Terms and conditions for the approval of metrological audit trails

1.0 Application

These Terms and conditions apply to audit trails incorporated in weighing and measuring devices and systems (see Footnote 1).

2.0 Definitions

In this document:

Adjustment

means a change in the value of any of a device's sealable calibration or sealable configuration parameters.

Adjustment Mode

means an operational mode of a device which enables the user to make adjustments to sealable parameters, including changes to configuration parameters.

Audit Trail

means an electronic count and/or information record of the changes to the values of the calibration or configuration parameters of a device.

Calibration Parameter

means any adjustable parameter that can affect measurement or performance accuracy, and due to its nature, needs to be updated on an ongoing basis to maintain device accuracy.

Configuration Parameter

means any adjustable or selectable parameter for a device feature that can have an effect on the accuracy of a transaction or can significantly increase the potential for fraudulent use of the device and, due to its nature, needs to be updated only during device installation or upon replacement of a component.

Enabling/Disabling Sealable Hardware

means physically sealable hardware, such as a two-position switch, located on a remotely configurable device that enables and inhibits the capability to receive adjustment values or changes to sealable configuration parameters from a remote source.

Event

means an action in which one or more changes are made to configuration parameters, or adjustments are made to one value (or a set of values) for a calibration parameter, while in the adjustment mode.

Event Counter

means a non-resettable counter that increments once for each time the mode that permits changes to sealable parameters is entered and one or more changes are made to sealable calibration or configuration parameters of a device.

Event Logger

means a form of audit trail containing a series of records where each record contains the number from the event counter corresponding to a change to a sealable parameter, the identification of the parameter that was changed, the time and date when the parameter was changed and the new value of the parameter.

Physical Seal

means a physical mechanism, such as lead and wire, used to seal access to a device's adjustable parameters that are required to be sealed.

Remote Configuration Capability

means the ability to adjust a weighing or measuring device or change its sealable parameters from or through some other device which is not itself necessary to the operation of the weighing or measuring device or is not a permanent part of that device.

Remote Device

means a device that (1) is not required for the measurement operation of the primary device or computing the transaction information in one or more of the available operating modes for commercial measurements, or (2) is not a permanent part of the primary device. In the context of this paper, a remote device has the ability to adjust the weighing or measuring device or change its sealable configuration parameters.

Remotely Configurable Device

means a device that (1) is not required for the measurement operation of the primary device or computing the transaction information in one or more of the available operating modes for commercial measurements, or (2) is not a permanent part of the primary device. In the context of this paper, a remote device has the ability to adjust the weighing or measuring device or change its sealable configuration parameters.

Seal

means, as a verb, to make a device secure so that access to adjustments and other sealable parameters will be detectable.

Sealable Parameter

means calibration and configuration parameters that are required to be sealed.

Unrestricted Access to Sealable Parameters

means that a physical security seal is not present, so that access to sealable parameters is available from a remote device at any time at the request of an authorized operator subject to the operating status of the weighing or measuring device.

3.0 Categories of devices

Category 1: A device that does not have remote configuration shall be sealed as described in the appropriate section of Table A.

Category 2: A device offering remote configuration capability for its sealable parameters and providing enabling/disabling hardware to control remote configuration use shall be sealed as described in the appropriate section of Table A.

Category 3: A device that provides unrestricted access to its sealable parameters shall be sealed as described in the appropriate section of Table A.

Table A: Categories of devices and methods of sealing

| Categories of Device | Methods of Sealing |
| --- | --- |
| Category 1: No remote configuration capability | Physical seal or two event counters: one for calibration parameters and one for configuration parameters |
| Category 2: Remote configuration capability but access is controlled by physical hardware | Enabling/disabling hardware access for remote communication must be located at the device and must be sealed using a physical seal or two event counters: one for calibration parameters and one for configuration parameters |
| Category 3: Remote configuration capability may be unlimited or controlled by a software switch (ex. password) | An event logger is required in the device |

4.0 Event counters

The minimum form of audit trail shall consist of two event counters: one for calibration parameters and one for configuration parameters.

Each event counter shall have a capacity of at least 1000 values (ex. 0 to 999).

An event counter for calibration parameters or configuration parameters shall increment only once regardless of the number of changes made while in the adjustment mode. If the mode is accessed and no changes are made, this does not constitute an event and the counter shall not increment.
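The counting rule above, as an added example that is not part of the original terms and conditions: one increment per adjustment-mode session in which something changed, and none for a session with no changes. The class and parameter names are hypothetical, and two points are assumptions: each counter moves only when a parameter of its own kind changed, and rewriting a parameter with its current value is not treated as a change.

```python
class Device:
    def __init__(self, kinds):
        self.kinds = dict(kinds)  # parameter name -> "calibration" or "configuration"
        self.values = {}
        self.counters = {"calibration": 0, "configuration": 0}

    def adjustment_mode(self):
        return AdjustmentSession(self)


class AdjustmentSession:
    """One entry into adjustment mode; counters are updated once, on exit."""

    def __init__(self, device):
        self.device = device
        self.touched = set()  # kinds of sealable parameter actually changed

    def __enter__(self):
        return self

    def set(self, name, value):
        kind = self.device.kinds[name]  # KeyError for a name that is not sealable
        if self.device.values.get(name) != value:  # assumption: same value = no change
            self.device.values[name] = value
            self.touched.add(kind)

    def __exit__(self, *exc):
        for kind in self.touched:  # at most one increment per counter per session
            self.device.counters[kind] += 1
        return False


def demo_counters():
    # Constructed sample device; parameter names are illustrative only.
    scale = Device({"zero": "calibration", "span": "calibration",
                    "motion_detection": "configuration"})
    with scale.adjustment_mode() as s:  # three calibration changes, one event
        s.set("zero", 12)
        s.set("span", 20000)
        s.set("span", 20010)
    with scale.adjustment_mode():  # mode entered, nothing changed: no event
        pass
    with scale.adjustment_mode() as s:  # one change of each kind
        s.set("span", 20015)
        s.set("motion_detection", "on")
    return scale.counters
```
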

5.0 Event loggers

The event logger shall contain the following information, as a minimum:

  1. a count of the events;
  2. date and time;
  3. parameter identification; and
  4. new value.

The information described in the list above shall be automatically entered in the event logger by the device each time a sealable parameter is changed.

Additional relevant information is permitted, such as the identification of the person who made the adjustment or the old value of the parameter that was changed. Information that is not directly related to the changes to sealable parameters, such as transaction data, operator inventory records, or shift totals shall be excluded when event logger contents are displayed or printed.

The event counter shall increment once for each change to a sealable parameter since each new value must be retained in the event logger.

The date shall include the year, month and day; the time shall include the hour and minutes. This information shall be presented in a recognizable format.

A hard-copy printout of the contents of the event logger shall be available upon demand from the device or from an associated device on site.

An event logger shall have the capacity of at least ten times the number of sealable parameters; however, not more than one thousand events are required to be retained for all parameters combined.

When the storage memory of the event logger has been filled to capacity, any new event will cause the oldest event to be deleted.

The event counter used in an event logger shall continue to increment to capacity although the event logger may retain fewer records than the count capacity of the event counter.
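A minimal event logger following the rules of this section, as an added example that is not part of the original terms and conditions: one record and one counter increment per changed parameter, the minimum capacity rule, oldest-first deletion when full, and a counter that keeps counting after records are dropped. Names are hypothetical; the counter's own capacity and rollover are not modelled, and rejecting non-sealable parameter names is an assumption. The report prints the most recent event first, as section 10.0 requires.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_REQUIRED_EVENTS = 1000  # no more than 1000 retained events are required


def minimum_capacity(num_sealable_params):
    """Smallest permitted record capacity: ten per parameter, capped at 1000."""
    return min(10 * num_sealable_params, MAX_REQUIRED_EVENTS)


class EventLogger:
    def __init__(self, sealable_params):
        self.sealable = frozenset(sealable_params)
        # deque(maxlen=...) discards the oldest record when a new one arrives at capacity
        self.records = deque(maxlen=minimum_capacity(len(self.sealable)))
        self.event_counter = 0  # never reset; keeps counting after records are evicted

    def record_change(self, param_id, new_value, when):
        if param_id not in self.sealable:  # assumption: other parameters are rejected
            raise ValueError(f"{param_id!r} is not a sealable parameter")
        self.event_counter += 1  # one increment for each changed parameter
        self.records.append((self.event_counter, when, param_id, new_value))
        return self.event_counter

    def report(self):
        """One line per event, most recent first; date as Y-M-D, time as H:M."""
        return [
            f"{count:06d}  {when:%Y-%m-%d %H:%M}  {param_id} = {new_value}"
            for count, when, param_id, new_value in reversed(self.records)
        ]


def demo_logger():
    # Constructed sample: two sealable parameters, so capacity is 20 records.
    log = EventLogger(["span", "zero_coarse"])
    start = datetime(2024, 1, 15, 9, 0)
    for i in range(25):  # 25 changes overflow the 20-record store
        log.record_change("span", 20000 + i, start + timedelta(minutes=i))
    return log
```
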

6.0 Centralized event logger

A centralized event logger may be used when several "satellite" devices are interfaced to a host computer or other host instrument with remote configuration capability.

When changes to sealable parameters are made at the device, rather than through the host instrument containing the centralized event logger, the changes shall be transferred to and maintained in the centralized event logger.

It shall not be possible to circumvent the device containing the centralized event logger. If the event logger is inhibited, or disconnected, the attached network of devices shall be inoperable and impossible to adjust electronically when in the network configuration.

When the same values for a change to a sealable parameter are sent from the host instrument to several satellite devices, this shall be considered a single event.

When changes to sealable parameters are made to individual devices, the centralized event logger shall identify both the device and the parameter that was changed.

A device installed in a "stand-alone" operation must have the minimum form of audit trail required by Table A.

7.0 Category 2 devices—remote configuration mode

When a remotely configurable device is in remote configuration mode, the device shall either:

  1. not indicate or record (if equipped with a printer) values; or,
  2. provide a clear and continuous indication that the device is in remote configuration mode. Any printed ticket or receipt shall include a message with each ticket or receipt that the device is in an adjustment mode.

Note: A "clear and continuous indication" must discourage the use of the device for normal transactions when in an adjustment mode. This may consist of a partial obscuring of the indication, an alternate display message, or some other obvious indication. The lighting of an annunciator is not sufficient. If values can be printed when in an adjustment mode, the system shall record a message to indicate that the device is in an adjustment mode.

8.0 Audit trail integrity

The audit trail shall be:

  1. stored in non-volatile memory and retained for at least 30 days if power is removed from the device; and
  2. protected from unauthorized erasure, seizure, substitution, or modification.

9.0 Audit trail access

The inspector shall have ready access to audit trail information for the purpose of printing or viewing its contents.

Access to the audit trail for the purpose of review shall be separate from the calibration and configuration modes.

Access to the audit trail for the purpose of review shall not affect the normal operation of a device before or after accessing the information.

Access to the audit trail information shall not require the removal of any parts of a device other than normal requirements to inspect the integrity of a physical seal.

Note: A key (for a panel lock, for example), is acceptable to gain access and view the contents of the audit trail. Such access may be through the "supervisor's mode" of a device.

10.0 Displayed and recorded information

The displayed and/or printed form of the audit trail shall be readily interpretable by the enforcement official.

The information contained in the audit trail shall be displayed and/or printed in order, from the most recent event to the oldest event. The device shall be capable of displaying all the information for a single event on one line at one time, or it shall display the information in readily understandable blocks of data.

11.0 Sealable parameters

Calibration and configuration parameters that can affect measurement performance of a device, the accuracy of a transaction, or can significantly increase the potential for fraudulent use, shall be sealed.

Note: The need to seal specific features also depends upon:

  1. The ease with which the feature or the selection of the feature can be used to facilitate fraud; and
  2. The likelihood that the use of the feature will result in fraud not being detected.

The adjustment mode containing sealable parameters shall access only sealable parameters. Features and functions that are routinely used by the operator as part of the device operation, such as setting unit prices and maintaining unit prices in price look-up (PLU) codes stored in memory, are not sealable parameters. Access to these features shall be separate from the access to sealable parameters.

When the selection of a parameter or a set of parameters will result in device performance that will obviously be in error, such as the selection of parameters for a different country, the selection of the parameter or set of parameters in question is not required to be sealed.

Access to any programming mode or menu that allows individual characteristics of a device to be selected and changed must be sealed.

Any physical act, such as cutting a wire and physically repairing the cut to reactivate the parameter, is considered an acceptable way to select parameters without requiring a physical seal or an audit trail.

A list of adjustments, features and parameters that are required to be sealed is found in Table B. This list is not intended to be all inclusive.

Note: A device manufacturer must demonstrate that any features that are not sealed will not affect the metrological performance of the device.

Table B – Sealable parameters
Device Type Calibration Parameters Configuration Parameters
Non-Automatic Weighing Devices
  • Zero (coarse)
  • Sensitivity (span)
  • Linearity correction points
  • Motion detection (on/off, bandwidth)
  • Scale interval (value of d or location of decimal)
  • Number of scale divisions
  • Range of overcapacity
  • Automatic zero setting mechanism (on/off and range of a single step)
  • Zero and automatic zero setting mechanism total range (if the range can be set for more than 4% and if this increases the device weighing capacity)
  • Filter (number samples averaged for weight readings)
  • Filter (averaging time for weight indications)
  • Units of measurement (if not displayed or printed on the primary register).
Liquid Measuring Devices
  • Mechanical accuracy adjustor, electronic meter factor or any other type of accuracy adjustment parameter and associated flow rate if applicable
  • Mass flow meter zero and span adjustments
  • Temperature, pressure and density or other auxiliary sensor zero, span and offset settings
  • Units of measurement (if not displayed or printed on the primary register)
  • Temperature compensation table, liquid coefficient of expansion, or compressibility factors or tables used if not indicated on a printed ticket
  • Liquid density (if not displayed or printed on the primary register)
  • Vapour pressure of liquids if used in calculations to establish quantity
  • Meter or sensor temperature compensation factors if used
  • False or missing pulse limit for dual pulse systems
  • Automatic temperature, pressure, or density (ATC, APC, ADC) compensation on/off status
  • Sensor auto/manual data input modes if not apparent when the device is used or not printed on a ticket
  • Dual pulse checking feature on/off status
  • Flow control settings (optional)
  • Filtering constants

Sealable parameters for conveyor belt scales shall include those listed for non-automatic weighing devices as well as the following:

  1. Length of the weighing element;
  2. Number of pulses per unit of length (or equivalent);
  3. Maximum belt speed;
  4. Maximum/minimum instantaneous load (units of mass), or maximum/minimum rate of product flow (mass per unit length);
  5. Finest increment of registration of the Master Weight Totalizer;
  6. Alarm levels;
  7. Any associated filtering functions;
  8. Summing box; and
  9. Displacement transducer casing.

Sealable parameters for discontinuous totalizing automatic weighing devices, such as bulkweighers and automatic hopper scales, shall include those listed for non-automatic weighing devices as well as interlocks (software or hardware, control panel, etc.) that monitor level sensors, limit switches, motion detectors or any other interlocks.

Sealable parameters for in-motion rail weighing systems shall include those listed for non-automatic weighing devices as well as the following:

  1. Maximum and minimum weighing speed for legal for trade weighing;
  2. Restrictions on train travel direction for legal for trade weighing (if applicable);
  3. Maximum number of wagons that shall be weighed as part of a legal for trade weighing (if such a limitation is imposed on the device); and
  4. Any associated filtering functions.

Alan E. Johnston
President
Measurement Canada

Footnotes

Footnote 1

The requirements of these terms and conditions were included in draft specifications related to Metrological Audit Trails.