3. Utilities Required demands6 4. Process Description7 5 ... · FUNCTIONAL DESIGN SPECIFICATION...

FEDEGARI STERILIZER FOAF

FUNCTIONAL DESIGN SPECIFICATION NA1343AN

Doc. no. 147854-3 of 26

CONTENTS 1. Scope of Supply ........................................................................................................4

2. Operational ................................................................................................................5

3. Utilities Required demands ......................................................................................6 3.1 Environmental Conditions Requested for Installation............................................................................6 3.2 Others ....................................................................................................................................................6 4. Process Description..................................................................................................7 4.1 Saturated Steam Cycles........................................................................................................................8 4.2 Air-over-steam cycles ..........................................................................................................................10 4.3 Programs Included in Delivery.............................................................................................................11 4.4 Autoclave Performances .....................................................................................................................12 5. Mechanical Construction........................................................................................13 5.1 Pressure Vessel...................................................................................................................................13

5.1.1 Chamber..........................................................................................................................................13 5.1.2 Jacket ..............................................................................................................................................13 5.1.3 Doors...............................................................................................................................................13

5.2 Insulation .............................................................................................................................................14 5.3 Machine Frame....................................................................................................................................14 5.4 Panels..................................................................................................................................................14 6. Mechanical Components ........................................................................................15 6.1 Pipes and Valves .................................................................................................................................15 6.2 Vacuum and Drain System..................................................................................................................16 6.3 Incoming Air to Chamber.....................................................................................................................16 6.4 Internal plates heat exchangers cooling/drying system.......................................................................17 6.5 Chamber’s Internal Circulation Fans ...................................................................................................17 6.6 Spray washing/rinsing System ............................................................................................................17 7. Electrical Components ...........................................................................................18 7.1 Required Connections .........................................................................................................................18 7.2 Control System ....................................................................................................................................18 7.3 Panel and Indicators on loading side...................................................................................................18 7.4 Indicators on unloading side................................................................................................................18 7.5 Indicators in Service Area....................................................................................................................19 7.6 Temperature and pressure transducers ..............................................................................................19 8. Extra features ..........................................................................................................21

9. Documentation ........................................................................................................21 9.1 Installation Drawing, P&ID...................................................................................................................21 9.2 Pressure Vessel Documentation .........................................................................................................21 9.3 Documents supplied on Completion....................................................................................................21 10. Standards & Codes .................................................................................................23

11. Glossary...................................................................................................................24



Doc. no. 147854-3 of 26

Appendix 1 TN-102081– TH4 - Report of Pressure and Temperature Measurement Appendix 2 SP-102190– TH4 – Extract from Functional Design Specification



Doc. no. 147854-3 of 26

1. Scope of Supply 1.a The machine has to be in accordance with this specification that defines the main characteristics of the

machine for STERILYO (FRANCE). However this specification is not intended to provide a complete list of all machine characteristics: some details or additional features can be omitted, but the non-mentioned characteristics cannot affect the compliance to the requirements declared in this document.

1.b The autoclave shall be complete in all respects, comply with current cGMP standards for clean, efficient, safe and secure operation, maintenance; it will comply with the current GAMP, having its control systems tested and verified to enable full process validation to be performed.

1.c FEDEGARI shall provide an autoclave system, fully piped, wired, instrumented and tested, consisting of the following as a minimum: - Sterilizing chamber (pressure vessel with external jacket) - Facing loading/unloading side panels, with bio-seals on both sides - Two horizontally sliding doors - Thermal insulation with external sheathing - Pipes and valves - Frame for chamber and valves - Control devices and instrumentation - Thema4 process controller - No. 2 liquid ring vacuum pump systems for mechanical air removal, as described in section 6.2 - No. 1 intake air filter equipped with connections suitable to perform manually the WIT test - Washing/rinsing spray system - Electrical panel in technical area - Operating panel on loading side - Thermal paper printer, on loading side - Indicators at loading/unloading side, as described in section 7.3 and 7.4 - Indicators in service area, as described in section 7.5 - Temperature and pressure transducers, as described in section 7.6 - External trolley(s), as described in section 2 - Internal trolley(s), as described in section 2 - Drain cooler, as described in section 6.2 - Air/water separator on the general drain - Internal plates heat exchangers cooling/drying system - No. 2 fans for internal air circulation - Thema4 validation package (shared with NA1341AN and NA1342AN sterilizers) - Remote GUI license

1.d FEDEGARI will supply the documentation, as specified in Section 9 of this document, and the autoclave qualification documents, including all factory tests, pre-delivery tests and results and input into PQ.



Doc. no. 147854-3 of 26

2. Operational 2.a Loading component processor/autoclave

The autoclave is a two-door unit. It shall normally be loaded from SIDE 1 and unloaded into SIDE 2. The inversion of the loading/unloading flow is possible in some cases (for further details refer to Annex 2, SP-102190–TH4–Extract from Functional Design Specification, section 7 “Doors management”). The autoclave loading and unloading operations are completely manual. The autoclave is equipped with the following handling devices: - no. 8 external trolleys type “A” in AISI 304, equipped with two swivelling wheels1 - no. 8 internal trolleys/pallets type “E” in AISI 3041, each suitable for loading 3 columns of 18

cassettes with one removable side. The length of each trolley is 1/2 of the usable depth of the chamber. The internal trolleys are equipped with adjustable vertical angles to place the cassettes. The internal trolleys are properly designed to vertically place the removable sides of the cassettes in such a way that they can be easily washed. The bottom of the chamber is provided with two pairs of removable guide rails in AISI 304 to guide the loading trolley.

2.b Process configuration All cycles, except the Leak Rate Test, include: - pre-treatment - sterilization at desired temperature - post-treatment The pressure inside the chamber is measured by a precision absolute pressure transducer to properly control the steam supply to the chamber, in order both to ensure a repeatable sterilization process and not to damage the product. The process description is specified in Section 4.

2.c Safety & Interlocking The fully automatic sliding doors are provided with a containment cabinet that prevents access to the mechanisms. The control system interlocks shall prevent the autoclave doors from being opened if a potentially dangerous condition exists within the autoclave, and cycles from being initiated until the doors are closed and locked, thus isolating and sealing the chamber. The autoclave doors can never be opened while the chamber is under pressure and while a cycle is being executed (for emergency reasons a cycle can be aborted in controlled and safe conditions: see TH4 User’s Manual). As an active protection for the operator, the doors can be closed only by a continuous pressure on closing button (if it is released, the door will automatically reverse its direction motion). A safety thermometer (TESIC), connected to an independent chamber temperature probe (TE5) and equipped with independent digital display located on the loading side fascia panel, prevents the opening of the doors in case of too high temperature (minimum set level) in the chamber. If during the process the temperature in the chamber exceeds the safety temperature (maximum set level), TESIC locks any energy supply to the chamber by closing the steam inlet valve(s) and the compressed air inlet valve(s). The TESIC temperature set configuration is accessible only through password.

1 Interchangeable with NA1341AN and NA1342AN sterilizers.



Doc. no. 147854-3 of 26

3. Utilities Required demands 3.a Details on the required and available utilities can be found on the installation drawing (FEDEGARI dwg.

no. GA011575).

3.1 Environmental Conditions Requested for Installation 3.1.a Limit environmental conditions for the autoclave:

- Temperature, including maintenance area and electric panel: 5 ÷ 40 °C. - Relative humidity max.: 85%, T≤ 40 °C. - Powder concentration max.: 2 x 106 cu ft.

3.2 Others 3.2.a Heat radiation to loading side (door closed) 1,2 kW

Heat radiation to unloading side (door closed) 1,2 kW Heat radiation to technical area 4,3 kW Weight (empty) 5500 kg Weight (hydrostatic test) 12300 kg



Doc. no. 147854-3 of 26

4. Process Description 4.a Loading the product, selecting the cycle to be performed, closing and locking the doors: these

operations precede the sterilization cycle in strict sense, as well as final door opening and unloading the product. These operations are not automatically performed by Thema4 process controller.

4.b A typical sterilization cycle always includes the following steps: - Starting the cycle - Pre-conditioning - Heating up to the exposure temperature - Exposure/sterilizing - Post treatment - Atmospheric balance Each cycle phase can be individually configured within the options of the supplied software. “Service” cycles as chamber tightness (or leak rate) test and chamber draining do not include heating or sterilization phases. For the details about the programmed cycles to be included in the delivery see Section 4.3.

4.c Pre- conditioning The pre-conditioning step may include pre-heating and/or air removal from the chamber and the product.

4.d Heating up to the exposure temperature The chamber and load are heated and pressurized to the required parameters by the heating medium relevant to the selected cycle.

4.e Exposure/sterilizing Exposure phase begins when all the process monitoring probes have reached the lower temperature threshold; this starts the counting of the exposure time. The chamber temperature is held within a selectable temperature range for a selectable period of time. Exposure duration control may be based on “time within temperature range”, with or without calculation of the F0 value summed up, or directly on “F0 target”. The physical parameters for sterilization (temperature range, duration, F0 target, excess of duration, maximum F0 spread, etc.) have to be defined according to load characteristics and probe positions. The success of the process is monitored by dedicated Pt100 probes. In any case, temperature probes are no longer considered if they are detected to be failed, i.e. if they return a measurement value outside the temperature range regarded as meaningful (-20 °C ÷ 160 °C). Dedicated alarms monitor the value of all designated probes over the sterilization period and record incidents such as power blackouts, as specified by programmable parameters.

4.f Post Treatment The purpose of the post treatment is to cool and/or to dry the product/equipment after sterilization.

4.g Atmospheric balance This step equilibrates the internal pressure of the chamber with the atmospheric pressure of the site, either by pressure release via VP4 valve or by vacuum break via VPX and VP3 valves.



Doc. no. 147854-3 of 26

4.1 Saturated Steam Cycles 4.1.a General

Saturated steam cycles require the evacuation of air from the chamber prior to the sterilization phase. The air removal from the chamber and, if necessary, from the load can be obtained by the methods described below, to be chosen according to the characteristics of the load to be processed. A one-to-one relationship exists between temperature and pressure of the pure saturated steam, so that the control of chamber pressure may be used to reach and maintain the temperature set. This control method has the advantage to use a physical parameter that has an uniform value inside the autoclave chamber, and is measured by a quick response instrument-in-the-field. The degree of control is precise and responsive enough to maintain a temperature distribution better than ±1,0 ºC both in empty and in loaded chambers, both throughout the load and over time. Heat is effectively transferred to the load as the steam in the chamber condenses on it, releasing its latent heat. Condense is continually drawn out of the chamber by the vacuum pump through a small valve (VP7). The removal of condensate causes the continuous demand of new steam, in order to keep the chamber pressure constant; it also helps to draw out any accumulation of non-condensable gases which may be entrained in the steam. During the phases that perform heating of the jacket, the jacket temperature is controlled by the temperature probe TE8 actuating the on/off inlet steam valve VP1.

4.1.b Air removal: dynamic vacuum (applicable to non-porous and not hollow loads) Vacuum is performed by vacuum pump down to a target value (0,06 ÷ 0,10 bar abs), through vacuum pump PV and full size valve VP6. At vacuum target, a bleed of steam is injected in chamber while the vacuum pump PV maintains a set vacuum value for a target time. Around 90% of air is evacuated during the first pull; the residual air is carried out, together with some steam, during the steam bleed. Initial vacuum rate may be reduced by using the vacuum pump PV7 coupled to the small size valve VP7 down to a programmable intermediate target.

4.1.c Air removal: steam/vacuum pulses (suitable to porous and hollow loads) Vacuum is performed by vacuum pump down to a target value (0,10 ÷ 0,12 bar abs), through vacuum pump PV and full size valve VP6. At vacuum target, steam is fed to the chamber while the vacuum pump PV7 maintains the suction through the reduced size valve VP7, up to a pressure target. At set value of pressure, vacuum is performed again through vacuum pump PV and full size valve VP6, down to a vacuum target. The vacuum rate down to a programmable intermediate target may be reduced by using the vacuum pump PV7 coupled to the small size valve VP7. This pulsing process may be repeated for a selectable number of times. The actual sequence of pulses can also consist out of initial sub-atmospheric pulses followed by final super-atmospheric ones. Around 90% of air is evacuated during the first pull; the subsequent repeated extraction of steam/air mixture, progressively poorer in air, assures complete air removal.

4.1.d Air removal: by gravity (suitable to loads that can be damaged by pressure differences or liquid loads in small sealed containers) The air displacement is performed by steam injection while the drainage valve VP4 is maintained open to allow the direct evacuation of air (mixed with steam). The phase is ended by reaching a target duration or a target drain temperature.

4.1.e Heating phase Steam is injected in chamber up to a target temperature. The steam injection valve is controlled by using as pressure set point the saturated steam pressure corresponding to the sterilization temperature.



Doc. no. 147854-3 of 26

4.1.f Sterilization phase The temperature control is performed in the same way as during the heating phase, i.e. using as pressure set point the saturated steam pressure corresponding to the sterilization temperature. The phase is ended by reaching the exposure time target within sterilization temperature range, or the minimum F0 value calculated by the selected probes.

4.1.g Cooling phase with pressure control Steam inlet to chamber and jacket is switched off, and compressed air is fed to the chamber via VP3 valve, to remove the steam from the chamber in order to allow the cooling without excessive pressure drop. Next to steam removal, cooling water is fed to the internal plates heat exchangers. Cooling phase can be performed either by keeping the pressure constant or by progressively reducing it as a function of the temperature. The control of the chamber pressure is obtained by simultaneously modulating air inlet valve VP3 and vent valve VP4.

4.1.h Vacuum drying phase Steam inlet to chamber is switched off, but the jacket is heated to provide some drying energy to the load and to the chamber walls. Vacuum helps to speed the drying process by lowering the steam pressure in the chamber, thus allowing the evaporation of water surrounding the load, provided this is still warm enough. Vacuum is performed by vacuum pump PV down to a pressure target through full size valve VP6. Initially, the vacuum rate may be reduced by using the vacuum pump PV7 coupled to the small size valve VP7 down to a programmable intermediate target. Finally, target vacuum is maintained until a target time.

4.1.i Drying by vacuum/air pulses Steam inlet to chamber is switched off, but the jacket is heated to provide some drying energy to the load and to the chamber walls. The energy transfer for drying the product may be enhanced by air pulses to the chamber. Vacuum is performed by vacuum pump PV down to a target value (0,10 ÷ 0,12 bar abs), through full size valve VP6. At set vacuum, air is fed to the chamber up to a pressure target. At pressure target, air may be circulated until a target time; then vacuum is performed again through vacuum pump PV and full size valve VP6 down to a target value and vacuum target may be maintained until a target time. This pulsing process may be repeated for a selectable number of times. Finally, target vacuum may be maintained until a target time.

4.1.j Drying by air circulation The jacket is heated to provide some drying energy to the load and to the chamber walls. The energy transfer for drying the product is obtained by air circulation in the chamber. The pressure in the chamber may be either super-atmospheric (outlet via VP4 valve) or sub-atmospheric (outlet via VP6 or VP7 valves and vacuum pumps). Sub-atmospheric air circulation may used either compressed air fed by VP10 valve, or ambient air sucked by vacuum pump via VPX valve. Air circulation is maintained until a target time.



Doc. no. 147854-3 of 26

4.2 Air-over-steam cycles1 4.2.a General

It is well known that the internal pressure of a tight sealed container containing an homogeneous liquid is equal to the sum of: - the steam pressure of the liquid at its actual temperature; - the initial pressure of the air inside the container, multiplied for the ratio of its actual absolute

temperature and its initial (i.e. when the container was closed) absolute temperature, and divided for the ratio of the actual head space and the initial head space ("head space" is the difference between the internal volume of the container and the volume of the liquid contained in it);

- the fugacity (i.e. the escaping pressure) of the gases initially solved by the liquid. The ratio between the actual head space and the initial one obviously depends on the difference between the thermal expansion of the liquid and the thermal expansion of the container; it has a meaningful effect in the case of glass containers that are much filled, but it is negligible in case of plastic containers. This is the reason why it is practically impossible to sterilize by heat glass containers with a head space less than 10% unless they are sealed by a movable stopper. This constraint does not apply to plastic containers; on the other side, the mechanical strength of many plastic materials becomes often so small at the sterilization temperature that it is necessary to keep the difference constantly very small between the internal pressure of the container and the autoclave pressure. On the contrary, in case of rigid (i.e. glass) containers the same difference may be appreciably greater. To ballast the pressure inside the autoclave chamber at almost the same level as the pressure inside the product, the air initially present in the chamber is not eliminated.

4.2.b Heating phase Due to the presence of both steam and air inside the autoclave chamber during the process, the chamber total pressure does not depend directly on the temperature; a one-to-one relationship only exists between the temperature and the partial pressure of the steam inside the chamber. Therefore, the chamber pressure can and must be independently controlled with a fixed or variable set point; this control is obtained by adding compressed air into the chamber or by pressure relief from it. At the end of the heating phase both the temperature set point and the pressure set point are attained. Steam is fed to the chamber to heat the chamber and the product up the set point temperature value. The steam feed valve is controlled by the “plant” probes TE9 or TE10. During the heating phase the control of the pressure in the autoclave chamber is performed by feeding compressed air via the valve VP3 and/or discharging overpressure via the pressure relief valve VP304. Various pressurization patterns are stored in the Thema4 controlled programs and may be configured by the User. The heating phase ends only when the minimum "product" temperature has overcome the programmed min. sterilization temperature threshold (e.g. the minimum sterilization temperature increased of a specific value which varies according to the particular typology of the sterilizer in use. In this case the value is equal to 0,2 °C).

4.2.c Sterilization phase The temperature control and pressure control are performed as during the heating phase. The phase is ended by reaching the exposure time target within sterilization temperature range, or the minimum F0 value calculated by the selected probes.

1 This section is written as standard for FEDEGARI though no air over steam cycles are foreseen for this particular sterilizer.



Doc. no. 147854-3 of 26

4.2.d Cooling phase with pressure control See above, 4.1.g. The discharge of the excess pressure from the chamber may occur, alternatively or in addition, either via the bottom valve VP4 or via the side valve VP304, both of the modulating type.

4.3 Programs Included in Delivery 4.3.a Programmability limits

Up to 9999 ready-for-use programs may be simultaneously stored for production. The autoclave will be delivered with the following cycles (each of which may be used as the basis of several production programs with different parameters), derived from the standard FEDEGARI cycles according to the Client’s requirement.

4.3.b 1.01 – Chamber vacuum leak rate test The cycle includes initial vacuum pull residual pressure targeted, stabilization phase time targeted, test phase time targeted, vacuum break phase.

4.3.c 1.03 – Chamber pressure leak rate test The cycle includes initial air pulse pressure targeted, stabilization phase time targeted, test phase time targeted, pressure release phase.

4.3.d 1.04 – Chamber spray washing The cycle includes spray washing of the product by purified water and final chamber drain. For a detailed description on how the spray system works see Section 6.6.

4.3.e 1.10.D2 – Pre-heating/Initial mixed vacuum/sterilization/drying vacuum/drying by air pulses To perform programs at temperature values between 102 °C and 138 °C, including pre-heating initial vacuum with timed steam injection and two sets of separately programmable pulsed steam/vacuum for air elimination, heating and sterilization, programmable vacuum drying, programmable hot air pulses. (See above: 4.1.b, 4.1.c (twice), 4.1.e, 4.1.f, 4.1.h, 4.1.i, 4.1.j)

4.3.f 1.13 – Initial vacuum pulses/sterilization/drying (for porous solids) To perform programs at temperature values between 102 °C and 138 °C, including initial pulsed steam/vacuum for air elimination, heating and sterilization, programmable vacuum drying. This cycle is typical for the loads that demand Bowie Dick Test or DART to check the suitability of the process. (See above: 4.1.c, 4.1.e, 4.1.f, 4.1.h)

4.3.g 1.55 – Initial vacuum pulses/sterilization/drying (for air filter sterilization) To perform programs at temperature values between 102 °C and 138 °C, including initial pulsed vacuum/steam for air elimination, heating and sterilization, optional vacuum drying. VPY valve is kept open during all the cycle, to connect air intake line with chamber for air removal, heating, sterilization and drying. Condense discharge valves VPZ and VPZ1 are kept open during heating and sterilization phase, provided that the chamber pressure is super-atmospheric. (See above 4.1.c, 4.1.e, 4.1.f, 4.1.h)



Doc. no. 147854-3 of 26

4.4 Autoclave Performances 4.4.a The heating of the empty chamber up to 121°C will not exceed 15 minutes. The vacuum system is

capable of evacuating the autoclave chamber to an ultimate pressure equal to or less than 60 mbar absolute in max. 12 min (starting from ambient pressure and feeding the vacuum pump liquid ring with water at a temperature that does not exceed 15°C). The max. allowed sterilization temperature during pure saturated steam cycles is 138 °C.

4.4.b Throughout the holding time the temperature distribution in the chamber in empty conditions does not fluctuate or does not differ more than ±1,0 ºC with respect to the process sterilization temperature. Throughout the holding time the temperatures measured in the autoclave chamber are maintained within the specified sterilization temperature band according to the proper set sterilization temperature.

4.4.c The autoclave is equipped with a vacuum system capable of pulling the vacuum to a pressure value greater than or equal to 60 mbar absolute and during the chamber leak test the rate of the pressure rise shall not exceed 80 mbar/h, in accordance with HTM 2010 and EN285, over a duration of test equal to 10 min. The test has to be performed after a stabilization phase. The vacuum leak rate test cycle can be performed including the chamber vent filter housing assembly.

4.4.d The expected sound level will not exceed the value of 70 dB(A) at 1 m from the perimeter of the machine (value calculated both considering one operative hour and the period of 8 hours).



Doc. no. 147854-3 of 26

5. Mechanical Construction

5.1 Pressure Vessel 5.1.a The pressure vessel will be designed, manufactured and examined according to the German

Construction Code AD-2000 MERKBLATT, in order to obtain the full compliance to the 97/23/EC PED Directive. The pressure vessel is mainly made up of three parts: the chamber, the jacket and the doors.

5.1.1 Chamber 5.1.1.a The chamber dimensions are 1300 x 1500 x 2000 mm (W x H x L), corresponding to an useful volume

of 3900 litres. The loading level height is 500 mm.

5.1.1.b The chamber is cylindrical with inner surface ground and polished to high quality. The Ra value has to be better than 0,4 µm. All metal parts in the inner surfaces are made of stainless steel AISI 316 Ti.

5.1.1.c The design pressure for the chamber is 4 bar absolute overpressure and full vacuum. A test certificate will be provided for both the chamber and the pressure relief valve.

5.1.1.d The automatic valve VP4 for pressure discharge is installed on chamber drain line; PC4 micro-switch verifies the valve close position.

5.1.2 Jacket 5.1.2.a The jacket is made of pressed stainless steel AISI 316 Ti, welded around the chamber.

The primary purposes of the jacket are to improve heat distribution in the chamber and to reduce condense.

5.1.2.b The design pressure for the jacket is 3,5 bar absolute overpressure. A test certificate will be provided for both the jacket and the pressure relief.

5.1.3 Doors 5.1.3.a The unit has to be a double door unit.

The doors are made of AISI 316 Ti stainless steel and have to be of horizontal sliding type, opening and closing automatically by an electric motor. After a sterilization process the doors can be opened and closed repeatedly. The doors are interlocked to prevent the simultaneous doors opening that would compromise the integrity of the sterilized load, of the chamber and of the clean room. The opening of the door on the sterile side is allowed only when sterilization is achieved. Then the door on sterile side can be open and closed repeatedly, until the door on not sterile side remains closed.



Doc. no. 147854-3 of 26

5.1.3.b Provisions are made to eliminate the risk for personnel and equipment to get jammed at door closing. Safety interlocks foreseen for door management are described in details at section 7 of TH4–Extract from Functional Design Specification SP-102190 in Annex 2.

5.1.3.c The doors have internally a smooth surface with a Ra value better than 0,4 µm. The doors’ gasket is made of solid silicone rubber, placed in a precision machine tapered groove around the chamber opening. The gasket tightens against the door when compressed air is pressed into the groove behind the gasket. Before the door is opened, pressure is released and the seal moves back due to its inherent elasticity. Thanks to a properly design and material, all mechanisms are lubricant free.

5.2 Insulation 5.2.a The chamber is insulated with artificial mineral wool fibre panel (asbestos, chlorides and crystalline

silica free) whose thickness is 50 mm with aluminium cover sheathing.

5.2.b The door is insulated with 30 mm mineral wool and covered with AISI 304 stainless steel cover sheets. The external temperature cannot exceed 50 °C.

5.2.c The piping insulating sheets are made of polyamide that does not contain asbestos, chloride and crystalline silica. The lines provided with piping insulation are shown on the P&ID (Tag. P.P.: Personal Protection).

5.3 Machine Frame 5.3.a

The pressure vessel is supported on a frame with adjustable feet, made of AISI 304 stainless steel.

5.3.b Most valves and other equipment are mounted on a separate frame. This frame is made of AISI 304 stainless steel and has adjustable feet.

5.4 Panels 5.4.a The fascia panel, the door panels and the lateral sides panels are made of AISI 304 stainless steel

sheets, vertically brushed. The surface is satin finish to 0,3 µm Ra Scotch Brite. The autoclave is bio-sealed on both sides.



Doc. no. 147854-3 of 26

6. Mechanical Components

6.1 Pipes and Valves 6.1.a All incoming media valves are to be pneumatically operated, sanitary design, made of AISI 316L with

Teflon seats and glandless. Condense removal system comprises adjustable orifice drain valve (VP7) and permanent application of vacuum to drain throughout the process.

6.1.b The piping components installed on the machine will be in accordance with the following General Piping Specification:

Item Size Description Piping All sizes Material: ASTM A270 Type 316L Stainless Steel

STD O.D. finish Internal Finishing with max. Ra = 0,8 µm (Ra value better than 0,4 µm for clean steam line, compressed air line and purified water line) Imperial size dimensions

Nozzles All sizes To be applied to all nozzles welded on the Pressure Vessel. Material: 1.4404/1.4435 EN10216-5 Stainless Steel Tubing STD O.D. finish Internal Finishing with max. Ra = 0,8 µm Imperial size dimensions

Joints All sizes Butt welded, Automatic Orbital Welding (as an alternative where not applicable: manual TIG welds)

Clamps All sizes Cast type 304 stainless. The ferrules are sanitary design Tri-Clamp type, design and manufacturer according to FEDEGARI STD.

Gaskets All sizes EPDM steam resistant material In-Line Valves All sizes and all types

(ON/OFF, modulating, sampling installed on tubing)

Body: hot rolled 316L stainless steel Internal finishing with max. Ra = 0,8 µm STD O.D. finish Connections: Tri-Clamp type, design and manufacturer according to FEDEGARI STD. Diaphragm: PTFE Lubricant free

Thermostatic steam traps

All sizes Body: hot rolled 316L Stainless Steel Connections: Tri-Clamp type, design and manufacturer according to FEDEGARI STD. Bimetallic Traps Type by GESTRA

Notes: 1 - Diaphragm valves are designed according to the following design conditions: pressure 6 bar g, temperature 160 °C. The design assures the sanitary design and the installation assures the proper drainage. 2 - All devices are tagged and fully traceable to the P&ID. 3 - All connections are Tri-clamp type connections designed and manufactured according to FEDEGARI STD..



Doc. no. 147854-3 of 26

6.2 Vacuum and Drain System 6.2.a Full rate vacuum is performed by means of the water ring vacuum pump PV (mod. 2BV5 121-0KC90-6S

by NASH ELMO) through VP6 valve while the reduced rate vacuum is performed by means of the smaller sized water ring vacuum pump PV7 (mod. 2BV2 060-0NC00-1S by NASH ELMO) through VP7 valve.

6.2.b The pumps have to be connected to an automatic feed and re-circulating water system. Softened water fills up a tank (TANK) and supplies the vacuum pump after having been cooled by a plates heat exchanger (RAFFR2) (mod. CB76-20H by ALFA LAVAL). The water that leaves the vacuum pumps is redirected into the tank thus forming a closed loop. The recovery tank is provided with an overflow and make-up.

6.2.c A drain cooling system is installed on the condensates discharge pipe and on the generic waste before leaving the machine. This system is constituted by a plates heat exchanger (RAFFR) (mod. CB27-24H by ALFA LAVAL) supplied with chilled water and regulated by a thermostat (TER). The system is used to reduce the temperature of condensates below 80 °C. Before leaving the machine the above stream is de-pressurized by separating the air from the liquid phase already present within the cyclone separator (SEP). The residual condensate stream is then conveyed to the main drain system, whose dimensions are designed in order to assure an appropriate evacuation.

6.3 Incoming Air to Chamber 6.3.a The air filter (FA) has to be installed for compressed or atmospheric air entering the autoclave chamber.

Filter’s absolute removal rating is 0,2 µm in liquids, 0,003 µm in gases. Filter’s bacterial challenge: Brevundimonas (Pseudomonas) diminuta 107/cm2.

6.3.b The filter has to be housed in a filter-holder made of stainless steel (cartridge PALL type Emflon PFR mod. AB1PFR7PVH4, mod. housing AGT11G95EEH4 by PALL). The installation should be designed for automatic in-line steam sterilization. The sterilization and test cycle includes pre-heating, sterilization (set temp/time), cooling and drying. One Pt100 probe (TE7) indicates and records during air filter sterilization.

6.3.c The filter is equipped with the required connection manual valves (VM6 and VM16) for the execution of WIT test with manual mode and protection sheet.



Doc. no. 147854-3 of 26

6.4 Internal plates heat exchangers cooling/drying system

6.5 Chamber’s Internal Circulation Fans

6.6 Spray washing/rinsing System 6.6.a The machine is equipped with internal nozzles installed on the two sides of the chamber (3 stripes of

nozzles for each side, 42 nozzles on each stripe) to assure the washing and rinsing of the product inside the chamber. The stripes are activated in alternation (one stripe at a time with selectable time differences between activations). The rated flow-rate of each nozzle is equal to 1,6 l/min.

6.6.b The chamber is fed with purified water through VPW2 root valve. The six stripes of nozzles are activated by opening VPW2A, VPW2B, VPW2C, VPW2D, VPW2E and VPW2F valves in alternation. After the washing/rinsing process the purified water is drained out of the chamber and is routed to the cyclone separator (SEP) through VP16 valve. The flushing/draining of the purified water line is performed by letting in filtered air at atmospheric pressure through VP6T air intake valve and by simultaneously opening VPE1, VPE2 and VPE3 valves.

6.4.a The internal plates heat exchangers cooling water re-circulation system is constituted by a recovery tank (TANK4), connected to a softened water line, a re-circulation pump (PA3, mod. CA70/33 by LOWARA) and a cooler (RAFFR4) (mod. CB27-50H by Alfa Laval), supplied with chilled water. The heat exchanger is of Cu-brazed type, with cover plates, plates and connections in AISI 316.

6.4.b The re-circulation pump and the cooling water feeding valve to RAFFR4 are activated in closed loop to the re-circulation tank (TANK4) both when the thermostat (TER2) is in high temperature condition and during the activation of the cooling system: the cooling water for the heat exchangers is fed through the valve VP308 and discharged through valve VP328 to the recovery TANK4. The cooling water is drained out of the heat exchangers by letting in compressed air through valve VP329. In case of low level the automatic make-up to the tank is assured, in case of minimum level (RL1W) the re-circulation pump is de-activated.

6.4.c The internal plates heat exchangers can be also fed with steam for drying purposes through VP306 valve.

6.5.a The chamber is equipped with no. 2 air re-circulation fans. The motor is magnetically coupled to the fan through the chamber. The fans’ material is AISI 316 for the magnetic drive, while PVDF (Brand mane SOFEF PVDF in accordance with section 177.2510 – Polyvinylidane Fluoride Resins – Code of Federal Regulation, volume 21) for fans’ blades. During operation the fans force the fluid (air/steam) to circulate through heat exchangers opportunely placed within the chamber. In this way the fluid gets cooler and is led again through the load by means of a suitable aeraulic passage.



Doc. no. 147854-3 of 26

7. Electrical Components

7.1 Required Connections

7.2 Control System 7.2.a See TH4 –User’s Manual. With reference to the General HW Configuration of the Control System, the

one that will be foreseen for the specific machine is the following (see Section 1 of SP-102190): 1 – Side 1 Operator Panel (primary/S1): Digital Proface PC mod. PL6921-T42 with lateral floppy disk

drive 2 – Side 2/technical area Panel PC: not included 3 – PLC remote I/O modules: Siemens ET200S 4 – Hub for Ethernet connection between operator panel and external connection: included 5 – UPS for blackout management: included 6 – Thermal Printer: included 7 – Side 2 door management module: included 8 – Remote Operator Station: not included 9 – Remote GUI license: included

7.2.b All messages and alarms visualized on the PC panel have to be in French.

7.3 Panel and Indicators on loading side 7.3.a Door control panel including emergency stop button, process controller key-switch, door OPEN/CLOSE

buttons. Additional available features are:

1) one light to indicate emergency button activation

7.3.b Sanitary pressure gauge for chamber pressure (MAVS). Pressure gauge for jacket pressure (MAI).

7.3.c Safety thermometer and independent temperature indicator (TE5 and TESIC).

7.4 Indicators on unloading side 7.4.a Door’s control display, emergency stop button, door OPEN/CLOSE buttons.

7.4.b Sanitary pressure gauge for chamber pressure (MAV1S).

7.1.a One power supply 400V - 3ph + PE - 50Hz (for autoclave and control system).



Doc. no. 147854-3 of 26

7.5 Indicators in Service Area 7.5.a Manometers installed on the utility lines:

- on the air feeding line for the internal heat exchangers (MA8). Sanitary manometers installed:

- on the compressed air feeding line for the chamber (MA3.1).

7.5.b Manometers installed on the pneumatic distribution lines: - on compressed air controls (MA6 and MA7) downstream the i/p converters (COP and COT)- on the line feeding the low-pressure valves (MA24) - on the line feeding the door seal controls (MA, MA1 and MA2).

7.6 Temperature and pressure transducers 7.6.a Temperature probes

Temperature probes may be fixed or flexible, designated as product, plant or display probes. All circuits have built in linearization (“autocalibration”). The temperature probes are connected with sanitary connection. Temperature probes are of the 4-wire Pt100 type (manufacturer FASINTERNATIONAL), Specification IEC/751 Class 0.1, with silicone rubber sheathing, duplex when applicable (see section 7.6.b). The theoretical measuring range of the temperature probes is –80 °C/+250 °C. Thema4 controller considers the probes to be failed if they return a measurement value outside the meaningful range (-20 °C ÷ 160 °C).



Doc. no. 147854-3 of 26

7.6.b The following list gives the location and use of each probe supplied by FEDEGARI and by Client. TE5 is not connected to the Thema4 but to a separate safety thermometer TESIC (mod. 2108i/AL/GN/VH/RF/RF, manufacturer EUROTHERM).

Probe ID Type Location Usage

TE1 Fixed, product and display Chamber drain Coolest point for

saturated steam cycles TE2 TE3 TE4

Flexible, product or display

Load or chamber free space

Load temperature or chamber temperature

TE5 Flexible, safety Load or chamber free space

Safety interlock for door opening (fluid loads), independent temperature check, independent over-temperature interlock

TE7 Fixed, product Process air FA Temperature control of the inlet air

TE8 Fixed, plant Jacket Control of jacket temperature by steam valve operation

TE9 TE10

Fixed, plant Chamber space Control of chamber temperature during air-steam cycles

7.6.c Each temperature probe can produce a digital and graphic recording on the Thema4 process controller.

7.6.d The process controller will detect probe failures (open or short circuit) and will ignore data from a failed

probe. The process controller will generate an alarm and it will disable the failed probes. However the process will continue as long as at least one plant probe and at least one product probe remain functional; otherwise the process will be aborted with consequent alarms.

7.6.e Pressure transducers Pressure transducers with separation diaphragm, 0 ÷ 5 bar absolute range, specification VDI/VDE 2184, accuracy +/-0,1% full scale (TP), manufacturer HAENNI mod. ED 701 R204R4A2510/9007/0120.

7.6.f The circuit has built-in linearization (“autocalibration”). The pressure transducers are connected with a sanitary connection. The following table gives the location and use of the transducers supplied.

Transducer ID Location Usage TP Chamber Control of chamber pressure by compressed

air/vent valve operation and steam valve



Doc. no. 147854-3 of 26

8. Extra features 8.a As standard the autoclave includes:

- automatic SIP of sterile air filter and connections for in-line manual integrity testing - condensate level sensor and alarm - chamber validation ports (nozzles C28 and C29) with total capacity for at least 24 thermocouples.

8.b - No. 1 kit for introduction of validation probes provided with one tri-clamp connection (with blanking plates and safety clamps), suitable for the introduction of at least 12 thermocouples.

8.c Other non-standard features included in the scope of supply to be installed on machine are:

- Sanitary pressure switches on clean steam, compressed air and purified water lines (CPV, CPA

and CPH2) - Pressure reducers on the compressed air feeding line for the internal heat exchangers, on the

compressed air feeding line for the chamber (RA0 and RA1) - Safety valve on compressed air line - 1” ASME BPE compliant Tri-clamp adapters on compressed air line for chamber counter-pressure

and on purified water line and 2 ½” ASME BPE compliant Tri-clamp adapter on clean steam line

9. Documentation

9.1 Installation Drawing, P&ID 9.1.a Installation DWG: no. 2 copies already sent and returned approved/commented by Client.

9.1.b P&ID: no. 2 copies will be issued for approval, 1 copy to be returned approved/commented within two

working weeks.

9.1.c Certified construction DWG: sent approx 2 weeks after approval. As Built DWG: issued after FAT and delivered with autoclave, in both copies of Technical Manual.

9.2 Pressure Vessel Documentation 9.2.a Pressure vessel documents issued at FAT. Original and one copy.

9.3 Documents supplied on Completion 9.3.a 3 copies of Technical Manual in French, incorporating:

- As built Installation drawing - P&ID with parts list - Wiring Diagram with parts list - Drawings of Fedegari supplied valves, devices - Data sheets for bought-in items e.g. vacuum pump



Doc. no. 147854-3 of 26

- EC Declaration of Conformity for critical instruments - Configuration data - User Manual for Thema4 operating system - Data sheets for each phase in the library supplied - Installation instructions - Sub-supplier information - Maintenance instructions - FDS (Functional Design Specification, issued for the specific machine) - Planned preventative maintenance schedule – daily/weekly/monthly/annual overhaul

9.3.b 3 copies of Operators Manual in French, including: - Recommended spare parts list

9.3.c Process Controller THEMA4

Validation Package including: - Validation Package Letter - Life cycle of Process Controller – GAMP4 Approach - Functional Design Specification - Configuration Manual – HW and SW Configuration - HW-SW Change Control - Libraries Configuration Manual - Change Control P/G Library - Validation Activities Planning - Risk Analysis – Methodology - Risk Analysis – Report

9.3.d Certificates

- Welding log for clean steam line, compressed air line and purified water line tubing and 3.1B certificate

- Roughness test certificate (for chamber) - Documentation on manometers’ supplier and manometers certificates - Calibration certificates

9.3.e - Data sheets on chamber safety valves calculations - Material declaration - Insulating material declaration - PED dossier copy



Doc. no. 147854-3 of 26

10. Standards & Codes 10.a The quality System of Fedegari Autoclavi SpA has been Certified compliant with the EN ISO

9001:2000. The autoclave has to be CE marked and has to be in conformity with the following European Directives: - Dir. 98/37/EC MD-Machinery Safety - Dir. 97/23/EC annex 3, category III PED-Pressure Equipment module H - Dir. 89/336/EC and amendments EMC-Electro Magnetic Compatibility - Dir. 73/23/EC and amendments LVD-Low voltage systems

10.b The pressure vessel code AD-2000 MERKBLATT (Germany). Build standard is to full cGMP standards. Control software is fully compliant with GAMP4 standard and 21 CFR Part 11. Documentation prepared in compliance to the applicable European Directive. Drawings – P&ID symbology – ANSI-ISA S5.1–1984 (DIN19227, DIN28004).

10.c The autoclave is constructed following the performance requirements, when applicable, specified in EN285 : 1996 Sterilization – Steam Sterilizers – Large Sterilizers (applicable parts) UK NHS Department Technical Health Memorandum HTM2010

10.d Conformity to others European Standards: EN 12100 – Safety of machinery EN 55011 – Industrial scientific and medical (ISM) radiofrequency equipment EN 60204-1 (IEC 204.1) Safety of machinery – Electrical equipment of machines. Part 1:

General requirement EN 61000-4-2 (IEC 1000.4.2) Electromagnetic compatibility (EMC) Part 4: Testing and

measurement techniques. Section 2: Electrostatic discharge immunity test EN 61000-4-4 (IEC 1000.4.4) Electromagnetic compatibility (EMC) Part 4: Testing and

measurement techniques. Section 4: Electrical fast transient/burst immunity test

10.e The electrical system achieves a minimum protection degree equal to IP54.



Doc. no. 147854-3 of 26

11. Glossary CFR : Code Federal Regulation DWG : Drawing FAT : Functional Acceptance Test FDS : Functional Design Specification GAMP : Good Automated Manufacturing Practice cGMP : Good Manufacturing Practice GUI : Graphical User Interface HTM : Health Technical Memorandum HW : Hard Ware NHS : National Health Service P&ID : Process & Instruments Diagram TH4 : FEDEGARI Process Controller Thema4 UPS : Uninterruptible Power Supply WIT : Water Intrusion Test



Doc. no. 147854-3 of 26

Appendix 1 TN-102081– TH4 - Report of Pressure and Temperature Measurement

THEMA4 Report of Pressure and

Temperature Measurement

TN –102081-3

Pag. 2/7

CONTENTS 1. THEMA4 PRESSURE MEASUREMENT............................................................................3 1.1 “Pressure- Measurement- Chain”: Description and Relevant Errors ...................................................3

A. Pressure Transducer .................................................................................................................. 3 B. I/O Module ................................................................................................................................ 3 C. Process Controller ...................................................................................................................... 3

2. THEMA4 TEMPERATURE MEASUREMENT....................................................................5

2.2 “Temperature-Measurement - Chain”: Description and Relevant Errors ................................................5 A. Temperature Probe..................................................................................................................... 5 B. INOR Module ............................................................................................................................. 5 C. I/O Module ................................................................................................................................. 5 D. Process Controller ...................................................................................................................... 5

References........................................................................................................................................7



TN –102081-3

Pag. 3/7

1. THEMA4 PRESSURE MEASUREMENT 1.1 “Pressure- Measurement- Chain”: Description and Relevant Errors The Thema 4 “Pressure measurement chain” is composed by the following elements:

A. Pressure Transducer Input: 0 – 5 bar abs Output: 4 – 20 mA Model: HAENNI, ED701/R20.4R4.A25.10/9007/0080 Maximum allowable total error: + 0,4% Input Range = +0,02 bar Note: The evaluation of this error includes non-linearity, thermal drift, hysteresis and reproducibility errors and it is applicable for “media temperature” values from 25 to 125 °C. Each single Pressure Transducer is calibrated (with an interactive method) and certified by the manufacturer in compliance to the above specified precision.”

B. I/O Module 1 The performance of the I/O analog module is described according to the manufacturer.

ET200S ET200M Allen Bradley 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1794-IF2XOF2I 1794 – IF4I Input : 4 – 20 mA Input : 4 – 20 mA Input : 4 – 20 mA Input : 4 – 20 mA Output: 0 – 27648 counts Output: 0 – 27648 counts Output: 0 – 61681 counts Output: 0 – 61681 counts +0.012 mA +0.011 mA +0.017 mA +0.017 mA +0.004 bar 2 +0.003 bar 2 +0.005 bar 2 +0.005 bar 2

C. Process Controller The controller operates using data in Pa.

1 I/O Modules according to the specific HW configuration of TH4 as specified on FDS section 7.2. 2 Max allowable total error

ET200S ET200M Allen Bradley 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1749-IF2XOF2I 1794 – IF4I Input : 0 – 27648 counts Input : 0 – 27648 counts Input : 0 – 61681 counts Input : 0 – 30840 counts Output: 0 – 500000 Pa Output: 0 – 500000 Pa Output: 0 – 500000 Pa Output: 0 – 500000 Pa

< +0.001 bar 2 < +0.001 bar 2 <+ 0.001 bar 2 < + 0.001 bar 2

PR

ES

SU

RE

TR

AN

SD

UC

ER

I/O M

OD

ULE

P

C



TN –102081-3

Pag. 4/7

Total Accuracy of the Measurement-Chain

ET200S ET200M Allen Bradley 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1749-IF2XOF2I 1794-IF4I

PRESSURE TRANSDUCER +0.020 bar +0.020 bar +0.020 bar +0.020 bar

I/O MODULE +0.004 bar +0.003 bar +0.005 bar +0.005 bar

PC negligible negligible negligible negligible

TOTAL (ABSOLUTE) 3 +0.024 bar +0.023 bar +0.025 bar +0.025 bar

TOTAL (PONDERAL)4 + 0.020 bar + 0.020 bar + 0.021 bar + 0.021 bar

3 Absolute total error is equal to the sum of the allowable total errors 4 Ponderal total error is equal to the square root of the sum of the quadratic allowable total errors



TN –102081-3

Pag. 5/7

2. THEMA4 TEMPERATURE MEASUREMENT 2.2 “Temperature-Measurement- Chain”: Description and Relevant Errors

The “Temperature Measurement Chain “ is composed by the elements described below.

A. Temperature Probe Model: FAS INTERNATIONAL: PM600019 Sensor Type: Pt100, 4 wire Input: Temperature –20°C / +160°C Output: Resistance, as Temperature function, in compliance to IEC 751 (IPTS68) Applied wiring: 4 wire, with full compensation of the cable length Maximum allowable error (Tolerance): as defined for Class 0,1 (IEC 751) = +[0,1 + (0,0017 x Unsigned Temperature value)]

B. INOR Module

Model: Inor IPAQ-L Input: -20°C / +160°C Output: 4 – 20 mA Accuracy: 0.1% Input Range = +0.18°C

C. I/O Module The performance of the I/O analog module is described according to the manufacturer.

D. Process Controller

The controller operates using data in cent of Celsius degree °C.

ET200S ET200M Allen Bradley 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1794-IF2XOF2I 1794-IF4I Input : 0 – 27648 counts Input : 0 – 27648 counts Input : 0 – 61681 counts Input : 0 – 61681 counts Output: -20 – 160 °C Output: -20 – 160 °C Output: -20 – 160 °C Output: -20 – 160 °C < + 0.01 °C 5 < + 0.01 °C 5 < + 0.01 °C 5 < + 0.01 °C 5

5 Max allowable total error

ET200S ET200M Allen Bradley 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1794-IF2XOF2I 1794-IF4I Input : 4 – 20 mA Input : 4 – 20 mA Input : 4 – 20 mA Input : 4 – 20 mA Output: 0 – 27648 counts Output: 0 – 27648 counts Output: 0 – 61681 counts Output: 0 – 61681 counts + 0.012 mA + 0.011 mA + 0.017 mA + 0.017 mA + 0.14°C 5 + 0.12°C 5 + 0.19°C 5 + 0.19°C 5

Pt 1

00

INO

R M

OD

ULE

I/O

MO

DU

LE

PC

nad



TN –102081-3

Pag. 6/7

Total Accuracy of the Measurement-Chain for Some Meaningful Temperature Values

ET200S ET200M Allen Bradley TEMP. 0°c 6ES7 134-4MB00-0AB0 6ES7 331-7NF00-0AB0 1749-IF2XOF2I 1794-IF4I

PT100 ±0.1 °c ±0.1 °c ±0.1 °c ±0.1 °c INOR MODULE ±0.18 °c ±0.18 °c ±0.18 °c ±0.18 °c I/O MODULE ±0.14 °c ±0.12 °c ±0.19 °c ±0.19 °c PC negligible negligible negligible negligible TOTAL (ABSOLUTE) ±0.42 °c ±0.40 °c ±0.47 °c ±0.47 °c TOTAL (PONDERAL) ±0.25 °c ±0.24 °c ±0.28 °c ±0.28 °c











TN –102081-3

Pag. 7/7

References 1. TN – 41712.2/MAR Pressure and Temperature Measurements on Process Controller THEMA 3 for

Fedegari Autoclaves. 16.02.2000 2. TN – 98800.1/RPE Uncertainty Evaluation 14.07.2003 3. TN – 99488.1/RPE Taratura della catena di misura dei segnali di pressione e temperatura

Controllore TH4 26.01.2004



Doc. no. 147854-3 Page 26 of 26

Appendix 2 SP-102190– TH4 – Extract from Functional Design Specification

TH4-EXTRACT FROM FUNCTIONAL DESIGN SPECIFICATION

SP-102190 -8

Page 1 of 35

Control system:

THEMA4

EXTRACT FROM FUNCTIONAL DESIGN SPECIFICATION

ORIGINAL DOCUMENT: SP-95630v3

Function

initials Abbreviation of

the name Date

(dd/mm/yy) Signature

Written by IPR ARE

Revised by: IPR FAF 10/04/2006 FABIO FUSI

8 10/04/06 Implemented access levels table [RDB] 7 03/03/06 Added sect. 1.6 and implemented section 5.3 6 08/02/06 Implemented description of emergency shutdown management 5 11/07/05 Version comply to TH4-SP (D/O # 94296v6, MGH) 4 13/04/05 Version comply to TH4-SP (D/O # 94296v5, MGH) 3 05/11/04 Third emission 2 22/07/04 Second emission 1 29/03/04 First emission

Version Date (dd/mm/yy) Description of the revision


SP-102190 -8

Page 2 of 35

CONTENTS

0 INTRODUCTION 4

1 PHYSICAL DESCRIPTION OF THE CONTROL SYSTEM 5 1.1 HARDWARE ARCHITECTURE 6 1.1.1 SIDE 1 (PRIMARY) OPERATOR PANEL 6 1.1.2 SIDE 2 (SECONDARY) / SIDE 3 (TECHNICAL AREA) OPERATOR PANELS 6 1.1.3 PLC REMOTE I/O MODULES 7 1.1.4 HUB FOR ETHERNET CONNECTION BETWEEN OPERATOR PANELS

AND/OR EXTERNAL CONNECTIONS 7 1.1.5 UPS FOR BLACKOUT MANAGEMENT 7 1.1.6 THERMAL PRINTER 7 1.1.7 SIDE 1/2 DOOR MANAGEMENT MODULES 7 1.1.8 REMOTE OPERATOR STATION 8 1.2 SHUTDOWN 9 1.2.1 SHUTDOWN IN SAFE CONDITION 9 1.2.2 EMERGENCY SHUTDOWN 9 1.2.3 RESTARTING AFTER EMERGENCY SHUTDOWN 10 1.2.4 EXTENDED SHUTDOWN 10 1.3 DATA STORAGE 10 1.4 BACKUP/RESTORE DATA 11 1.5 CONNECTION TO THE FIELD 11 1.6 MANUAL ABORT CYCLE 11

2 PROCESS MANAGEMENT 12 2.1 PHASE GROUPS – CYCLES - PROGRAMS 12 2.2 ALARMS – GENERAL INFORMATION 13 2.2.1 "KERNEL" ALARMS 13 2.2.2 “CONFIGURATION” ALARMS 13 2.3 "PHASE" ALARMS 14 2.4 CAUSES AND SOLUTIONS OF ALARMS 15

3 PASSWORDS 16 3.1 OPERATING PROCEDURES AND ACCESS LEVELS 16 3.2 ACTIVE CODE CONFIGURATION DISPLAY/PRINTOUT 17

4 LIST OF OPERATIONS 19 4.1 OPERATING MENUS 19 4.1.1 RUNS & OPERATIONS 19 4.1.2 PROGRAM MANAGEMENT 19 4.1.3 CYCLE MANAGEMENT 19


SP-102190 -8

Page 3 of 35

4.1.4 SETUP & CONFIGURATION 20 4.1.5 DIAGNOSE & MAINTENANCE 21 4.1.6 LOG-IN & PASSWORDS 22 4.1.7 ALARM & DATA LOGGING 23 4.1.8 ON-LINE MANUALS 23 4.2 OPERATIONS THAT ARE DISABLED DURING A CYCLE 23

5 PROGRAM EXECUTION 24 5.1 TIME CALCULATION 24 5.2 PROCESS SUMMARY 24 5.3 PROCESS REPORT 24

6 PRINTOUT MANAGEMENT 28 6.1 ARCHIVED AND PRINTED DATA 28 6.2 “PROCESS REPORT” PRINTOUT 29 6.2.1 AUTOMATIC OR MANUAL PRINTOUT 29 6.2.2 REDUCED OR NORMAL PRINTOUT FORMAT 29

7 DOOR MANAGEMENT 30 7.1 DOORS CONFIGURATION 30 7.2 DOORS OPENING MANAGEMENT 31 7.2.1 PROCESS CONDITIONS FOR OPENING DOOR 31 7.2.2 SAFETY REQUIREMENTS FOR OPENING DOOR 32 7.3 CRITERIA FOR MOVING MOTORIZED DOORS 32 7.3.1 DOOR SYSTEM ALARMS 32 7.4 SAFETY REQUIREMENTS FOR THE INTRODUCTION OF PRESSURIZED FLUID IN

CHAMBER 33

8 CALCULATION OF F0 34

9 GLOSSARY 35


SP-102190 -8

Page 4 of 35

0 INTRODUCTION

The THEMA4 process controller manufactured by Fedegari Autoclavi SpA is an electronic system, based on commercial hardware, dedicated to the control of moist-heat, gas or dry-heat sterilization processes. The Thema4 software was developed in compliance with GAMP4. Access to the Thema4 process controller and password structure and management was developed in compliance with the “CFR 21 Part 11” directive.


SP-102190 -8

Page 5 of 35

1 PHYSICAL DESCRIPTION OF THE CONTROL SYSTEM

The THEMA4 control system can be configured according to the following composition1:

1 – Side 1 Operator Panel (primary /S1) 2 – Operator Panels for Side 2 (secondary /S2) / Side 3 (technical area /S3) 3 – PLC remote I/O modules 4 – Hub for Ethernet connection between operator panels and external connections 5 – UPS for blackout management 6 – Thermal printer 7 – Side 1/2 door management modules 8 – Remote operator station

These 8 main parts are interconnected as shown schematically here:

1 The configuration foreseen for the specific project is detailed on the FDS (Section 7.2).

4

Ethernet HUB

Panel PCSide 1

Field Bus

STERILIZER 6

Thermal printer

card BUS

Ethernet link (DDE, DDL,OPC) to external systems(SCADA, DCS, Recorder)

Serial Line Link (Modbus) to external systems (SCADA, DCS)

2 Panel PC

Side 2

Panel PCTechnical

Area

Operator Panels 2/3

1

Operator Panel 1

5

UPS

7

Door module

Remote operator station

WINDOWS PC

8

Printer (WINDOWS)

3

FIELD: Sterilizer devices (Sensors andActuators)

PLC remote I/O modules

4-20mA/Pt100Converter

BUS D IN

D OUT

AN IN

AN OUT

PWR


SP-102190 -8

Page 6 of 35

1.1 HARDWARE ARCHITECTURE

1.1.1 SIDE 1 (PRIMARY) OPERATOR PANEL The Side 1 Operator Panel is the control unit of the system and the operator interface on side 1 of the sterilizer (always installed). This is the primary station of the sterilizer and is composed of two units: 1 Touchscreen Panel PC TH4_HW-PANEL 1 PCI Card for connection via Profibus field bus TH4_HW-I/O BOARD_P

Minimum requirements of side 1 Panel PC of THEMA4 system The minimum requirements that the Panel PC must have are listed below.

1.1.2 SIDE 2 (SECONDARY) / SIDE 3 (TECHNICAL AREA) OPERATOR PANELS Side 2 (secondary) Operator Panels on the side of the sterilizer normally used for unloading and side 3 Operator Panel (technical area of the sterilizer) are two optional additional operator stations on board the machine. Both operator panels are composed of a single unit, which is the same one used for the Operator Panel on side 1: 1 Touchscreen Panel PC: TH4_HW-PANEL

Serial, parallel and USB ports are not used for these panel PCs. Moreover, the hard disk may be replaced with a FLASH Disk, since it stores no data but only the applications required for the installation and operation of the user interface.

1 PCI slot for Profibus card

1/2 RS232C COM for Door Board connection

1 RS232C COM for Modbus RS232 connection

12.1-inch color TFT LCD SVGA 800x600 analog resistive touch-screen

Touch Driver for Vx Works 1 HD ≥ 10GB

1 LPT port for Thermal Printer

1 Ethernet 10/100 MHz port

Pentium III 700MHz 128MB RAM

1 front-mounted Floppy Disk Drive (or side mounted) 1 PS2/Keyboard port for installation of SW and Backup/Restore operations

1 USB port for connection of backup/restore units


SP-102190 -8

Page 7 of 35

1.1.3 PLC REMOTE I/O MODULES The digital and analog signals that the control system exchanges with the devices (field) of the sterilizer (sensors and actuators) are acquired and sent by means of (Siemens or Allen Bradley) a set of Input/Output modules that are appropriately powered and communicate with side 1 Panel PC by means of a Profibus communications module. This set of modules is constituted by two units: 1 PLC Remote I/O module TH4_HW-PLC I/O 1 Pt100/4-20mA converter module TH4_HW- Pt100/4-20mA

1.1.4 HUB FOR ETHERNET CONNECTION BETWEEN OPERATOR PANELS AND/OR EXTERNAL CONNECTIONS

This component is required if the sterilizer is configured with more than one Panel PC (in addition to the “primary” one, which is always installed) or to allow the Ethernet connection to the outside of the sterilizer (remote station or LAN connection).

1.1.5 UPS FOR BLACKOUT MANAGEMENT The system uses a UPS (Uninterruptible Power Supply) that allows to supply continuously power during a blackout event for a certain time (at least for 15 minutes), switching instantly to the emergency backup batteries located inside the UPS. The S1 Panel PC detects the blackout condition by means of a digital input from the electrical cabinet, and reports it by means of appropriate alarm messages to all connected local and remote operator stations. The following units are powered by means of the UPS: - n Touchscreen Panel PC(s) (a) TH4_HW-PANEL - 1 5/8-port 10/100 MHz hub (b) TH4_HW-HUB (a) all Panel PCs (n is 1 to 3) installed on the machine (b) the hub on board the machine, if provided The controller remains active even if the electric power supply fails during a cycle; however, the cycle is in practice interrupted, because the connected sterilizer would no longer be able to execute the instructions that originate from the controller and would not be able to provide data regarding its condition. If the black-out happens during the sterilization phase, at the restart of the cycle the process controller verifies also that the duration of the black-out does not exceed the selectable parameter max black-out duration during the sterilization phase. In case yes the sterilization timer is reset while in case not the controller performs a linear interpolation between the last temperature value read before power failed and the first value read after power is restored, in order to quantify the time elapsed at values over and under the minimum sterilization temperature.

1.1.6 THERMAL PRINTER A thermal printer is installed on the sterilizer to record the Process Reports and to print system data and parameters. All printed data are stored electronically. Requests to print on this thermal printer can be made only from stations provided on board the machine.

This system requires two components: 1 Thermal printer TH4_HW-TPrinter 1 Parallel cable for thermal printer TH4_HW-CableTPrinter

1.1.7 SIDE 1/2 DOOR MANAGEMENT MODULES For both doors (side 1 and 2) there is a door management module that comprises the following devices: 1 LCD message display, 4 lines x 20 characters (only for Side 2 door as for Side 1 is a function included

in the PC panel) 2 door OPEN and CLOSE buttons, which activate two digital inputs of the I/O_PLC An EMERGENCY pushbutton A key-operated selector for switching on the control system (only for Side 1 door)


SP-102190 -8

Page 8 of 35

The 4-line display is used to display the following 20-characters messages, which are grouped into four types. Messages of the same type are mutually exclusive (except for Alarm messages) and are displayed on the same line. For messages that are not mutually exclusive, the most important message is always displayed. Line no. Message type Message

1 CONTROLLER AND CYCLE STATUS COMPUTER ON READY TO START CYCLE IN PROGRESS STERILIZING EMERGENCY NON RECOVERABLE EMER CYCLE COMPLETE

2 STERILIZATION MESSAGE STERILIZ.TEMPER.HIGH STERILIZ.TEMPER.LOW STERILIZED H.PATHOG.STERILIZED

3 ALARM MESSAGE (a) ALARM ON AUXILIARY ALARM 1 / 2 DOOR SYSTEM ALARM

4 DOOR MESSAGE OK OPEN DOOR 1 OK OPEN DOOR 2 OK OPEN DOOR 1 AND 2 OPPOSITE DOOR OPEN DOOR MOVING

(a) Alarm messages are not mutually exclusive and are listed in order of increasing importance. The display is controlled by means of a serial line by the Panel PC for side 1, which sends it the messages in the language chosen on that Panel PC according to the logic criteria described earlier.

1.1.8 REMOTE OPERATOR STATION The remote operator station is constituted by an operator interface installed on a Personal Computer (desktop or notebook) with certain minimum specifications:

LCD display 4 lines x 20 characters

RS232 port S1 Panel PC

Power-on key (Side 1 only)

EMERGENCY pushbutton

Door OPEN button

Door CLOSE button

DIGITAL INPUT I/O PLC


SP-102190 -8

Page 9 of 35

Processor power Pentium III Hard disk 10 GB RAM 128 MB Floppy disk / CD ROM YES Ethernet port YES Operating system Windows 2000 / XP JAVA Virtual Machine (Sun Microsystem) 1.3 software version The PC can print process reports and selected log files or parameters on an A4 printer connected to the PC.

1.2 SHUTDOWN

The shutdown of the process controller is performed by the operating procedures, listed below:

- shutdown in safe condition - emergency shutdown - restarting after emergency shutdown - extended shutdown

1.2.1 SHUTDOWN IN SAFE CONDITION The shutdown of the process controller is performed in safe condition if the operator follows the procedures listed below:

1. when none operating procedures (i.e. cycle running, devices activation, archived data modification) are running, the user can start the shutdown operating sequence from the control panel by pushing of the button “shutdown” <T6.4> on the work area “Login & password” (activated only if the user has the access to the shutdown function)

2. the process controller activates the shutdown in safe condition; at the end of this step on the PC panel is displayed the “page of shutdown”

3. after that the page of shutdown has been displayed, the shutdown operation goes on as described below

Note: After the pushing of the button “shutdown”, the control system requires the confirmation Warning: If the shutdown has been required while an operating procedure is running, the process controller displays a message of warning and requires a confirmation to continue.

4. the normal shutdown is performed by the rotation of the process controller key-switch installed on side 1 in position 0

5. it is important to make sure that the process controller and the user connected to the process controller has been deactivated by checking the following conditions:

- Panel PC OFF - Safety thermometer display OFF - No message displayed on the service panel - Vacuum pump motor, optional fans and stand-alone steam generator OFF - All valves fail in their fail safe position (all valves installed on the pressurized fluids lines are

failure closed).

1.2.2 EMERGENCY SHUTDOWN Warning: The pushing of the emergency button can carry out irreversible damages for the load inside the sterilizer. Once the button is pushed, the operator can’t restart the sterilization process. The user has to contact as soon as possible the responsible. The emergency shutdown is performed by the mushroom-head push button installed on the operator interface. This operation stops in real time the sterilizer by the deactivation of the general switch. In this case the sterilizer works as during the “Black Out” of the electrical system: while the THEMA4 process controller is switched on, the Side 1 Panel PC remains active, since it is powered alternatively by the UPS system.


SP-102190 -8

Page 10 of 35

When the main power supply returns after the blackout, the screen always shows the last page displayed before the interruption. In order to allow stabilization of the reading of the analog channels, the end of a blackout for the controller is postponed by 10 seconds with respect to the physical end of the blackout. The Side 1 Panel PC remains active even if the electric power supply fails during a cycle, but the cycle in practice is interrupted, since the connected sterilizer would no longer be able to perform the instructions that arrive from the controller and would not be able to supply information regarding its own status. The MAX BLACKOUT TIME is the maximum time for which a continuous interruption of the electric power supply to THEMA4 is considered acceptable. If the value of this parameter is lower than MAX OFF TIME STERILIZATION (the sterilization parameters S1.5, S2.8 and S3.8), this value is reduced to the value of MAX BLACKOUT TIME. If the maximum blackout time is exceeded without the electric power supply being restored, the progressive phase time is reset. If the phase is time-controlled, it is therefore repeated from the start. If the sterilization process is time-controlled, and in order to quantify the time elapsed above and below the minimum sterilization temperature, if a blackout or emergency shut down has occurred during the sterilization phase, the controller performs a linear interpolation between the last temperature value read before the power supply failed and the first value read after it returns.

1.2.3 RESTARTING AFTER EMERGENCY SHUTDOWN Warning: Before the restarting of the machine, the abnormal running cause, that has required the emergency shutdown, has to be found and eliminated to avoid sterilizer’s damages and dangerous situations for people. The restarting of the machine has to be performed only after the elimination for sure of the abnormal running cause. The restarting is allowed by the following operations:

1. Clockwise rotation of the mushroom-head push button 2. Access to the electrical panel and activation of the general switch

while the THEMA4 process controller is switched on, the Side 1 Panel PC remains active, since it is powered alternatively by the UPS system. When the main power supply returns after the blackout, the screen always shows the last page displayed before the interruption.

1.2.4 EXTENDED SHUTDOWN Warning: When it is foreseen an extended shutdown, the residual pressure in the chamber has to be discharged by means of the manual valve installed on the machine front panel.

1.3 DATA STORAGE

All the data are archived according to 21 CFR Part 11. These data are stored in two directories of the hard disk installed on the Panel PC side 1. One directory contains the previous version of the modified data, the other one contains the current data.

To ensure compliance with CFR21p11, the archive files cannot be modified and any tampering with them is detected. Moreover, if they are modified, the previous values of the data are always retained. All changes are tracked (date and author) and safe data backup/restore procedures for the user are available (Audit Trail Records). There are two kinds of archived file: “Process reports” and “Sterilizer data”. The latter are divided into “Parameter” files and “Records” files. The records are always collected in a single file that is updated continuously. The “Process report” files are in ASCII text format. The “Sterilizer data” are all in binary format, except for the audit trail file, which is in ASCII format.


SP-102190 -8

Page 11 of 35

These files are not encrypted. For further details see Section 6.1.

Programs and data are archived in a 2 GB (2048 MB) memory area. This amount of memory is actually configured independently of the capacity of the hard disk of the Panel PC. 2000 MB are used for data storage, including process data, system data and parameters.

1.4 BACKUP/RESTORE DATA

The Backup/Restore procedures for the data stored in the main Panel PC can be run by means of the GUI of the Panel PCs provided on the sterilizer. Data to be backed up/restored can be selected from the archived data categories. Data of the same categories will be saved. Data can be archived and restored in two ways: 1. Floppy Disk (by means of the floppy drive mounted on the main Panel PC) 2. Ethernet LAN (FTP protocol) using the hard disk of the connected PC. Other storage media connected to the USB port of the main Panel PC (CDRW, memory card, Zip drive) can be used in the future. Currently, these alternative storage devices can be used if they are connected to a remote PC (Windows environment) in which the data have been transferred using the Ethernet link. The archiving directories have to be present on the hard disk of the main Panel PC even after Backup/Restore procedures have been performed.

1.5 CONNECTION TO THE FIELD

The “NL” symbol (“logic number”) identifies, for Thema4 controllers, a function to be performed or a situation to be detected in the field (i.e., in the sterilizer connected to the controller) by means of the available devices or instruments.

The “Configuration” of a Thema4 assigns NLs to the channels for interfacing with the field. This assignment is different for the individual sterilizers.

Each NL can be: • a digital input (“NLID”), for detecting an on-off situation in the field; • a digital output (“NLOD”), for performing an on-off action in the field; • an analog input (“NLIA”), for measuring a physical variable in the field; • an analog output (“NLOA”), for performing a modulated function in the field.

1.6 MANUAL ABORT CYCLE

The "Manual emergency" button on the touch-screen allows to stop the cycle temporarily, moving from the phase in progress to the emergency phase. This transition is a consequence of the alarm activation (“Manual emergency”) and is possible during all phases except for the cycle end phase. It is possible to return from the emergency phase to the phase previously in progress by pressing the “Phase Step” button, provided that this is authorized and no other alarms with an emergency effect are active; as an alternative, the cycle can be ended directly by means of the "Stop” button (on the touch-screen), again provided that the "Phase Step" button has been enabled.


SP-102190 -8

Page 12 of 35

2 PROCESS MANAGEMENT

2.1 PHASE GROUPS – CYCLES - PROGRAMS

The control system can manage “sterilization or test processes” organized according to a clearly defined logic structure implemented at the software level and based on the following mutually correlated elements:

• Phase • Phase Group (Phase/Group o P/G) • P/G library • Cycle • Program

Of these elements, only Phase groups, Cycles and Programs correspond to specific “objects” (program files and data file) of the software of the control system.

PHASE The phase is the basic structure of every “process” of the sterilizer. Each phase is structured so as to perform a specific function. This is done by reading the input signals that arrive from the sensors of the sterilizer and by activating the output signals that drive the actuators of the sterilizer, according to a specific control logic implemented in the phase (also according to the value assigned to the “phase parameters” and according to the actions of the operator).

PHASE GROUP The Phase group P/G (or Phase/Group P/G) is the sequence of one or more phases (up

to 16). Each P/G identifies a part (sub-process) of the process performed by the sterilizer, which implies the execution of various phases in sequence (e.g., P/G 9 – VACUUM IN CHAMBER, which consists of the sequence of two phases: F1-Slow vacuum and F2-Vacuum at normal rate). Each Phase Group corresponds to a “software program” , written in C Language: the “P/G Definition Sheet” is its “Functional specification”.

P/G LIBRARY A certain number of P/Gs, required to perform the various processes of the sterilizer, are

stored in the control system. This set is termed P/G Library ("PGL"). Different versions of PGL can include the same P/Gs or different ones in the same version or in a different version: this depends on the structure of the sterilizer and on the requirements expressed by the user during specification of the sterilizer. Each phase group is identified by a five-character alphanumeric code. The Data Sheet of each Phase Group constitutes its specification (pseudo-code).

CYCLE Every process of the sterilizer is performed by means of a clearly defined sequence of P/G

termed “Cycle”. Accordingly, in the control system of a sterilizer there must be an installed Library that contains all the P/Gs required to configure the cycles needed by the user. Different cycles can use the same P/Gs or different P/Gs in a different sequence. Cycles can be configured freely by the user. The cycles are stored permanently in the Thema4 controller, where they are identified by : • a progressive number; • a code; • a name; • the total number of phases included in the P/Gs of the cycle; • the total number of local parameters related to the P/Gs of the cycle;

PROGRAM The system is structured so as to provide the user, for each cycle, with different Programs. These programs provide the cycle from which they are derived, but they can be differentiated by means of the different values assigned by the user to the Program Parameters.


SP-102190 -8

Page 13 of 35

Furthermore, since every Program consists of the sequence of P/Gs of the Cycle from which it is derived, the operator can decide how certain Phases will proceed by appropriately assigning values to the P/G Parameters. Up to 9,999 programs can be archived in the memories of the system.

An executable program is identified by a progressive number and is a result of the combination of:

• a cycle as defined above; • a name; • the actual values of the general parameters used throughout the cycle; • the actual values of the parameters related to the P/Gs of the cycle, i.e., the local or

phase parameters; • the identification of the heat probes used to monitor the process, which constitutes the

so-called "TE list"; • the actual values of the parameters used to manage the PID control procedures

during every execution of the program, known as "PID parameters". A program can be defined either starting from a cycle ("new" program) or by copying an existing program ("copied" program).

2.2 ALARMS – GENERAL INFORMATION

There are three types of alarm: "kernel", "configuration" and "phase". These alarms are referenced with the letters "N", "C" and "P" respectively. The kernel application program has 300 different alarms, which are identified by their number. Regardless of the type as defined above, each alarm has the following characteristics: • a short descriptive text, i.e., the message that is displayed and/or printed when the alarm is active; • the delay (“DLY”), i.e., the time in seconds that elapses from when the sufficient cause of the alarm

occurs to when the alarm is actually activated; • the effects ("EFF"), i.e., the effects produced by the emission of the alarm.

The effects of the alarms can be configured and are as follows: Activation and deactivation printout; Acoustic warning; Emergency and additional siren; Printout of activation only; Display in "Process summary"; Complete logging in "Alarm summary"; Logging of activation in "Alarm summary"; Interlocking of other programs (only for Autoclave); Loss of sterility (only for Oven); Activation (and deactivation, if provided) of the alarms activated during the execution of the program can be recorded in the Audit trail. When a new cycle is started, all alarms are deactivated, with the only exception of alarms related to door management and to the steam generator management (if present).

2.2.1 "KERNEL" ALARMS Kernel alarms are activated by the Thema4 controller • independently of the programming of the “Alarm configuration”. To avoid conflicts in operation, kernel

alarms must not be configured; • independently of the phase group library.

2.2.2 “CONFIGURATION” ALARMS It is possible to program up to 60 configuration alarms. Configuration alarms can be caused simply by the status of a digital input or by the comparison between the status of an input and the status of an output when both are digital. These alarms are:

• Simple input alarms • Alarms with actuation control • Full alarms for motors


SP-102190 -8

Page 14 of 35

• Full alarms for valves • Partial alarms for motors • Linked input alarms • Modulating valve alarms • Partial alarms for valves • Type 1 auxiliary configuration alarms • Type 2 auxiliary configuration alarms

2.2.2.1 Simple input alarms An alarm is configured as a simple input if the value of the NLO is left at zero. In this case, LOG must be left at zero as well. This means that the alarm will be activated whenever the digital input signal related to the alarm has the logic value true during program execution, i.e., whenever its condition is the opposite of the one defined as its "normal" condition in the NC column of Digital Input Configuration.

2.2.2.2 Activation monitoring alarms An alarm that compares the state of an input with the state of an output (currently termed "activation monitoring alarm") requires that both NLI and NLO be different from zero and can be configured with logic modes 0, 1, 2 or 3.

2.2.2.3 "Complete" alarms for motors Activation monitoring alarms with LOG = 0 are activated: both when the related NLID is true and the related NLOD is also true; and when the NLID is false and the NLOD is also false. Since the NLIDs related to the motors in the field are configured with NC = 1 and their channels are electrically energized when the motors are actually running, these alarms are meant to monitor the state of the motors: the alarm is activated both if a motor fails to run when it should and if it runs when it should not.

2.2.2.4 "Complete" alarms for valves Activation monitoring alarms with LOG = 1 are activated: both when the related NLID is true but the related NLOD is false; and when the NLID is false but the NLOD is true. The NLIDs related to the valves in the field are usually related to their "POs", i.e., to microswitches detecting Position Open. These NLIDs are configured with NC = 0 and their channels are electrically energized when the valves are actually open: thus the alarm is activated both if a valve is not open (NLID false) when it should be (NLOD true) and if a valve is open (NLID true) when it should not be (NLOD false). If microswitches detecting Position Closed of the valves are installed, the related NLIDs are configured with NC = 1 and their channels are electrically energized when the valves are actually closed, so the inputs are logically false when the valves are open: thus, the alarm is activated both if a valve is not closed (NLID true) when it should be (NLOD false) and if a valve is closed (NLID false) when it should not be (NLOD true).

2.2.2.5 "Partial" alarms for motors Activation monitoring alarms with LOG = 2 are activated: only when the related NLID is true and the related NLOD is also true; Since the NLIDs related to the motors in the field are configured with NC = 1 and their channels are electrically energized when the motors are actually running, these alarms are meant for "partial" monitoring of the state of the motors: the alarm is activated if a motor fails to run when it should, but it is not activated if the motor runs when it is not activated by the Phase Group being executed.

2.3 "PHASE" ALARMS

Alarms programmed in the Phase/Group code are termed phase alarms. These alarms are generally provided in order to indicate abnormal process conditions with respect to the phase in execution.


SP-102190 -8

Page 15 of 35

2.4 CAUSES AND SOLUTIONS OF ALARMS

The controller provides, for each alarm, a description of its probable causes and a suggestion for its possible solutions.


SP-102190 -8

Page 16 of 35

3 PASSWORDS

Virtually all operations allowed by means of the keyboard of the Thema4 controller require the input of an access code that consists of two parts: the ID Code, which is public, and the Password, which is secret. The access to the various operations is associated with the individual codes when they are configured by the system administrator. The minimum number of characters for the Password is configurable from 2 to 19. In “Change password”, any Thema4 operator is always able to modify and then update his password.

3.1 OPERATING PROCEDURES AND ACCESS LEVELS

It’s important to know the autoclave in all its aspects to use and to maintenance it as the process controller has a high level of flexibility to define parameters, state and logic combination. Anyway, if the best configuration and the different applications are defined (sterilization programs), the use of the machine is easy and the operator doesn’t need to have a high level of competence. To protect the system and to guarantee a correct use, the different access levels have been classified as: administrator, supervisor, maintenance and user. As default only the administrator level is defined. At this access level there is the possibility to define the different access levels and their correlated functions. An operator can start a “session of work” only if he knows the access code. After that the administrator defines the different professional figures, TH4 presents the related operating procedures:

- ADMINISTRATOR (A): organizes and manages the access to the system; - SUPERVISOR (S): defines sterilization parameters and operating programs; - MAINTENANCE (M): performs all the operating functions to maintenance and/or to control; - USER (U): uses the machine from the beginning until the end of the cycle.

The ADMINISTRATOR is the only one who can configure users with these professional roles, defining for each one the accesses allowed to the various functions of the system. Fedegari releases the THEMA4 with only one Administrator configured, with known access codes, in order to allow the customer to configure his various users. When they are created, the various professional roles have predefined access privileges, which the ADMINISTRATOR can in any case modify, user by user, according to the operating requirements. There is no limitation to the number of users that can be created. The table that follows lists the functions, among the ones available on the GUI, that are enabled by default, for each one of these four typical professional roles. The following are possible for each function:

- VIEW [V] access in view-only mode, i.e., without being able to modify data and perform commands;

- EDIT [E] this access allows to view and change data and perform commands; - LOCK [B] no access to the function.

For certain functions, the Administrator can change the type of access assigned by default for each user. The accesses that can be modified during access creation are highlighted as follows:

- V : indicates that the default operating mode is V and can be set to E by the Administrator. - B : indicates that the default operating mode is B and can be set to V by the Administrator.

Sub-functions "inherit" the clearances of the functions from which they are derived (the table that follows shows this by means of the "double quote" symbol), unless specific clearances are indicated for them. During a "work session", a specific operator can only access the operations for which he has been enabled. If all the functions of a work area are locked, the work area is also locked and therefore cannot be accessed.


SP-102190 -8

Page 17 of 35

Table 1. Functions for each of four operating procedures

N WORK SECTION STRUCTURAL FUNCTION

FUNCTION LIST A S M U

1 Runs & Operation 1. 1.1 1.2 1.3 1.4

State of the machine Run program Synoptic Alarms list Qualification of control push button

V B B B B

V E V E E

V E V E E

V E V V V

2 Program Management

2. 2.1

- Programs configuration list

- B

- E

- V

- V

3 Cycle Management 3. 3.1 3.2

- Cycles configuration list Phase groups

- B B

- E V

- V B

- V B

4 Set-up & Configuration 4. 4.1 4.2 4.3 4.4 4.5 4.6 4.7. 4.8.

Parameters summary Factory parameters (general data) Hardware view Alarms configuration System parameters Set up data-time Set up language Software version Authorization parameters

V B B B B B B V V

V V E E E E E V V

V V E E V V V V V

V V V V V V V V V

5 Diagnosis & Maintenance 5. 5.1 5.2 5.3 5.4 5.5 5.6 5.7

- Diagnosis I/O HW view Diagnosis I/O Logic view, for NL Calibration Maintenance schedule Filter maintenance planning Backup & Restore File conversion

- B B B B B B B

- V V VV V V V

- EEEE E V V

- VVVV V V V

6 Log-in & Passwords 6. 6.1 6.2 6.3 6.4 6.5

- State of Log-in General Log-in data Password configuration Password modification Shutdown

- EEEE E

- E V B E E

- E B B E E

- E B B E E

7 Alarms & Data Logging 7. 7.1 7.2 7.3 7.3.1 7.3.2 7.3.3 7.3.4 7.3.5 7.3.6 7.3.7 7.3.8 7.3.9 7.4

Historic alarms archives Process report archives Historic data archives - Archives - Alarms configuration - Hardware configuration - Maintenance archives - Calibration archives - Parameters archives - Programs archives - Cycles archives - Accesses manage Audit trail report

- B B V V V V V V V V V V V

- V V V V V V V V V V V B V

- V V V V v V V V V V V B V

- V V V V V V V V V V V B V

8 Manuals on-line 8. Manuals on-line V V V V

3.2 ACTIVE CODE CONFIGURATION DISPLAY/PRINTOUT

This operation allows an Administrator to generate documents that contain information related to the access codes at the time of a printout request. The resulting printout does not include information related to access codes that have been removed or otherwise disabled. Passwords are also not included because they are strictly personal and secret. The following information is provided:

- Number of repeats (reuses) of one’s own previous password (1 to 99) - Number of password entry attempts accepted before the password is suspended (3 to 10) - Minimum number of password characters (2 to 19) - Maximum number of password characters (2 to 19) - Maximum accumulated time of actual use (in hours, 0 to 4000) - Expiry date of the code, if the password is not changed first (in days, 0 to 9999) - Inactivity time: maximum inactivity time after that it is performed a logout operation (from 0 to 60

min) -


SP-102190 -8

Page 18 of 35

Enabling of absolute password uniqueness: passwords must be different from all passwords in use and from removed passwords.


SP-102190 -8

Page 19 of 35

4 LIST OF OPERATIONS

The user communicates with the Thema4 controller by means of a touch-screen. To allow any operation on the field or any change to the stored data, the controller always requests a properly access operation (LOG-IN).

4.1 OPERATING MENUS

After access (LOG-IN), the system displays all the functions of the GUI, divided into 8 main work areas, which correspond to the selectable functions of a main menu.

1. Runs & Operations 2. Program Management 3. Cycle Management 4. Setup & Configuration 5. Diagnose & Maintenance 6. Log-in & Passwords 7. Alarm & data logging 8. On-line manuals

By accessing each one of these areas, by means of suitable label buttons, it is possible to access the sub-functions of each area.

4.1.1 RUNS & OPERATIONS “Runs & Operations” management gives access to the operations that allow to: 1. Monitor the status of the sterilizer. 2. Select and run programs that are present in the memory of Thema4. This operation is denied if a

program is already running. 3. Synoptic of the parameters of the program and of the data of the process in progress. 4. Display the alarms that have occurred during cycle execution. 5. Qualification of control push button.

4.1.2 PROGRAM MANAGEMENT “Program Management” allows to access the operations that allow to: 1. Create new programs or derive them from other existing ones. 2. Delete programs. 3. Change the parameters of a program, i.e.:

The name. The “General parameters”. These parameters are termed “general” because they are not linked to a single Phase Group (in this case they are termed “local” or “phase” parameters), but are used generally within the entire program. The “Phase parameters”, i.e., parameters that are not used generally throughout the program but refer only to one or more of its phases that constitute a phase group. The list of probes used (for display and for the product). The PID parameters for process regulation.

4. Print program parameters. 5. Display program parameters.

4.1.3 CYCLE MANAGEMENT “Cycle Management” gives access to the operations that allow to: 1. Create new cycles from the library installed in the process controller. 2. Delete and edit cycles. 3. Display cycle data (list of phases and list of phase parameters). These functions are performed by means of the following menu items: 1. Cycle list 2. Phase groups


SP-102190 -8

Page 20 of 35

4.1.3.1 List of cycles This function lists the configured cycles, from which the work programs can be derived. The following information is listed for each cycle: - ID : identification code, corresponding to the Fedegari cycle code - Name : name of the process performed by the cycle This list can be sorted by ID code or by Name by means of an appropriately provided button. Another button allows to access the new cycle creation function. From this page one can also access the new cycle creation function. The user needs to enter the “ID” and “Name” fields and to configure the cycle, loading, by means of a button, the P/Gs listed in the list of the installed library, in the order in which they must occur in the cycle. Another button allows to remove a selected P/G from the cycle being created. Confirmation to create is required at the end. If a generic existing Cycle “x” is selected, its data are displayed: the “ID“ and “Name” fields and the phase groups that constitute it. In this page, specific buttons allow to:

- Modify certain data of the cycle: the “ID“ and “Name” fields - Delete the selected cycle - Copy the selected cycle to a new cycle

If a phase group “x” is selected from the displayed P/G (or the sub-functions are used), one gains access to the page that lists (in addition to its phase list) the parameter of the phase group (parameters V) with their values preset by Fedegari:

- ID : number of the parameter - Description : name of the parameter - Min , Max : minimum and maximum values of the parameter - Default : preset value of the parameter.

If the cycle copy button is selected, a new cycle is created which has the same P/Gs as the original cycle but has a different “ID“ and “Name” for cycle identification, which must be entered by the operator.

4.1.3.2 Phase groups This function lists the Phase Groups available for cycle composition. The following are listed for each P/G:

- ID : Fedegari identification number of the P/G - P/G Code : Fedegari identification code of the P/G - Phase list : list of phases that constitute the cycle

Selecting a generic P/G “x” from the list (or using the sub-functions) gives access to the page that lists the phases that constitute the phase group and its parameters (parameters V) and their values preset by Fedegari.

4.1.4 SETUP & CONFIGURATION “Setup & Configuration” gives access to the operations that allow to:

1. Define the Factory Parameters of the sterilizer. These parameters contain the factory settings of the sterilizer: identification code (not modifiable), needle model and operating limit value, which depend on the construction characteristics of the machine. The SERIAL NUMBER cannot be modified and is entered when the system software is installed.

2. Modify the System Parameters of the sterilizer. System Parameters allow to define settings required for the operation of the sterilizer which are independent of the type of program to be run. These parameters have been divided into groups according the following structure:

• General Parameters • Door Configuration • Steam Generator • Modbus Parameters • Printer Configuration • Independent Chart Recorder Configuration • WIT Sartorius Configuration


SP-102190 -8

Page 21 of 35

3. Hardware physical view, that allows to configure the “Equipment”, i.e. the series of modules of

analog and digital Inputs/Outputs that are used by the control system to interface with the field. One or more item of equipment can be configured on a system and are connected to each other and to primary panel PC (Side 1) by means of a connection that uses a field bus. Each item of Equipment, chosen among the ones available in a library is composed of a series of Input/Output “Modules”, chosen from a library of modules that belong to the chosen item of equipment.

4. Change the alarm configuration of the sterilizer 5. Set the date-time on the Process Controller 6. Change the language used on the GUI 7. Display the installed version of software, that is composed of Fedegari application programs 8. Display the authorization parameters activated on the Process Controller.

4.1.5 DIAGNOSE & MAINTENANCE “Diagnose & Maintenance” gives access to the operations that allow to: 1. Force the status of digital output channels. 2. Display the status of the digital input/output channels (“ON” or “OFF” status) and analog channels. 3. Calibrate the analog input channels. 4. Program the maintenance schedule planned for the sterilizer. These functions are performed by means of the following menu items: 1. Hardware physical view 2. Logical view 3. Calibration 4. Maintenance schedule 5. Filter maintenance planning 6. Backup & Restore 7. File conversion (only for remote GUI)

4.1.5.1 Hardware physical view This function allows to diagnose the configured input/output channels by accessing their physical visualization. By selecting the individual available items of Equipment, it is in fact possible to view the status of the channels on the digital modules and the sent and acquired values of the channels on the analog modules. Selecting an individual module allows to view its configuration in addition to the status of the individual channels. The displayed data depend on the type of module.

4.1.5.2 Logical view This function allows to diagnose the configured input/output channels, sorted by Logic Number and grouped by channel type:

- digital inputs - digital outputs - analog inputs - analog outputs

By selecting each one of these groups it is possible to view not only the state of the individual channels but also their configuration. The displayed data depend on the type that is selected.

4.1.5.3 Autodiagnosis of analog and digital outputs This function allows to enable and disable the forcing of the analog and digital output channels, both in the physical view function and in the logical view function. When forcing is enabled, the forcing button is displayed for each digital output channel. This button is initially deactivated (OFF state). If it is activated (ON state), it energizes the channel. For analog output channels, a field for entering a forcing value from 400 to 2000 (mAx100) is displayed.

4.1.5.4 Calibration This function allows to perform calibration operations on the analog input channels of the system: Pt100 temperature probes and pressure transducers.


SP-102190 -8

Page 22 of 35

When selected, the list of the channels of the analog inputs configured in the system Equipment is displayed, listing the following data for each channel: - Type :Type of analog channel - NL : Logic number associated with the channel - Name : Name of NL - Direct : analog value read on the channel before applying calibration

- Calibrated : analog value read on the channel after applying calibration - Points : number of points on which calibration is performed (2-3) Access to these data is in display-only mode.

4.1.5.5 Maintenance schedule This function reports on maintenance scheduling, which is divided into a maximum of 10 classes. When the “Maintenance Schedule” function is selected, the list of configured maintenance classes is displayed. The following information is reported for each class:

- Class : Progressive number of configured class (0 to 9) - Last : Date of last maintenance performed on that class or of the programming of that

class - Next : Date of next maintenance performed on that class. - Runs : Number of cycles run from the date of the last maintenance - Remaining : Number of cycles remaining before the class expires - Run : Button for performing a maintenance class, which displays the status of the class:

expired or awaiting expiry. When selected, it displays temporarily the OK maintenance status and resumes waiting for the expiry of the next maintenance.

4.1.5.6 Filter maintenance planning This function reports the filter maintenance planning which is divided in 2 classes: filter sterilization running and filter sterilization performed successfully. When the “Filter maintenance planning” function is selected, it’s displayed how many times the filter sterilization has been started and how many times the filter sterilization has been performed successfully. The following information is reported for each class:

- Class :Description of the filter sterilization cycle count (sterilization started and sterilization performed successfully)

- Runs :Number of cycles run from the date of the last maintenance - Remaining :Number of cycles remaining before the class expires - Status :Visualization of the class status: expired or in waiting state before the expiring of the

cycle After the filter maintenance has been performed, the reset button, placed on the bottom of the page, allows to recalculate from zero the filter sterilization cycle count.

4.1.5.7 Backup & Restore This function allows to perform backup and restore operation on the data stored by the Process Controller. Refer to section 1.4. for further details about backup and restore procedure.

4.1.5.8 File Conversion This function is activated only for the remote GUI. It is possible to export the data from the machine to an external PC in readable format by means of commercial editor. It is foreseen the opportunity to export file in PDF, CSV and TXT format. Actually it is allowed only the conversion in PDF format.

4.1.6 LOG-IN & PASSWORDS “Log-in & Passwords” gives access to the operations that allow to: 1. Display the list of configured Logins, together with their characteristics. 2. Configure new Access codes. 3. Change one's own Password. 4. Release or reserve the work session on the system.


SP-102190 -8

Page 23 of 35

4.1.7 ALARM & DATA LOGGING “Alarm & Data Logging” gives access to the operations that allow to: 1. Display the history list of alarms that have occurred, in their various states: activation, deactivation and

acknowledgment. 2. Display the executed Process Reports and the ”audit trail”.

4.1.8 ON-LINE MANUALS “On-line manuals” gives access to the operation for displaying the user manual of the Thema4 controller.

4.2 OPERATIONS THAT ARE DISABLED DURING A CYCLE

Some operations are considered to be incompatible with the control of the sterilizer that is required during a cycle: therefore, depending on the situation, access to these operations is prevented, or these operations remain accessible only for browsing and any attempt to modify the stored data is prevented. These operations are:

- Program execution. - Reprint data of executed cycles. - Digital output diagnosis. - Analog channel calibration. - Change date-time of process controller.


SP-102190 -8

Page 24 of 35

5 PROGRAM EXECUTION

5.1 TIME CALCULATION

“Progressive program time” or “progressive cycle time” is calculated from the moment when the START button has been effective or the cycle has automatically started the phase that follows the preparation phase. This time is updated continuously during a cycle until the cycle end phase begins and freezes the time count. The value of this time is reset when a new cycle is started.

“Progressive phase time” is the time "tp" recalculated from zero every time a phase begins or restarts after it has been interrupted, up to the moment when the phase ends either because the end phase conditions indicated in the Phase Group data sheet have been met or forced advancement has been executed, if possible, by means of the Phase Step button.

The “total phase time” is the time "ttp" accumulated from the first start of a phase or the programmed repetition of a phase, without taking into account any interruptions.

“Actual sterilization time” is the lowest of the values calculated separately for each product probe starting from the beginning of the sterilization phase of a program, adding the time intervals during which each individual probe detects a temperature that is not lower than the minimum sterilization temperature. This time is applied only in the two cases of time-controlled sterilization.

5.2 PROCESS SUMMARY

During program execution, the screen displays the following: 1. “Program data”, i.e., the number and the name of the program in progress and the progressive number

of the phase in progress together with its name. Moreover, if a sterilization program is in progress, the programmed value of the minimum sterilization temperature is displayed.

2. “Phase data”, i.e., the “targets” of the main process variables (temperature / pressure / time) most cases. The actual values of the main process variables are displayed below these parameters. The progressive phase time and the actual “equivalent time” (only in case of F0 sterilization) are also displayed.

3. “Progressive program time”. 4. The Alarms occurred during the execution of the program. 5. The diagram of the Pressure and the Temperatures measured by the probes selected as “monitored”

probes.

5.3 PROCESS REPORT

The Process Report of Thema4 consists of a set of data required to document the executed program. All Process Reports are stored in files that cannot be modified (the system checks their integrity), and can be displayed and reprinted. Process Reports can also be printed during the execution of the program, but only on the onboard thermal printer (online printout). The parts into which one can consider the Process Report to be divided are listed hereafter and are sorted into three groups: Program identification data which contain basic information regarding the program to be run, Program run data which document the behavior of the process by recording its significant variables (time, TE, pressure, F(Tz), phases in progress) and Final cycle data which contain the essential information that documents the execution that has just ended. Cycle identification data, which contain the basic information regarding the program to be run:

- number of the program being run; - name of the current program; - public code of the password used for the last operation for storing and changing the

program; - public code of the password used to enter the Program Use menu and therefore start

the program; - PRODUCT CODE set during program selection;


SP-102190 -8

Page 25 of 35

- BATCH NO. set during program selection; - AUTOCLAVE ID followed by the identification code of the autoclave, but only if required

by the "Identify machine" system parameter; - four lines dedicated to optional NOTES, optionally set during the selection of the

program; - AUTOCLAVE MODEL that is a factory parameter and it cannot be modified as it is

entered during the installation of the software of the system; - SERIAL NUMBER that is a factory parameter and it cannot be modified as it is entered

during the installation of the software of the system; - PROGRESSIVE NO. expected for the program about to be run (this data in case of

replacement of the panel PC is reset automatically); - GENERAL PARAMETERS this list comprises three columns under the heading

"General parameters": "no." (the progressive numbers of the parameters), "parameters" (the names of the parameters) and "value" (the actual values of each parameter);

- PHASE LIST this list comprises three columns under the title "Phase list": "phase no." (the progressive numbers of all the phases of the program), "phase" (the names of the actual phases of the program) and "group no." (the identification numbers of the phase groups to which the individual phases belong);

- PHASE GROUP PARAMETERS this list comprises four columns under the title "Phase group parameters": "no." (the progressive numbers of all the “local” parameters of the program), "phase no." (the number of the phase of the program to which each parameter refers), "parameters" (the names of the local parameters) and "value" (the actual values of each local parameter);

- TE TABLE this list comprises three or exceptionally four columns, depending on the actual value of system parameter no. 8, "Enable immersion TE": "no." (the progressive numbers of the probe), "MONITORED" (the NLIA of the TE monitored in the program), "PRODUCT" (the NLIA of the product TE of the program) and "IMMERSION" (the NLIA of the “immersion” TE used by the program);

- PID PARAMETERS this list comprises five columns: the first column is used to adjust the supply of direct or indirect heating steam (the default values given in the table are typical for the supply of steam in saturated steam autoclaves), the second column is used mainly for feeding and discharging compressed air, when the modulating valves for pressurization and discharge operate continuously, the third column is used mainly for feeding and discharging compressed air, when the modulating pressurization and discharge valves operate discontinuously (in this case, one can speak of mixed modulating/on-off adjustment, which is typical for FOA autoclaves); the fourth column is used mainly for special requirements and the fifth column is used mainly to adjust the rate of application of the vacuum in FOF autoclaves and the cooling rate in FOW autoclaves;

Program run data if the complete printout of the process data is requested, the following report composed by lines are generated for each phase of the cycle:

- PHASE the progressive number and the name of the phase to which the subsequent lines refer;

- three to six columns, each with its own heading describing its contents, printed only once for each phase: TIME (the total program time to which the values printed alongside refer in "minutes.seconds" format), PRESS. (the "chamber pressure", measured by the pressure transducer TP) and TE-nn columns whose number can vary from one to four (the temperature value measured by the probe with NLIA = nn, provided that it is included among the first four probes selected as "monitored" probes).

-

If the equivalent time F(T,z) is also calculated is reported also another line, characterized by the index "F" on the left, is added below each "time/Pressure/Temperature" line. This line contains the actual values of F(T,z) calculated for the probes, among the first four monitored probes, which are also "product" probes. The first line is printed exactly when the phase begins. The subsequent lines or pairs of lines are printed at fixed intervals as indicated in the data sheets of the individual Phase Group and in accordance with the printout interval multiplier. During a generic phase, alarm messages can also be printed during "transitions" both for activation and deactivation. The moment when the transition occurs is printed in the time column. If appropriate, the pressure column is used to print the type of transition (ON or OFF). The descriptive text of the alarm is printed immediately to the right. When the activation of an alarm occurs, or if multiple activations occur


SP-102190 -8

Page 26 of 35

simultaneously, a line is added which contains all the time/Pressure/Temperature columns with the data related to the time of activation (the value of the time is therefore printed two or more times). Blackout messages can also appear among the data of a phase. For these data, no reference is made to the progressive program time; the start and end times of the blackout, given by the clock calendar, are printed instead. All the phases, except for the cycle end phase, also comprise the final lines:

- TOTAL PHASE TIME in the minutes.seconds format; - FINAL PHASE DATA the time/Pressure/Temperature columns related to the final

moment of the phase. Since each phase change lasts two seconds, these data correspond to two seconds before the initial moment of the next phase.

If a complete printout of the process data is not requested the following reduced data report is generated for each phase of the cycle:

- PHASE the progressive number and the name of the phase to which the subsequent lines refer;

- TOTAL PHASE TIME in the minutes.seconds format; - the alarms messages.

Final cycle data comprise a group of lines, which can vary in number and content depending on the actual value of the general sterilization control parameter, of the actual cycle sequence, and of the success or failure of some phases of the sequence which are considered critical:

- PROGRAM START TIME the date and time when the first phase of the cycle after preparation phase started in the format dd/mm/yy hh:mm:ss;

- PROGRAM END TIME the date and time when the cycle end phase started in the format dd/mm/yy hh:mm:ss;

- STERILIZATION STATUS (OK or FAILED) including also a progressive number of the sterilization process, updated value every time a sterilization phase has ended successful;

- MIN / MAX STERIL. TEMP the maximum and minimum temperature values detected during the sterilization phase, specifying the NLIA of the probes that detected the reported value;

- STERILIZ. PHASE DURATION in the format min.s (yyyy.yy); - ACTUAL STERIL. TIME corresponding to when the sterilization phase ends, in the

format min.s (yyyy.yy); - F(T,z) MIN / F(T,z) MAX the maximum and minimum values of the equivalent

sterilization times added for all the “product” probes from the beginning of the cycle up to its end, indicating the NLIA of the probes to which the equivalent minimum and maximum times correspond;

- TIGHTNESS TEST STATUS (OK or FAILED) including also: TEST DURATION in min. s format (yyy.yy), NEGATIVE / POSITIVE PRESSURE VARIATION in bar format (y.yyy);

- WIT REPORT in the following format:

FILTER TYPE (xxxxxxxxxxxxxxx) WIT TOLERANCE ml/10min (xx.x) WIT TEST VALUE ml/10min (xx.x) TEST OK or TEST FAILED NET VOLUME ml (xxx.x) ATMOSPHERIC PRESSURE bar (x.xxx) INITIAL PRESSURE bar (x.xxx) INITIAL TEMPERATURE 'C (xxx.x) FINAL PRESSURE bar (x.xxx) FINAL TEMPERATURE 'C (xxx.x)

- ALARM SUMMARY if critical alarms have occurred during the execution of the program,

the alarm summary comprises all the messages related to the alarms that have occurred during the cycle;

- TEMPERATURE/TIME CHART if requested the chart is printed with the temperature axis and the time axis showing the trend of the values measured by the first four probes of the "monitored" TE (the scales used for the axes are selectable);


SP-102190 -8

Page 27 of 35

- PRESSURE/TIME CHART if requested the chart is printed with the pressure axis and the time axis showing the trend of the value measured by the pressure transducer (the scales used for the axes are selectable);

- SIGNATURE HEADINGS three headings for the manual signatures of the OPERATOR, of the SUPERVISOR and for the optional QUALITY ASSURANCE APPROVAL are printed on two spaced lines.


SP-102190 -8

Page 28 of 35

6 PRINTOUT MANAGEMENT

6.1 ARCHIVED AND PRINTED DATA

It is necessary to make a distinction between the two families of data that are archived in the memories of Thema4 by the PCS and can be displayed and printed: “process reports” and “sterilizer data”.

• Process reports Process reports are the recordings, produced automatically by the PCS, in the memories of the Server Panel PC, of the data produced by the execution of a program (for testing or sterilization) of the machine. These data, at the end of the execution of the program, are archived in a non-modifiable file and can be displayed on any connected GUI and sent for printout on request. The PCS software stores these files in a fixed format (please refer to the “Program Execution” chapter) and in the language selected on the GUI interface installed on the primary Panel PC, checking their integrity. .

• Sterilizer data There are two types of sterilizer data: parameters and records: Parameters Parameters are groups of data that can be set and grouped by type (parameters of the machine, of the accesses, of the cycles, of the stored programs, of the P/Gs, et cetera..) and stored in files, required for

the operation of the sterilizer. Every time changes are made to parameters, the new values are archived in a file with a new version. The PCS software PCS stores these files in a fixed format that is independent of the language selected in the GUI. This is why each GUI displays and prints these parameters in its own language. Moreover, as occurs for process reports, the PCS checks the integrity of these files every time it accesses them.

The GUI displays in the various “work areas” the current version of these data. The archive with all the previous versions, listed by date and time, is in the “ALARM & DATA LOGGING” area, where it is possible to select a file for display and printout.

Records The records collect all the significant events (“alarms” and “audit trails”) that must be acquired and stored for correct system management. Some of these records (e.g. the “audit trail”) are archived continuously and permanently in a single file whose integrity is constantly checked by the PCS. Others (such as the “active alarm” list) are stored only temporarily in the RAM memory of the primary Panel PC and are therefore lost at system shutdown (in this case one does not speak of electronically archived data).

The printouts of all these data are of the “manual” type, since they always require an operator selection.


SP-102190 -8

Page 29 of 35

6.2 “PROCESS REPORT” PRINTOUT

6.2.1 AUTOMATIC OR MANUAL PRINTOUT “Process reports” can be printed in two ways: automatically, during or at the end of the cycle (automatic printing), or at the operator’s request (“manual” printing).

• Automatic printing

Automatic printing of process reports is of two types: on-line or end-of-cycle. Automatic printing is termed “on-line” if it is performed gradually during the cycle. This type of printing is possible only on the onboard printer and is not derived from a previously archived electronic record but from the data received during execution, which are stored but not yet archived (archiving occurs at the end of the cycle). In this case, the printout is identified by the wording “automatic printing” (AUT) and the heading of the report only provides the identification of the user who launched the cycle. Automatic printing is instead termed “end-of-cycle” only if it is performed automatically at the end of the cycle after archiving the process data. This printout is possible only on the remote printer. In this case, the “automatic printing” request must be configured in the “print preferences” of the GUI. In this case, the printout is identified by the wording “automatic printout” (AUT) and the heading of the report includes, in addition to the identification of the user who launched the cycle, the identification of the user who has a work session in progress (if a work session is open). • Manual printing Manual printing is a printout of process reports generated at the operator’s request. This printout is possible both on the onboard printer and on the remote printer by manually selecting the process report to be printed (Alarms & Data Logging function) and is derived from a previously archived electronic record (log file). In this case, the printout is identified by the wording “manual printout” MAN, and the heading of the report includes, in addition to the identification of the user who launched the cycle, the identification of the user who requested the printout (date and Public Name).

6.2.2 REDUCED OR NORMAL PRINTOUT FORMAT “Process reports” can be printed in two different formats:

• Reduced: using the process data printing rate derived from the Phase Groups. • Extended: using the process data printing rate equal to the archiving time (10 sec).

The format of the printout is identified by the wording Reduced (RED) /Extended (EXT) in the heading of the printout report. On-line automatic printing is always a terse printout. Printouts generated from an archived file, automatic printouts at end of cycle and manual printouts can be in terse or verbose format depending on specific parameters. These parameters also allow to enable or disable the printing of parts of the process report: initial data, final data, T and P charts, sterilization charts and alarm summary.


SP-102190 -8

Page 30 of 35

7 DOOR MANAGEMENT

The doors (one or two) of an autoclave are almost always of the motorized type, either sliding (fully automatic) or hinged (semiautomatic), although the hinged type can also be actuated entirely manually. The control system interlocks shall ensure that the autoclave door cannot be opened when a potentially dangerous condition exists within the autoclave and that the cycle cannot be initiated until the doors are completed closed and the chamber is sealed.

7.1 DOORS CONFIGURATION

The configuration of the doors is carried out by means of the work section “Set-up & Configuration” that gives access to the “System Parameters” (refer to section 4.1.4). The access level to the “System Parameters” are described in the following table (see section 3.1):

PROFESSIONAL FIGURE ACCESS LEVEL Administrator (A) Block the access to the function Supervisor (S) Possibility to modifying the data and activating any command Maintenance (M) User (U) Visualization without modifying the data and activating any command

The above configuration is defined as default, the administrator can modify it and install different operating procedures. The “System Parameters” gives access to the section “Door Configuration” that allow to define the following options: • Manual / Motorized The “Motorized” option must be selected if the sterilizer is provided with a motorized door or doors, i.e., fully automatic or semiautomatic sliding door or doors; if not, “Manual” must be selected. • One door / Two doors This parameter must be set to “One” or “Two” door(s) depending on the number of doors of the sterilizer.

If two doors are configured, the following subsidiary parameters are available: • Initial Door 1 or 2 This parameter allows to select which door can be opened when Thema4 is switched on and before launching a run. It also indicates that this opening is authorized as an alternative after a run provided that the unloading door has already been moved from the fully close position, closed and locked again.

• Door control "Sterility" conditions prescribed by the actual settings of Door Subsidiary Parameters must also be satisfied to open the Initial Door.

- Door 1 control (i.e. Door Subsidiary Parameter 2) If this parameter is different from nought, a “sterile” condition is required to authorize opening of Door 1. “Sterile” means in this case that a sterilization has been completed after the last release of Door 2, regardless of the program parameter relevant to the door opening sequence. If Thema4 is reset, the "sterile" condition, if present, is deemed lost, so that, if this parameter is different from nought, it is not possible to open Door 1 as Initial Door even if this door is selected by the above parameter 1. If this parameter is different from nought, it is also impossible to open Door 1 during the preparation phase of a program with odd Door Opening Sequence (see section 7.2) if the "sterile" condition is not verified. If this parameter is different from nought, the execution of programs with Door Opening Sequence = 6 (see section 7.2), i.e. pass-through programs from Door 2 to Door 1, is refused. If this parameter is equal to "2", after Door 2 has been released or after having reset Thema4, the execution of any program not of the "HP" or "Decon" type is also refused.


SP-102190 -8

Page 31 of 35

- Door 2 control (i.e. Door Subsidiary Parameter 3) This parameter is fully symmetrical to that of the above parameter 2, and the effects of these two parameters may be additional. If this parameter is different from nought, a “sterile” condition is required to authorize opening of Door 2. “Sterile” means in this case that a sterilization has been completed after the last release of Door 1, regardless of the program parameter relevant to the door opening sequence (see section 7.2). If Thema4 is reset, the "sterile" condition, if present, is deemed lost, so that, if this parameter is different from nought, it is not possible to open Door 2 as Initial Door even if this door is selected by the above parameter 1. If this parameter is different from nought, it is also impossible to open Door 2 during the preparation phase of a program with even Door Opening Sequence (see section 7.2) if the "sterile" condition is not verified. If this parameter is different from nought, the execution of programs with Door Opening Sequence = 5 (see section 7.2), i.e. pass-through programs from Door 1 to Door 2, is refused.If this parameter is equal to "2", after Door 1 has been released or after having reset Thema4, the execution of any program not of the "HP" or "Decon" type is also refused.

7.2 DOORS OPENING MANAGEMENT

The doors are termed by convention "Side 1 door", which is often directed toward the non-sterile area, and "Side 2 door", which is often directed toward the sterile area. The “General Parameters”, in the work area “Programs Management” (refer to section 4.1.2), gives access to the “Other parameters” that allows the access to the section “Door Open Sequence”. The access level to the “General Parameters” are described in the following table (see section 3.1):

PROFESSIONAL FIGURE ACCESS LEVEL Administrator (A) Block the access to the function Supervisor (S) Possibility to modifying the data and activating any command Maintenance (M) User (U) Visualization without modifying the data and activating any command

The above configuration is defined as default, the administrator can modify it and install different operating procedures. The “Door Open Sequence” allows to select the loading/unloading direction of the sterilizer by means of the parameters “Door Number”, as follows: 1 = "normal" loading direction, Side 1 to Side 2 (from "non-sterile" to "sterile");

2 = "reverse" loading direction, Side 2 to Side 1 (from "sterile to "non-sterile");

3 = opening always in the Side 1 area (loading and unloading from the "non-sterile" side);

4 = opening always in the Side 2 area (loading and unloading from the "sterile side");

5 = “priority” loading direction, Side 1 to Side 2 without sterilization control. The execution of programs with this Door Opening Sequence is rejected if the System Parameter “Door 2 control” is different from nought;

6 = “reverse priority” loading direction, Side 2 to Side 1 without sterilization control. The execution of programs with this Door Opening Sequence is rejected if the System Parameter “Door 1 control” is different from nought.

From the software standpoint, the possibility to open a door is regulated by the presence of a clearance that depends both on process conditions and on safety requirements. The Thema4 process controller identifies the status of the doors by means of digital input logic numbers.

7.2.1 PROCESS CONDITIONS FOR OPENING DOOR To be able to open a door, two general process conditions must be met: • no cycle must be in progress;


SP-102190 -8

Page 32 of 35

• the absolute pressure of the chamber must be close to the atmospheric pressure. Only the loading side door shall be opened if the cycle is aborted during the exposure phase before the sterilization condition is reached. The unloading side door shall be allowed to be opened if the cycle is aborted during the post conditioning phase when the sterile condition is reached.

7.2.2 SAFETY REQUIREMENTS FOR OPENING DOOR Doors will be equipped with safety features to prevent them being opened when the load is not in safe conditions: • The relative pressure inside the chamber is less than 50 mbar detected by two independent pressure

switches (PRS and PRS1). • The vacuum measured in the autoclave chamber by the safety differential vacuum gauge PRS2 must be

less than 50 mbar with respect to the outside (if configured). • The gas detector NOGAS must not detect any residual presence of sterilizing gases (for example

ethylene oxide, formalin) inside the chamber (if configured). • The liquid sensor HLS, installed in some model FOF autoclaves, must not detect the presence of liquid

inside the chamber. • The liquid sensor SELA, installed in model FOF and FOA autoclaves, must not detect the presence of

liquid inside the chamber. • The liquid sensor RL3W, installed in model FOW autoclaves, must not detect the presence of enough

liquid to cause overflow at the door if the door is opened. • The temperature value in chamber is less than the value set on the independent thermometer TESIC. However, these conditions are not sufficient to allow the doors opening, as the machine is equipped with a redundant circuit whose contacts exclude “hard-wire” the doors’ gasket compressed air venting and motor opening feeding. This “fail-safe” circuit is composed by the following components in series:

• Security thermometer with minimal contact TESIC. • First pressure switch for atmospheric balancing control PRS. • Second pressure switch for atmospheric balancing control PRS1.

7.3 CRITERIA FOR MOVING MOTORIZED DOORS

The movements for closing-locking and for releasing-opening all the motorized doors comply with the following basic criteria • As an active protection for the operator, the doors can be closed only if the control is kept pressed (if it is

released, the door automatically reverses its direction motion). • For sliding doors a passive protection is assured by a photocell which is located at the end portion of the

stroke and which, if activated, immediately issues the door’s opening command. • The opening button must be pressed in order to start release and opening, but it can then be released. • At the end of a program, the unloading door is considered to have been opened only if it has reached the

fully open position, i.e., if the input channel connected to the opening stroke limit proximity switch has been energized.

• The digital output that controls the door motors (in both directions of motion) is deactivated immediately if the corresponding digital input is configured but not excited while the digital output is active. The return of the input channel to the excited state does not automatically reactivate the output.

7.3.1 DOOR SYSTEM ALARMS The following six abnormal conditions cause activation of alarms no. 58 or 59. • The upper limit pressure gauge signal is present and the closure limit switch signal is not present: this

means that the seat of the locking gasket of a door is pressurized, although the door is not in a fully closed position.

• The upper limit pressure gauge signal is present and the opening limit switch signal is also present: this means that the seat of the locking gasket of a door is still pressurized, although the door is in a fully open position.

• The lower limit pressure gauge signal is not present and the closure limit switch signal is not present: this means that the seat of the locking gasket of a door has not yet depressurized, although the door is not in a fully closed position.


SP-102190 -8

Page 33 of 35

• The lower limit pressure gauge signal is not present and the signal of the opening limit switch is present: this means that the seat of the locking gasket of a door has not yet depressurized, although the door is in a fully open position.

• The lower limit pressure gauge signal is present and the upper limit pressure gauge signal is present: this would mean that the seat of the locking gasket of a door is simultaneously depressurized and pressurized.

• The opening limit switch signal is present and the closing limit switch signal is present: this would mean that a door is simultaneously in a fully open position and a fully closed position.

If one of these abnormal conditions occurs while a door motor is in operation, the motor is stopped immediately and does not restart automatically after restoring normal conditions: a new command is required to restart it.

7.4 SAFETY REQUIREMENTS FOR THE INTRODUCTION OF PRESSURIZED FLUID IN CHAMBER

During the machine’s operations the process controller is enabled to adduct into the chamber pressure fluids (compressed air and steam) only when both doors are in closed door position and the doors seals are inflated. Only when the above conditions are satisfied and when the operator presses the cycle start push-button, the process controller allows the adduction of pressure fluids into the chamber. However, this condition is not sufficient to allow the adduction of pressure fluids into the chamber, as the machine is equipped with a redundant circuit, whose contacts exclude “hard-wire” the piloting electrovalves of fluids’ inlet valves to the chamber. This “fail-safe” circuit is composed by the following components in series:

• Security thermometer with maximal contact TESIC. • Seal of machine’s door side 1 PR10.1 ( to verify that the seal is pressurized). • Seal of machine’s door side 2 PR11.1. • Mechanical limit switch door closed side 1 F2.1 ( to verify that the door is in locking position). • Mechanical limit switch door closed side 2 F2.2.


SP-102190 -8

Page 34 of 35

8 CALCULATION OF F0

The sterilization is checked by means of the algorithm F0. F0 is defined as the time during which sterilization is actually performed at 121°C or the time during which sterilization is performed at another sterilization temperature, related by calculation to 121°C so as to be equivalent in terms of lethal heat dose, i.e. of microbial destruction effectiveness. F0 is calculated as follows:

F0 = Σ ∆t ⋅ 10 ((T-Trif)/z) Trif is assumed equal to 121°C while the z-value is function of the micro-organisms contained in the products to be sterilized. The following table lists z-values for some “typical” micro-organisms:

AVERAGE VALUE OF Z FOR SOME TYPICAL MICRO-ORGANISMSMicro-organism z (°C) Clostridium botulinum Bacillus stearothermophilus Bacillus subtilis Bacillus megaterium Bacillus cereus Clostridium sporogenes Clostridium histolyticum

10 6

10 7

10 13 10


SP-102190 -8

Page 35 of 35

9 GLOSSARY

a FECP SRVR

Fedegari External Communication Protocol SERVER

a GUI

Graphical User Interface

a NL

Logic Number

a NLIA

Analog Input Logic Number

a NLID

Digital Input Logic Number

a NLOA

Analog Output Logic Number

a NLOD

Digital Output Logic Number

a P/G

Phase Group

a PCS

Process Control System

a PGL

Phase Group Library

a PLC

Programmable Logic Controller

a R.T.O.S.

Real Time Operating System

a USB

Universal Serial Bus

a UPS

Uninterruptible Power Supply

3. Utilities Required demands6 4. Process Description7 5 ... · FUNCTIONAL DESIGN SPECIFICATION...

Documents

Transcript of 3. Utilities Required demands6 4. Process Description7 5 ... · FUNCTIONAL DESIGN SPECIFICATION...