory, the computer having software accessible thereto adapted to search and retrieve process information from the main memory, and to present process information to the user, the main memory being accessible to the computer for purposes of retrieving process information from the main memory and communicating said retrieved process information to the computer, the main memory being inaccessible to receive process information from the computer.
  • 11. A method for recording data and other information related to a product process with the aid of an electronic recorder adapted to receive input from the process and to produce output to the process, the method comprising the steps of: receiving data and other information from a process; recording the data and other information on a paperless electronic data storage medium; and recording an electronic signature on the paperless data storage medium in association with at least a portion of the data and other information.
  • 12. The method of claim 11, further comprising the steps of: inputting into the recorder a database for the process including at least a recorder and plant setup control defining recorder inputs from the process and recorder outputs, process parameters, and predetermined user messages, a setpoint management control containing product names and setpoints for the process corresponding to each product name, and administration and user access control containing user ID-password combinations that are each an unique to each user, inputting into the recorder a user ID-password combination; permitting a user access to the recorder provided the entered user ID-password combination corresponds to a user ID-password contained in the administration and user access control; inputting to the recorder a product name and determining the corresponding setpoints for the process with reference to the setpoint management control; sampling periodically while the process is running and recording on the electronic data storage medium measured values of the process and comments input to the recorder by a user.
  • 13. The method of claim 12, further comprising defining within the administration and user access control of the recorder an administrator level, inspector level and user level; inputting into the recorder an administrator level access control containing user IDs unique to each operator; permitting an operator having access to the administrator level to add, change and delete each user level ID and administrator level ID, to change an administrator level password, to change plant setup, and to operate the process plant; inputting into the recorder an inspector level access control that permits an operator having access to the inspector level to add, change and delete each inspector level ID-password combination; and inputting into the recorder a user level access control; and permitting a user to create and change a user level password combination corresponding to an assigned user level ID.
  • 14. The method of claim 12 wherein the recorder includes a sealable casing and a cover covering a replaceable flash memory card drive, further comprising: inputting into the recorder database a manipulation protection control; if the casing is removed, recording on the data storage medium through operation of the manipulation protection control, a message indicating removal of the sealable cover; and if the cover is removed, recording on the data storage medium through operation of the manipulation protection control, a message indicating removal of said sealable cover.
  • 15. The method of claim 12, further comprising: periodically sampling and storing on the data storage medium the setpoints; comparing periodically the setpoints against corresponding measured values of the parameters of the process; recording on the data storage medium comments entered into the recorder by a user relating to process events and process data; and recording on the data storage medium the ID-password combination of the user.
  • 16. The method of claim 12 further comprising: inputting into the recorder database a report preparation procedure; and producing with reference to the report preparation procedure and the data and information contained on the data storage medium a product report of the process data and recorded events, messages and comments.
Provisional Applications (1)
Number Date Country
60294508 May 2001 US