2.2 Recipe / program management
A machine recipe—such as a reflow profile, a torque script, or a pick-and-place file—is more than just a “setting”; it acts as a critical manufacturing specification. If a process engineer modifies a temperature profile by 5˚C to address a yield issue without proper validation, they have effectively created an undocumented product revision. It is essential to treat machine programs as Software Source Code, ensuring they are versioned, protected, and immutable during execution.
The “golden copy” architecture
Section titled “The “golden copy” architecture”Relying on the machine’s local hard drive as the master repository creates isolated “Data Islands” where revision control is difficult to maintain.
- The Repository: All Master Recipes should reside in a centralized PLM (Product Lifecycle Management) or MES database.
- The Cache: The machine’s local storage is intended for buffering only.
- Synchronization Logic:
- When a Production Order starts, the MES pushes the specific “Golden Copy” directly to the machine.
- When the network fails, the machine may safely run from the Local Cache only after the system verifies that its Checksum still matches the last known valid Master.
The “check-sum” handshake
Section titled “The “check-sum” handshake”Assuming that a file name guarantees its content can lead to errors; for instance, “Profile_Rev2.rcp” on the server might theoretically differ from “Profile_Rev2.rcp” on the machine. Utilizing cryptographic hashes is a robust way to guarantee file integrity.
The Verification Logic
- Download: The MES downloads the recipe to the Machine.
- Calculate: The Machine or an Edge Gateway calculates a hash (like MD5 or SHA256) of the loaded parameter set.
- Verify: The Machine sends the calculated Hash back to the MES.
- Decision:
- When the Machine Hash matches the Master Hash, the system enables the Start Button.
- When the Machine Hash does not match the Master Hash, the system triggers an interlock to stop the line and alerts Engineering for immediate investigation.
Lifecycle state machine & approvals
Section titled “Lifecycle state machine & approvals”Recipes should mature through a defined governance process. It is best practice to prevent “Draft” programs from running on saleable product.
States
Section titled “States”- Draft / Engineering: Editable. Allowed only on NPI (New Product Introduction) orders or “Engineering” flag.
- Pending Approval: Locked (Read-Only). Waiting for Quality Sign-off.
- Released (Active): The Standard. Read-Only. Executable on Production Orders.
- Obsolete: Archived. Blocked from execution.
The approval gate
Section titled “The approval gate”A single individual should generally not have the unilateral authority to change a process variable and release it to production. Implementing a “Two-Person Rule” adds a layer of necessary oversight.
- Editor (e.g. Process Engineer): Modifies the parameter and transitions the state to “Pending.”
- Approver (e.g. Quality or Lead Engineer): Reviews the change (often via a Delta Report) and transitions the state to “Released.”
- Constraint: The system should enforce that the Editor and the Approver are not the same User ID.
Role-based access control (RBAC) matrix
Section titled “Role-based access control (RBAC) matrix”These permissions must be hard-coded into the machine HMI or managed via a centralized console. The use of shared or generic passwords (e.g. “1234”) must be eliminated.
| Role | Capabilities | Constraint |
|---|---|---|
| Operator | Load Recipe, Start, Stop. | Cannot edit process parameters or bypass safety interlocks. |
| Process Engineer | Edit Parameters, Save As New Version. | Cannot unilaterally Release to Production. |
| Quality Manager | View Parameters, Approve/Reject Release. | Cannot Edit parameters directly. |
| Maintenance | Calibrate offsets (e.g. Z-height, Vision). | Changes are limited to “Machine Constants,” not the specific “Product Recipe.” |
Handling “tolerances” vs. “setpoints”
Section titled “Handling “tolerances” vs. “setpoints””Operators frequently require minor adjustments to account for natural material variance. It is important to clearly define what parameters are “Fixed” and what is “Floating.”
- Critical Process Parameters (CPPs): These are Fixed (e.g. Reflow Soldering Temperature, Press Force) and should remain Locked.
- Machine Variables: These are Floating within a specific window (e.g. Conveyor Width, Vision Brightness).
- The Window Logic:
- The system shall allow an Operator adjustment only within a defined window, for example, of ± 5%.
- If an adjustment exceeds the permitted window, the system shall require a Supervisor Password to authorize the change.
Recap: Recipe/Program Management
Section titled “Recap: Recipe/Program Management”| Control Object | Requirement | Value / Action | Condition / Constraint |
|---|---|---|---|
| Recipe Integrity | Cryptographic hash verification (MD5/SHA256) | Match: Enable start. Mismatch: Trigger line interlock & alert engineering. | Mandatory for all recipe transfers. For legacy machines, use parameter scrape (50 critical setpoints). |
| Recipe Lifecycle State | State-based execution control | Draft: NPI/Engineering orders only. Pending: Read-only, awaiting approval. Released: Read-only, executable. Obsolete: Blocked. | System must enforce state logic. |
| Recipe Change Approval | Two-Person Rule enforcement | Editor modifies & sets to Pending. Approver reviews & sets to Released. | System must enforce Editor and Approver are different User IDs. |
| Parameter Adjustment | Operator adjustment window | Floating variables: Allowed ±5% of setpoint. Exceeds ±5%: Requires supervisor password authorization. | Critical Process Parameters (CPPs) are fixed and locked for operators. |
| Master Recipe Source | Golden Copy architecture | Master recipes reside in centralized PLM/MES. Machine local storage is cache only. | On production order start, MES pushes Golden Copy to machine. Network fail: Run from cache only if checksum matches last valid master. |