S-EG-06—Specifications relating to event loggers for electricity and gas metering devices


Category: Electricity and gas
Specification: S-EG-06 (rev. 1)
Issue date: 2018-09-13
Effective date: 2018-09-13
Supersedes: S-EG-06


1.0 Purpose

The purpose of these specifications is to establish the design, construction and performance requirements for the approval of event loggers for electricity and gas metering devices. These specifications address the information, format and integrity of both self-contained and exported event logs and identify the conditions and circumstances in which an event logger may be approved to augment existing sealing requirements for metering devices approved as configurable devices.

2.0 Scope

2.1 These specifications apply to event loggers incorporated in electricity and gas metering devices and systems as governed by the Electricity and Gas Inspection Act and Regulations.

2.2 These specifications do not apply to any device which is not approved for use by Measurement Canada, unless the device forms part of a measurement system which includes an approved device and that system is being used for a purpose governed by the Electricity and Gas Inspection Act and Regulations.

2.3 These specifications do not apply to test standards, equipment or apparatus used to repair, calibrate, inspect or verify devices or systems.

3.0 Authorization

This specification is issued pursuant to section 12 of the Electricity and Gas Inspection Regulations.

4.0 Definitions

Adjustment

A change in the value of any of a device's legally relevant parameters or adjustable features and includes the replacement or alteration of any component of a device that can have an effect on its metrological integrity.

Audit trail

An information record of changes to legally relevant parameters of a device.

Calibration parameter

Any adjustable parameter that can affect the measurement accuracy of a device.

Configurable device

A device which is designed such that the information received from its measurement inputs can be selected and/or processed in different ways to suit different measurement applications. A configurable device includes any device that has been approved to permit legally relevant parameters to be deleted, appended to, modified, or substituted in whole or in part directly by the authorized operator or by any type of communications link from another device, such as a geographically local or remote console or computer, whether or not the secondary apparatus is part of the network connecting the devices.

Configurable parameter

Any adjustable or selectable parameter for a device feature that can have an effect on the accuracy of a device or can significantly increase the potential for fraudulent use of the device and, based on its nature, may need to be updated on an ongoing basis or only during device installation or upon replacement of a component.

Configuration

To make adjustments to legally relevant parameters.

Device

Includes a Measurement Canada approved meter or a measurement system incorporating one or more approved meters.

Device-specific parameter

Legally relevant parameter with a value that depends on the individual instrument. Device-specific parameters comprise calibration parameters, metrological parameters and configuration parameters.

Disabling hardware

Sealable hardware, such as a switch or jumper, located on a configurable device, that enables or inhibits the capability to receive adjustment values or changes to legally relevant parameters from a remote source.

Event

An action in which one or more changes are made to a legally relevant parameter(s) and includes the actions of software updating and event log exporting.

Event log

A compilation of event records.

Event logger

A secure form of audit trail containing a series of records where each record contains a number corresponding to the occurrence of a specific event.

Exporting

The process of transferring a copy of the event log in an event logger residing within a device into a remote event logger.

Automatic

Exporting via a communication link whereby a copy of the event log within a device is made in a remote event logger. The export is initiated by either a time-driven or event-driven process and requires no operator intervention.

Semi-automatic

Exporting via a communication link whereby a copy of the event log within a device is made in a remote event logger. The export requires operator intervention only to initiate the process. All other aspects of the process must progress and conclude without human intervention.

Legally relevant

Software, hardware, data or a part thereof which interferes with properties regulated by legal metrology.

Legally relevant parameter

Parameter of a measuring instrument, electronic device or a sub-assembly subject to legal control. Legally relevant parameters typically form part of the legally relevant functions performed by a device. The following types of legally relevant parameters can be distinguished: type-specific parameters and device-specific parameters. For the purposes of this specification, legally relevant parameters are those parameters which are, either individually or as part of a function, subject to verification under the Electricity and Gas Inspection Act.

Metrological adjustment

Any physical means or method that is designed, or intended to be used or that is used to alter and/or correct the measurement characteristics of a device or system. This includes altering or replacing the register, components, connections or working parts of a device and also includes the alteration of any required information that is available from the device or any output from the device.

Metrological parameter

Any constant, factor or algorithm used by a device to produce results for trade measurement purposes.

Physical seal

A physical mechanism that is used to secure access to a device's metrological adjustments or legally relevant parameters.

Reconfiguration

Changing the configuration of a configurable device.

Reprogramming

Includes event logger software updating and modifications originating from or performed by the event logger manufacturer or its representative as identified in the notice of approval.

Software updating

The act of modifying, updating or reinstalling a device's software.

Seal

A means to secure a device so that access or changes to metrological adjustments and legally relevant parameters will be detectable.

Signature (digital)

The result of encrypting (with the sender's private key) a hash code generated by the sender's hash function. The receiver may require a cryptographic certificate of the sender to be confident of the authenticity of the public key.

Type-specific parameter

Legally relevant parameter with a value that depends on the type of device. Type-specific parameters have identical values for all specimens of an approved type and are fixed at type approval of the device.

Verification triggering event

Any event deemed by Measurement Canada to require a verification of the device before it is permitted to be used or continued for use in trade. The recording of a verification triggering event is analogous to breaking a physical seal and must have the same ramifications and consequences as the breaking of a physical seal.

5.0 Legally relevant parameters

5.1 General conditions

5.1.1 Except as set out herein, a device must be provided with security arrangements to prevent access to its internal working parts, adjustments, reprogramming and reconfiguration. Security arrangements must not prevent the normal operation of the device, correct operation of any of the output mechanisms of the device, access to any of the information necessary to verify the device, or access via a communication port to data accumulated by the device.

5.1.2 Subject to the provisions of clauses 5.1.1 to 5.1.11, legally relevant parameters which can affect the measurement performance of a device or the accuracy of a transaction, or that can significantly increase the potential for misuse or fraudulent use must be secured.

5.1.3 All modifications to legally relevant device-specific parameters which form part of an approved function are verification triggering events, unless the modification is a reconfiguration which results in the switching of one verified legally relevant parameter for another legally relevant parameter which has also been verified.

5.1.4 Where a configurable device includes a legally relevant function that has been specifically approved as a function intended to be utilized with variable parameters falling within an approved range, all discrete parameters which lie within the approved range are legally relevant and must be considered as having been verified as part of a device's verification process.

5.1.5 The notice of approval for a configurable device must specify:

  (a) the provisions authorized for the effective sealing and securing of the device; and
  (b) the device-specific legally relevant parameters that are capable of being reconfigured without requiring device reverification.

5.1.6 Where the capability for software updating is recognized in a device's notice of approval, the security arrangements may be such that they do not prevent access to the means to update the device's software, as long as such updating complies with all applicable specifications and is recorded in an event logger meeting the requirements set out in this document. It must be possible to readily determine whether or not a device has been metrologically compromised or has had its software updated since its last verification.

5.1.7 The programmed legally relevant parameters of a device must reside in the device.

5.1.8 Any component that forms part of a measuring system that is connected by a signal carrying wire or cable must be terminated such that either a physical seal must be broken or an event must occur in order to connect or disconnect it. The only exception is where an approval recognizes component interchangeability and:

  (a) the exchange process is either approved or established by specification;
  (b) the interchangeability does not require alteration of other metrological adjustments or manual alteration of the legally relevant parameters of the device; and
  (c) the component interchange does not degrade the metrological performance of the device.

5.1.9 Modifications to legally relevant parameters that are type specific are not permissible.

5.1.10 Modifications to calibration parameters, parameters with a hardware dependency, and any parameter protected by a physical seal are verification triggering events.

5.1.11 Modifications to legally non-relevant parameters or unapproved parameters are not verification triggering events and are not required to be logged as an event in the event log.

5.2 Legally relevant type-specific or device-specific parameters

5.2.1 Calibration parameters

Calibration parameters include, but are not limited to, the following: electronic accuracy adjustors or any other type of accuracy adjustment parameter, voltage or current sensors, or other auxiliary sensor, zero, span, offset settings and compensation factors.

5.2.2 Configuration parameters

Configuration parameters include, but are not limited to, the following: units of measurement (if not displayed or printed on the primary register) and adjustable or selectable parameters used to set up a device to suit specific measurement applications or service configurations, zero reading cut off, and meter factor(s).

5.2.3 Metrological parameters

Metrological parameters include, but are not limited to, the following: measurement constants, factors, variables, equations and algorithms contained in or processed by legally relevant software.

Table A: Categories of devices and methods of sealing/securing legally relevant parameters

Category 1
  Device category: No remote configuration capability, and the device either has no local configuration capability or access to the local configuration capability is precluded by a physical seal.
  Minimum method of sealing/securing: Access to local configuration capability must be precluded by a physical seal.

Category 2
  Device category: Remote configuration capability, but access is controlled by physical hardware, and the device either has no local configuration capability or access to the local configuration capability is precluded by a physical seal.
  Minimum method of sealing/securing: The disabling hardware for access to remote configuration capability must be located on the device and must be sealed, in the disabled mode, using a physical seal. Access to local configuration capability must be precluded by a physical seal.

Category 3
  Device category: Configuration capability, but access is controlled by a software switch or alternate security means, as appropriate.
  Minimum method of sealing/securing: An event logger is required to secure legally relevant parameters that are accessible through the configuration capabilities, and access to the configuration capability must be controlled by an appropriate security provision.

6.0 Security

6.1 Categories of devices

6.1.1 Category 1: A device that has no remote configuration capability; its legally relevant parameters must be sealed as described in the appropriate section of Table A.

6.1.2 Category 2: A device offering remote configuration capability which is disabled by physical hardware. The device either has no local configuration capability or access to the local configuration capability is precluded by physical hardware. The device must be sealed as described in the appropriate section of Table A.

6.1.3 Category 3: A device that has active local and/or remote configuration capability and must be sealed as described in the appropriate section of Table A.

6.2 Configuration

6.2.1 When a configurable device is being reconfigured, the reconfiguration must be readily apparent to the operator and the device must:

  (a) not indicate or record values; or
  (b) provide a clear and continuous indication that the device is in configuration mode; and
  (c) measure continuously and accurately using the existing values until the precise moment that new values are set in place, unless it does not perform trade measurement functions when in configuration mode.

6.2.2 Where measurement indication or recording is suppressed during configuration, the configuration process must be limited by a timeout. After a predetermined period of operator inactivity, the device must automatically return to the operational mode. The predetermined period should be as brief as practicable.

6.3 Event log integrity

6.3.1 The event log must be:

  (a) stored in non-volatile memory; and
  (b) protected from modification, replacement, corruption, deterioration and unauthorized erasure, seizure or deletion.

6.3.2 The event log data must be encrypted or secured by the manufacturer to prevent manipulation of or unauthorized access to the data, other than in accordance with the requirements of these specifications. User access to the data must not be permissible, other than for the purposes of review.

6.3.3 Where a device has been approved to perform traced software updates under Measurement Canada's Specifications for the Approval of Software Controlled Electricity and Gas Metering Devices, the integrity requirements of section 6.3.1 must continue to be met. An event logger must be designed such that the software update process must not be capable of affecting any of the event log data that may be stored on the device.

6.4 Event log access

6.4.1 Access to the event log for the purpose of review must:

  (a) be a distinct operation;
  (b) not affect the normal functioning of a device before, during or after accessing the information;
  (c) not require the removal of any parts of a device and must be accessible if a physical seal is in place; and
  (d) not be logged as an event.

6.4.2 An enforcement official must have ready access to event log information for the purpose of printing or viewing its contents. The information must be readily interpretable by the enforcement official.

7.0 Event loggers

7.1 Type A: Event logger with self-contained event log

7.1.1 The event log in a device must contain, as a minimum, the following information:

  (a) the date and time of the change in the all-numeric SI format (YYYY/MM/DD/HH/MM) or other formats in which the information is provided unambiguously, such as an abbreviation for the month;
  (b) a unique event number;
  (c) identification of the legally relevant parameter(s) being changed and the new value(s);
  (d) identifier for the authorized user that caused the event; and
  (e) where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) version number of the previously installed software.

7.1.2 Where a verification triggering event has occurred, the device's verified status must be voided and the event logger must record the occurrence of the verification triggering event.

7.1.3 The information described in clause 7.1.1 must be automatically entered in the event log in the device each time a legally relevant parameter is changed. The creation of the event log entry and the parameter change must occur successively.

7.1.4 The event number described in clause 7.1.1(b) must:

  (a) commence with zero or one with the first event logged and must increment by one for each subsequent event to a minimum of 32,768 (2^15) events before any event number is repeated;
  (b) increment once for each event or change to a legally relevant parameter(s) (where each new value must be retained in the event log); and
  (c) continue to increment to the maximum value of event capacity although the event log may retain fewer records than the event count capacity identified in (a).

7.1.5 An event may include the reconfiguration of more than one parameter provided that all parameters changed during the event are changed successively and all changes are logged.

7.1.6 A copy of the event log information must be made available upon demand from the device or from an associated device on site (the enforcement official may accept an electronic file that is compatible with a relevant version of a Microsoft Windows-based operating system).

7.1.7 The event log information must be displayed or printed in order, from the most recent event to the oldest event. The device or associated device must be capable of displaying all the information for a single event on one line at one time or it must display the information in readily understandable blocks of data.

7.1.8 The event log must have a capacity equal to at least ten times the number of configurable parameters; however, not more than 1,000 events are required to be retained for all parameters combined.

7.1.9 Once the number of events stored in the event log has reached the capacity of the event logger, it must not be possible to make further changes unless the device is reverified in accordance with Measurement Canada requirements.

7.1.10 Where a device is subject to reverification, it must be possible, through the breaking of a physical seal, to access the event logger's set-up for the purpose of allowing each new post-verification event to be recorded in a manner that results in the disappearance of the oldest event. This reconfiguration of the event logger must be recorded as an event and does not preclude the requirements of clause 7.1.9, such that the device must be capable of recognizing that it has reached its capacity since the last verification.

7.1.11 It must not be possible to create a false or unsubstantiated entry in the event log and it must not be possible to reprogram the device without creating an entry in the event log.

7.1.12 Where the device programming includes the capability of deferring and automatically executing changes to legally relevant parameters, the event logger must:

  (a) reserve adequate event log capacity to meet the requirements of clauses 7.1.9, 7.1.12(b) and 7.1.12(c);
  (b) generate an event log record at the time that the automatic program is armed; and
  (c) generate the required event log record at the time the change(s) is processed or the automatic program is deactivated or cancelled.

7.1.13 Additional relevant information is permitted to be logged. However, in these instances, the device or associated device must be capable of displaying or printing both the complete log information record and a log information record that excludes information that is not directly related to changes to legally relevant parameters. Alternatively, a device may be equipped with two separate event logs or loggers.

7.2 Type B: Event logger with exportable event log

7.2.1 Exported event logs must be subjected to the same integrity and security requirements as those of the original log during both transmission and storage.

7.2.2 Exported event log data must be securely transferred from the event logger in a device to the remote event logger retained in a permanent storage facility that is located in a secure and controlled environment.

7.2.3 Exporting must not result in erasure or loss of the information in the remote event log.

7.2.4 The exported event log must be retained for a period of at least 12 months after the date the device ceases to be used, and includes the remainder of any verification period for which the device is eligible or which is applied to the device.

7.2.5 The event log in a device must contain, as a minimum, the following information:

  (a) The date and time of the change in the all-numeric SI format (YYYY/MM/DD/HH/MM) or other formats in which the information is provided unambiguously, such as an abbreviation for the month.
  (b) A unique event number.
  (c) Identification of the parameter(s) being changed, and the new value(s).
  (d) Where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) version number of the previously installed software.
  (e) Identifier for the authorized user that caused the event.
  (f) A unique and secure hash value that can be used to link the event record(s) with the corresponding record(s) in the remote event log.

7.2.6 The remote event log must contain, as a minimum, the following information:

  (a) The date and time of the change in the all-numeric SI format (YYYY/MM/DD/HH/MM) or other formats in which the information is provided unambiguously, such as an abbreviation for the month.
  (b) The unique event number.
  (c) Identification of the parameter(s) being changed, and the new value(s).
  (d) Where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) version number of the previously installed software.
  (e) Identifier for the authorized user that caused the event.
  (f) The unique owner-assigned identifier for the device.
  (g) The unique and secure hash value that can be used to link the event record(s) with the corresponding record(s) in the event logger.

7.2.7 Where a verification triggering event has occurred, the device's verified status must be voided and the event logger must record this occurrence as an event.

7.2.8 The information described in clause 7.2.5 must be automatically entered in the event log in the device each time a legally relevant parameter is changed. The creation of the event log entry and the parameter change must occur successively.

7.2.9 The event number described in clause 7.2.5(b) must:

  (a) commence with zero or one with the first event logged and must increment by one for each subsequent event to a minimum of 32,768 (2^15) events before any event number is repeated;
  (b) increment once for each event or change to a legally relevant parameter (each new value must be retained in the event log); and
  (c) continue to increment to the maximum value of event capacity, although the event log may retain fewer records than the event count capacity identified in (a).

7.2.10 An event may include the reconfiguration of more than one parameter provided that all parameters changed during the event are changed successively and all changes are logged.

7.2.11 The event log contained in a device must have sufficient capacity to store the maximum number of changes which could be made in 100 events, even where more than one parameter change is treated as a single event.

7.2.12 Once the number of events stored in the event log contained in a device is within one event of capacity, it must not be possible to make further changes until a copy of the event log information has been exported.

7.2.13 Once a copy of the event log contained in a device has been exported, each new event must be recorded in a manner that results in the disappearance of the oldest event. This does not preclude the requirements of clause 7.2.12 and the device must be able to recognize that it is within the equivalent of one event of the capacity since the last export occurred.

7.2.14 A copy of the event log information must be available upon demand from the device or from an associated device on site (the enforcement official may accept an electronic file that is compatible with a relevant version of a Microsoft Windows-based operating system).

7.2.15 The information contained in the event log must be displayed or printed in order, from the most recent event to the oldest event. All the information for a single event must be displayed one line at one time or in readily understandable blocks of data.

7.2.16 Additional relevant information is permitted to be logged. However, in these instances, the device must be capable of displaying or printing both the complete log information record and a log information record that excludes information that is not directly related to changes to legally relevant parameters. Alternatively, a device may be equipped with two separate event logs or loggers.

7.2.17 Exporting may be accomplished automatically or semi-automatically but must in no case require human intervention beyond initiation of the process.

7.2.18 An event logger which is capable of having its event log information exported via a communication link must be designed and constructed so that if the communication link is not present, the requirements of clause 7.2.12 are met automatically.

7.2.19 Exporting must not result in erasure of the event log information. Where an event log has unused capacity at the time of event log export, new events must be recorded in the device in a manner that does not result in the disappearance of previously exported events until the device's event capacity has been reached.

7.2.20 It must not be possible to reprogram the device or export the event log without creating an entry in the event log and it must not be possible to create a false or unsubstantiated export-related event entry in the event log.

7.2.21 Where the device programming includes the capability of deferring and automatically executing changes to legally relevant parameters, the event logger must:

  (a) reserve adequate event log capacity to meet the requirements of clauses 7.2.12, 7.2.21(b) and 7.2.21(c);
  (b) generate an event log record at the time that the automatic program is armed; and
  (c) generate the required event log record at the time the change(s) is processed or the automatic program is deactivated or cancelled.
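The following Python model is an added illustration of how the Type B rules in clauses 7.2.9 to 7.2.20 (and the shared event-numbering rule of 7.1.4) interact: the 2^15 event-number cycle, the lock-out within one event of capacity until an export, the export itself being logged, the oldest record disappearing only once the device log is full, and the remote copy being append-only. It is not Measurement Canada's or any manufacturer's code; the record field names, the chained SHA-256 digest standing in for the "unique and secure hash value" of 7.2.5(f), the 100-event capacity and the user identifiers are assumptions.

```python
"""Model of the Type B (exportable) event logger rules in S-EG-06, clauses 7.2.9
to 7.2.20. Added illustration only: the record layout, the chained SHA-256 link
hash (standing in for the 'unique and secure hash value' of 7.2.5(f)) and the
capacity figure are assumptions, not any manufacturer's or Measurement Canada's design."""
import hashlib
from datetime import datetime, timezone

EVENT_NUMBER_MODULUS = 32768   # 7.2.9(a): at least 2^15 numbers before any repeat
DEVICE_CAPACITY = 100          # 7.2.11: device log sized for 100 events (assumed)
CHAIN_ANCHOR = "0" * 64        # constructed anchor for the first record's link hash


class DeviceLocked(Exception):
    """7.2.12: no further changes until the event log has been exported."""


def _link_hash(prev_hash, number, timestamp, user, changes):
    # 7.2.5(f): value linking the device record to its copy in the remote log.
    # Including prev_hash makes a removed or altered record break the chain.
    payload = f"{prev_hash}|{number}|{timestamp}|{user}|{sorted(changes.items())}"
    return hashlib.sha256(payload.encode()).hexdigest()


def verify_chain(records, anchor=CHAIN_ANCHOR):
    """Recheck an exported copy (7.2.1): False if any record was altered or dropped."""
    prev = anchor
    for r in records:
        if r["hash"] != _link_hash(prev, r["number"], r["time"], r["user"], r["changes"]):
            return False
        prev = r["hash"]
    return True


class EventLogger:
    def __init__(self, device_id, capacity=DEVICE_CAPACITY):
        self.device_id = device_id   # 7.2.6(f): owner-assigned identifier
        self.capacity = capacity
        self.records = []            # device-side log, oldest first
        self.next_number = 0         # 7.2.9(a): commence with zero or one
        self.unexported = 0          # events since the last export
        self.last_hash = CHAIN_ANCHOR

    def _append(self, user, changes, timestamp):
        number = self.next_number
        self.next_number = (number + 1) % EVENT_NUMBER_MODULUS  # 7.2.9(a),(c)
        rec = {"number": number, "time": timestamp, "user": user, "changes": changes,
               "device": self.device_id,
               "hash": _link_hash(self.last_hash, number, timestamp, user, changes)}
        self.last_hash = rec["hash"]
        self.records.append(rec)
        if len(self.records) > self.capacity:
            self.records.pop(0)      # 7.2.13/7.2.19: oldest disappears only when full
        self.unexported += 1
        return rec

    def change_parameters(self, user, changes, timestamp=None):
        """Log a change to legally relevant parameter(s); one event per call (7.2.10)."""
        # 7.2.12: within one event of capacity, refuse changes until exported.
        # The reserved slot lets the export event itself still be recorded (7.2.20).
        if self.unexported >= self.capacity - 1:
            raise DeviceLocked("export the event log before making further changes")
        if timestamp is None:        # 7.2.5(a): all-numeric SI format YYYY/MM/DD/HH/MM
            timestamp = datetime.now(timezone.utc).strftime("%Y/%m/%d/%H/%M")
        return self._append(user, changes, timestamp)   # 7.2.8: entry, then the change

    def export(self, user, remote, timestamp=None):
        """Copy the device log into the remote log (a list); the export is itself an event."""
        if timestamp is None:
            timestamp = datetime.now(timezone.utc).strftime("%Y/%m/%d/%H/%M")
        rec = self._append(user, {"EVENT_LOG_EXPORT": "remote"}, timestamp)  # 7.2.20
        known = {r["hash"] for r in remote}
        for r in self.records:       # 7.2.3/7.2.19: append only, erase nothing
            if r["hash"] not in known:
                remote.append(dict(r))
        self.unexported = 0          # 7.2.13: capacity now counted from this export
        return rec

    def view(self):
        """6.4.1/7.2.15: review copy, most recent event first; reading is not an event."""
        return list(reversed(self.records))
```

Because the link hash chains to the previous record, an enforcement official holding the remote copy can detect an altered or missing record with `verify_chain`, which is the check clause 7.2.1 implies for exported logs.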

8.0 Revisions

The purpose of revision 1 was to remove the requirement of 7.1.1(e)(ii), 7.2.5(d)(ii) and 7.2.6(d)(ii) to record the hash code of the previously installed software version.
