Dairy Establishment Inspection Manual – Chapter 19 Appendices
Appendix 5 Criteria for the Evaluation of Computerized Public Health Controls Glossary

This page is part of the Guidance Document Repository (GDR).


Address
A numerical label on each input or output of the computer. The computer uses this address when communicating with the input or output.
Computer
A very large number of on-off switches arranged in a manner to sequentially perform logical and numerical functions.
Default mode
The predescribed position of some memory locations during start-up and standby operations.
Electrically Alterable Programmable, Read Only Memory (EAPROM)
An electrically alterable programmable, read only memory. Individual memory locations may be altered without erasing the remaining memory.
Electrically Erasable Programmable, Read Only Memory (EEPROM)
An electrically erasable programmable, read only memory. The entire memory is erased with one electrical signal.
Erasable, Programmable, Read-only Memory (EPROM)
An erasable, programmable, read-only memory. The entire memory is erased by exposure to ultra-violet light.
Fail Safe
Design considerations that cause the instrument or system to move to the safe position upon failure of electricity, air, or other support systems.
Field alterable
A device having a specific design or function that is readily changed by user and/or maintenance personnel.
Force off
A programmable computer instruction that places any input or output in the "off" state, independently of any other program instructions.
Force on
A programmable computer instruction that places any input or output in the "on" state, independently of any other program instructions.
Input
A data set applied to the input bus of the computer that is used by the computer to make logical decisions on whether or not to activate one or more outputs. Input consists of data from temperature and pressure instruments, liquid level controls, tachometers, microswitches, and operator-controlled panel switches.
Input/Output bus
An electrical connection panel that provides for the connection of all inputs and outputs to the computer. The input/output address labels are found on this panel. Indicator lights showing the status (on/off) of all inputs and outputs are usually available on this panel.
Last state switch
A manually operated switch located on the input/output bus that instructs the computer to place all outputs in the "on", "off" or "last state" during a start up. The "last state" position instructs the computer to place the outputs in whatever state (on or off) occurred during the last loss of power.
Operator override switch
A manually operated switch located on the input/output bus that permits the operator to place any input or output in the on or off position, independently of any program instructions.
Output
Electrical signals from the computer that turn on or off: valves, motors, lights, horns, and other devices being controlled by the computer. Outputs may also consist of messages and data to the operator.
Programmable controller
A computer, with only limited mathematical ability, that is used to control industrial machines, instruments and processes. Most computers used on high-temperature short-time (HTST) pasteurizers will be programmable controllers.
Random access memory (RAM)
A memory used by the computer to run programs, store data, read input and control outputs. The computer may either read the memory or write data into the memory.
Read-only memory (ROM)
A memory used by the computer to run its own internal unchangeable programs. The computer may only read from the memory; it cannot write into the memory or alter the memory in any way.
Standby status
The computer is turned on, running, and waiting for instructions to start processing input data. This instruction is usually accomplished by a manually operated switch.
Status printing
Some computers are programmed to interrupt printing of the chart record to print the status of key set points and conditions such as: cold milk temperature, holding tube temperature, diversion temperature setting and chart speed.

Criteria

The following listed criteria shall be complied with for all computers or programmable controllers when applied to HTST, high heat short time (HHST) and ultra-high temperature (UHT) pasteurization systems used for milk and milk products. In addition, all systems shall conform to all other requirements outlined in the Dairy Products Inspection Manual.

  1. A computer or programmable controller used for public health control of pasteurizers must be a system dedicated only to the public health control of the pasteurizer. The public health computer shall have no other assignments involving the routine operation of the plant.
  2. The public health computer shall not be under the command or control of any other computer system. It shall not have an address to be addressable by any other computer system. A host computer cannot override its commands or place it on standby status. All output addresses of the public health computer must be ready to process data at any time.
  3. A separate public health computer must be used on each pasteurizing system.
  4. The status of the Input/Output bus of the public health computer may be provided as inputs-only, to other computer systems. The wiring connections must be provided with isolation protection such as solenoid relays, diodes, or optical-coupling devices to prevent the public health Input/Output bus from being driven by the other computer system.
  5. On loss of power to the computer, all public health controls must assume the fail-safe position. Most computers can be placed in standby status by either a program instruction or manual switches. When the computer is in standby status, all public health controls must assume the fail-safe position. Some computers have internal diagnostic checks that are performed automatically during start-up. During this time, the computer places all outputs in default mode. In this default mode, all public health controls must be in the fail-safe position.
  6. Some computers or programmable controllers have Input/Output buses with "last state switches" that permit the operator to decide what state the output bus will take on power-up after a shutdown or loss of power. The choices are on, off, or "last state" occurring when the computer lost power. These "last state switches" must be placed in the fail-safe position.
  7. The computer performs its tasks sequentially, and for most of real time, the computer outputs are locked in the on or off position, while waiting for the computer to come back through the cycle. Consequently, the computer program must be written so that the computer monitors all inputs, and updates all outputs on a precise schedule - at least once every second. Most computers will be capable of performing this function many times in one second.
  8. Programs must be stored in some form of read-only memory, and be available when the computer is turned on. Tapes or disks are not acceptable.
  9. The computer program access must be sealed. Any telephone modem accesses must also be sealed. If the Input/Output bus contains "last state switches", the Input/Output bus must be sealed. The vendor must supply the Regulatory Official with procedures and instructions to confirm that the program currently in use by the computer is the correct program. The Regulatory Official will use this test procedure to confirm that the correct program is in use, during a start-up, and whenever the seal is broken.
  10. If the computer contains Force-On, Force-Off functions, the computer must provide indicator lights showing the status of the Force-On, Force-Off function. The vendor instructions must remind the Regulatory Official that all Force-On, Force-Off functions must be cleared before the computer is sealed.
  11. The input/output buses of the public health computer shall contain no operator override switches.
  12. Computerized systems which provide for printing the recording chart by the computer must ensure that proper calibration is maintained. During chart printing, the computer must not be diverted from its public health tasks for more than one second. Upon returning to public health control, the computer shall complete at least one full cycle of its public health tasks before returning to chart printing.
  13. When printing a chart, some systems provide status reports on the chart paper of selected Input/Output conditions. This is usually done by interrupting the printing of the chart and printing the Input/Output conditions. Such interrupts, for status printing, are permitted only when a continuous record is recorded on the chart. When an interrupt is started, the time of the start of the interrupt will be printed on the chart at the beginning of the interrupt and at the end of the interrupt. The time interval during which the computer is diverted from its public health control tasks for status printing shall not exceed one second. Upon returning to public health control, the computer shall complete at least one full cycle of its public health tasks before returning to status printing.
  14. When the computer prints the temperature trace of temperature in the holding tube, at specific intervals, rather than a continuously changing line, temperature readings shall be printed not less than once every five seconds, except that during the thermometric lag test, the temperature shall be printed or indicated fast enough that the Regulatory Official can place the temperature sensor in a bath at a temperature 4°C (7°F) above the diversion setting and accurately determine the point in time when the temperature rises to a point 7°C (12°F) below the diversion point setting so that the Regulatory Official can start the timing of the thermometric lag test.
  15. When the computer prints the frequency pen position (the position of the flow diversion device, forward or divert) at specific intervals, rather than continuously, all changes of position shall be recognized by the computer and printed on the chart. In addition, the frequency pen position and temperature in the holding tube must be printed on the chart in a manner that the temperature in the holding tube can be determined at the moment of a change of position of the flow diversion device.
  16. The vendor shall provide a built-in program for test procedures, or a protocol shall be provided so that all applicable tests outlined in the Canadian Food Inspection Agency's (CFIA) "Critical Process Test Procedures" for each instrument can be performed by a recognized official:
    • Recording Thermometers
      • temperature accuracy
      • time accuracy
      • check against indicating thermometer
      • thermometric response
    • Flow Diversion Devices
      • valve seat leakage
      • operation of valve stem(s)
      • device assembly
      • manual diversion
      • response time
      • time delay intervals if used
    • Booster Pumps
      • proper wiring
      • proper pressure control settings
    • Flow Promoting Devices (timing pumps)
      • holding time in holder
      • proper wiring interlocks
  17. Computers require high-quality (clean), well-regulated power supplies to operate reliably and safely. Spurious voltage spikes can cause unwanted changes in computer RAM. Some mechanical and electrical components also deteriorate with age. One solution is to have two permanent programs in the computer: one in RAM and one in ROM. Through a self-diagnostic test, these two programs could be compared routinely. If there were differences in the programs, the computer would go into default mode. Another solution would be to download the program from ROM to RAM at every start-up. A third solution would be to have the computer read the program directly from ROM that is unchangeable. However, this approach is practical only in large volume applications such as microwave ovens. For most small volume applications, the read-only memories are field alterable, such as EPROM, EEPROM and EAPROM. EPROM, EEPROM, and EAPROM cannot be relied upon to maintain a permanent record. Something is needed to ensure that the proper program is in computer memory when the Regulatory Official seals the computer.
  18. The computer program used for public health controls on pasteurizers must conform to the attached logic diagrams. Minor modifications to these diagrams are permissible to accommodate or delete items that are unique to a specific HTST pasteurizer system, such as: magnetic flow meters used as replacement for the timing pump, the flush cycle on the detect stem of the flow diversion device, and the ten-minute delay of the booster pump and flow diversion device that permits the timing pump to run during cleaning operations. The vendor must provide a protocol in the user's manual so that the installer, user, and/or Regulatory Official can demonstrate that the program performs as designed under actual production conditions.
  19. The logic diagrams for the flow diversion device and booster pump show a programmed clean in-place (CIP) operation as part of the computerized system. Some plant operators may wish to use another computer for CIP operations, so that CIP programs may be changed by plant personnel, as needed to achieve good plant sanitation. When this is done, the connections between the flow diversion device, booster pump, and plant computer, must be provided with solenoid relays or similar devices on the outputs to the flow diversion device and booster pump to prevent them from being operated by the plant computer, except when the mode switch of the flow diversion device is in the "CIP" position.
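
The first two options in criterion 17 (routine RAM-against-ROM comparison with a drop to default mode, and a ROM-to-RAM download at start-up) can be sketched as below. This is an added example, not vendor or CFIA code: every name, the program image, the choice of de-energized outputs as the fail-safe position, and the latching of default mode until the next start-up are assumptions made for illustration.

```c
/* Added example: program self-check for criterion 17. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROG_WORDS 8

/* Constructed stand-in for the sealed program image held in ROM. */
static const uint16_t rom_program[PROG_WORDS] = {
    0x1001, 0x2002, 0x3003, 0x4004, 0x5005, 0x6006, 0x7007, 0x8008
};
static uint16_t ram_program[PROG_WORDS];    /* working copy run from RAM */

typedef struct {
    bool fdd_forward;   /* false = flow diverted (assumed fail-safe position) */
    bool booster_run;   /* false = booster pump stopped (assumed fail-safe) */
    bool default_mode;  /* assumption: latched until the next start-up */
} outputs_t;

/* Place every public health output in its fail-safe position. */
static void enter_default_mode(outputs_t *out) {
    out->fdd_forward = false;
    out->booster_run = false;
    out->default_mode = true;
}

/* Start-up: outputs stay fail-safe while ROM is downloaded to RAM; default
 * mode is released only if the fresh copy verifies against ROM. */
void startup_load(outputs_t *out) {
    enter_default_mode(out);
    memcpy(ram_program, rom_program, sizeof rom_program);
    out->default_mode = memcmp(ram_program, rom_program, sizeof rom_program) != 0;
}

/* Index of the first RAM word that differs from ROM, or -1 if identical. */
int first_mismatch(void) {
    for (size_t i = 0; i < PROG_WORDS; i++)
        if (ram_program[i] != rom_program[i]) return (int)i;
    return -1;
}

/* One scan: verify the program first, then drive outputs. Returns true only
 * when the RAM copy matched ROM and the requested states were applied. */
bool scan_cycle(outputs_t *out, bool want_forward, bool want_booster) {
    if (out->default_mode || first_mismatch() >= 0) {
        enter_default_mode(out);
        return false;
    }
    out->fdd_forward = want_forward;
    out->booster_run = want_booster;
    return true;
}

/* Test hook: flip bits in one RAM word, as a voltage spike might. */
void corrupt_ram_word(size_t index, uint16_t mask) {
    if (index < PROG_WORDS) ram_program[index] ^= mask;
}
```

Because the check runs at the top of every scan, a corrupted program never gets to drive an output, and the comparison itself stays inside the once-per-second update budget of criterion 7 for any realistic program size.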

Test Procedure

One method of confirming proper operation of all required public health controls is as follows:

  1. Identify all system components which are micro-processor controlled for CIP.
  2. Locate and identify outputs for the above.
  3. With the Inspect-Process-CIP selector switch at CIP and after 10 minutes time delay, manually Force On each output and confirm the operation of the controlled component.
  4. Then with the Inspect-Process-CIP selector switch at Process, again Force On the above defined outputs. The booster pump, Flow Diversion Device (FDD) and devices interlocked with these components shall not operate. And, with the FCD (timing pump) off, those components required to be interlocked with the FCD (timing pump) shall not operate.

Flowchart - Logic Diagram Flow Diversion Device (Divert Valve Stem). Description follows.

Description for Flowchart - Logic Diagram Flow Diversion Device (Divert Valve Stem)

This image shows a Logic Diagram of a Flow Diversion Device (Divert Valve Stem) for a computer or programmable logic controller (PLC).

  • From the start position, if Power "On", the program can go into Inspect, Product, or clean in place Mode.
  • In Inspect Mode, if the time is greater than the time required for the flow promoters to stop, a signal is sent to the divert valve solenoid.
  • In Product Mode, the following conditions must be met for the system to remain in forward flow:
    • The Temperature must be greater than pasteurization temperature
    • The manual divert must be off

    In addition, if the system is a magnetic flow meter system:

    • The flow must be greater than 5% of the maximum (this refers to a loss of signal set point)
    • The flow must be less than the high flow alarm
    • The time must be greater than the legal hold Forward Flow Delay

    If any of these conditions are not met, the Divert Valve Solenoid is signalled to divert the flow.

    A Frequency pen solenoid records whether the product is in forward or divert flow.

  • In clean in place mode, after a delay of greater than 10 minutes, or the time necessary for all flow promoters to stop (if they cannot operate), clean in place programming begins to clean the system. The divert valve solenoid allows the valve to move for cleaning.

Flowchart - Logic Diagram Flow Diversion Device (Leak Detect Valve Stem). Description follows.

Description for Flowchart - Logic Diagram Flow Diversion Device (Leak Detect Valve Stem)

This image is a Logic Diagram of a Flow Diversion Device (Leak Detect Valve Stem) for a computer or programmable logic controller (PLC).

  • From the start position, if Power "On", the program can go into Inspect, Product, or clean in place Mode.
  • In Inspect Mode, if the time is greater than the time required for the flow promoters to stop, a signal is sent to the detect valve solenoid.
  • In Product Mode, the following conditions must be met for the system to go into and remain in forward flow:
    • The Temperature must be greater than pasteurization temperature
    • The manual divert must be off

    For the magnetic flow meter system:

    • The flow must be greater than 5% of the maximum (this refers to a loss of signal set point)
    • The flow must be less than the high flow alarm
    • The time must be greater than the legal hold Forward Flow Delay

    As well:

    • The Divert Microswitch must be in forward position and;
    • The time must be greater than the flush time

    If any of these conditions are not met, the detect Valve Solenoid is signalled to divert the flow.

  • In clean in place mode, after a delay of greater than 10 minutes, or the time necessary for all flow promoters to stop (if they cannot operate), clean in place programming begins to clean the system. The detect valve solenoid allows the valve to move for cleaning.
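
The two flow diversion device descriptions above reduce to a set of permissives that must all hold before a solenoid is energized. The following is an added example, not the attached logic diagrams or any vendor program: the input layout and names are hypothetical, "energized" is assumed to mean forward flow in Product mode, the two timers are assumed to count from when their conditions became true, and the sample operating point is constructed.

```c
/* Added example: flow diversion device permissives as read from the two
 * logic diagram descriptions. Names and input layout are hypothetical. */
#include <stdbool.h>

typedef enum { MODE_INSPECT, MODE_PRODUCT, MODE_CIP } fdd_mode_t;

typedef struct {
    fdd_mode_t mode;
    double secs_in_mode;        /* time since the selector entered this mode */
    double promoter_stop_s;     /* time required for flow promoters to stop */
    double cip_delay_s;         /* 600 s, the 10 minute delay in the text */
    bool   cip_request;         /* CIP program asks for the valve to move */
    double temp_c, legal_temp_c;
    bool   manual_divert;
    bool   magflow_system;      /* magnetic flow meter system */
    double flow_pct;            /* flow as a percentage of maximum */
    double high_flow_alarm_pct;
    double secs_legal;          /* assumed: time the flow conditions have held */
    double forward_flow_delay_s;
    bool   divert_ms_forward;   /* divert microswitch in forward position */
    double secs_divert_forward; /* assumed: time since divert stem went forward */
    double flush_time_s;
} fdd_inputs_t;

/* Product mode conditions shared by both stems. Written as !(a > b) so a
 * NaN from a failed sensor reads as "not met" and the flow diverts. */
static bool product_permissive(const fdd_inputs_t *in) {
    if (!(in->temp_c > in->legal_temp_c)) return false;
    if (in->manual_divert) return false;
    if (in->magflow_system) {
        if (!(in->flow_pct > 5.0)) return false;      /* loss of signal */
        if (!(in->flow_pct < in->high_flow_alarm_pct)) return false;
        if (!(in->secs_legal > in->forward_flow_delay_s)) return false;
    }
    return true;
}

/* Inspect and CIP: the valve may move only after the stop or CIP delay. */
static bool non_product(const fdd_inputs_t *in) {
    if (in->mode == MODE_INSPECT)
        return in->secs_in_mode > in->promoter_stop_s;
    if (in->mode == MODE_CIP)
        return in->cip_request && in->secs_in_mode > in->cip_delay_s;
    return false;               /* unknown mode: stay diverted */
}

/* true = divert valve solenoid energized. */
bool divert_solenoid(const fdd_inputs_t *in) {
    return in->mode == MODE_PRODUCT ? product_permissive(in) : non_product(in);
}

/* true = leak detect valve solenoid energized. */
bool detect_solenoid(const fdd_inputs_t *in) {
    if (in->mode != MODE_PRODUCT) return non_product(in);
    return product_permissive(in) && in->divert_ms_forward
        && in->secs_divert_forward > in->flush_time_s;
}

/* Constructed operating point with every Product mode condition met. */
fdd_inputs_t sample_product_inputs(void) {
    fdd_inputs_t in = { MODE_PRODUCT, 0, 5, 600, false, 73.0, 72.0, false,
                        true, 60, 110, 20, 15, true, 3, 1 };
    return in;
}
```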

Flowchart - Logic Diagram Safety Thermal Limit Recorder - Controller. Description follows.

Description for Flowchart - Logic Diagram Safety Thermal Limit Recorder - Controller

This image is a Logic Diagram of a Safety Thermal Limit Recorder-Controller for a computer or programmable logic controller.

  • When the program starts the chart motor is activated.
  • If the divert micro switch is on and the divert flow is detected by the detect micro switch, a red light appears and the timing pump is powered. If the divert flow is not detected by the detect micro switch, no light appears.
  • If the legal pasteurization temperature is met, the power goes to the flow control device and the flow diversion device. The micro switch is in forward flow mode, a green light appears and the frequency pen solenoid is activated to record forward flow.

Flowchart - Logic Diagram Flow Control Device. Description follows.

Description for Flowchart - Logic Diagram Flow Control Device

This image is a Logic Diagram of a Flow Control Device for a computer or programmable logic controller.

  • In Inspect Mode, the Flow Control Device is Off
  • In Product Mode, if the temperature is greater than Legal Pasteurization temperature, a signal goes to the flow control device starter to operate. If the temperature is not met, a signal is sent by the divert micro switch and the detect micro switch which signal the fully diverted flow position. The flow control device starter is then energized. When the pasteurization temperature goes below the legal pasteurization temperature a time delay relay may be installed to permit the flow control device to continue operating during the normal time it takes for the flow diversion device to move from forward flow to diverted flow (not more than one second delay).
  • In clean in-place mode, there is a 10 minute delay before the clean in-place operation starts and a signal is sent to the flow control device starter. If the 10 minute delay is not used when clean in-place is initiated then no signal can be sent to the flow control device starter.

Flowchart - Logic Diagram Booster Pump. Description follows.

Description for Flowchart - Logic Diagram Booster Pump

This image is a Logic Diagram of a Flow Control Device for a computer or programmable logic controller.

  • In Inspect Mode, the Flow Control Device is Off
  • In Product Mode, if the temperature is greater than Legal Pasteurization temperature, a signal goes to the flow control device starter to operate. If the temperature is not met, a signal is sent by the divert micro switch and the detect micro switch which signal the fully diverted flow position. The flow control device starter is then energized. When the pasteurization temperature goes below the legal pasteurization temperature a time delay relay may be installed to permit the flow control device to continue operating during the normal time it takes for the flow diversion device to move from forward flow to diverted flow (not more than one second delay).
  • In clean in-place mode, there is a 10 minute delay before the clean in-place operation starts and a signal is sent to the flow control device starter. If the 10 minute delay is not used when clean in-place is initiated then no signal can be sent to the flow control device starter.