Skip to content
EMS handbook

2.2 Recipe / program management

A machine recipe—such as a reflow profile, a torque script, or a pick-and-place file—is more than just a “setting”; it acts as a critical manufacturing specification. If a process engineer modifies a temperature profile by 5˚C to address a yield issue without proper validation, they have effectively created an undocumented product revision. It is essential to treat machine programs as Software Source Code, ensuring they are versioned, protected, and immutable during execution.

The “golden copy” architecture

Section titled “The “golden copy” architecture”

Relying on the machine’s local hard drive as the master repository creates isolated “Data Islands” where revision control is difficult to maintain.

  • The Repository: All Master Recipes should reside in a centralized PLM (Product Lifecycle Management) or MES database.
  • The Cache: The machine’s local storage is intended for buffering only.
  • Synchronization Logic:
    • When a Production Order starts, the MES pushes the specific “Golden Copy” directly to the machine.
    • When the network fails, the machine may safely run from the Local Cache only after the system verifies that its Checksum still matches the last known valid Master.

The “check-sum” handshake

Section titled “The “check-sum” handshake”

Assuming that a file name guarantees its content can lead to errors; for instance, “Profile_Rev2.rcp” on the server might theoretically differ from “Profile_Rev2.rcp” on the machine. Utilizing cryptographic hashes is a robust way to guarantee file integrity.

The Verification Logic

  1. Download: The MES downloads the recipe to the Machine.
  2. Calculate: The Machine or an Edge Gateway calculates a hash (like MD5 or SHA256) of the loaded parameter set.
  3. Verify: The Machine sends the calculated Hash back to the MES.
  4. Decision:
    • When the Machine Hash matches the Master Hash, the system enables the Start Button.
    • When the Machine Hash does not match the Master Hash, the system triggers an interlock to stop the line and alerts Engineering for immediate investigation.

Pro-Tip: Some legacy machines cannot calculate hashes. In this case, use “Parameter Scrape.” The MES reads back all 50 critical setpoints and compares them value-by-value against the database before allowing the run.

Lifecycle state machine & approvals

Section titled “Lifecycle state machine & approvals”

Recipes should mature through a defined governance process. It is best practice to prevent “Draft” programs from running on saleable product.

States

Section titled “States”
  1. Draft / Engineering: Editable. Allowed only on NPI (New Product Introduction) orders or “Engineering” flag.
  2. Pending Approval: Locked (Read-Only). Waiting for Quality Sign-off.
  3. Released (Active): The Standard. Read-Only. Executable on Production Orders.
  4. Obsolete: Archived. Blocked from execution.

The approval gate

Section titled “The approval gate”

A single individual should generally not have the unilateral authority to change a process variable and release it to production. Implementing a “Two-Person Rule” adds a layer of necessary oversight.

  • Editor (e.g. Process Engineer): Modifies the parameter and transitions the state to “Pending.”
  • Approver (e.g. Quality or Lead Engineer): Reviews the change (often via a Delta Report) and transitions the state to “Released.”
  • Constraint: The system should enforce that the Editor and the Approver are not the same User ID.

Role-based access control (RBAC) matrix

Section titled “Role-based access control (RBAC) matrix”

These permissions must be hard-coded into the machine HMI or managed via a centralized console. The use of shared or generic passwords (e.g. “1234”) must be eliminated.

RoleCapabilitiesConstraint
OperatorLoad Recipe, Start, Stop.Cannot edit process parameters or bypass safety interlocks.
Process EngineerEdit Parameters, Save As New Version.Cannot unilaterally Release to Production.
Quality ManagerView Parameters, Approve/Reject Release.Cannot Edit parameters directly.
MaintenanceCalibrate offsets (e.g. Z-height, Vision).Changes are limited to “Machine Constants,” not the specific “Product Recipe.”

Handling “tolerances” vs. “setpoints”

Section titled “Handling “tolerances” vs. “setpoints””

Operators frequently require minor adjustments to account for natural material variance. It is important to clearly define what parameters are “Fixed” and what is “Floating.”

  • Critical Process Parameters (CPPs): These are Fixed (e.g. Reflow Soldering Temperature, Press Force) and should remain Locked.
  • Machine Variables: These are Floating within a specific window (e.g. Conveyor Width, Vision Brightness).
  • The Window Logic:
    • The system can allow an Operator adjustment window, for example, of ± 5%.
    • When an adjustment request exceeds that 5% window, the system should require a Supervisor Password to authorize the change.

Final Checkout: Recipe / program management

Section titled “Final Checkout: Recipe / program management”
CategoryMetric / ControlThreshold / Rule
StorageCentralizationMaster Recipes are stored on a Central Server (not locally).
IntegrityHash CheckThe Machine verifies the Recipe Checksum before a run is permitted.
AccessSegregationOperators do not have Write access to critical process parameters.
LifecycleNPI Control”Draft” recipes are blocked from Mass Production Work Orders.
GovernanceDual Sign-offRelease requires 2 distinct digital signatures.
ChangeAudit TrailWho changed it, When, From Value X to Value Y.
BackupDisaster RecoveryNightly backup of all “Golden Copies” to off-site storage.