S-EG-06—Specifications relating to event loggers for electricity and gas metering devices


Category: Electricity and gas
Specification: S-EG-06
Issue date: 2011-11-07
Effective date: 2011-11-07
Supersedes: IS-E-01


1.0 Purpose

The purpose of these specifications is to establish the design, construction, and performance requirements for the approval of event loggers for electricity and gas metering devices. These specifications address the information, format and integrity of both self-contained and exported event logs, and identify the conditions and circumstances in which an event logger may be approved to augment existing sealing requirements in metering devices approved as configurable devices.

2.0 Scope

2.1 These specifications apply to event loggers incorporated in electricity and gas metering devices and systems as governed by the Electricity and Gas Inspection Act and Regulations.

2.2 These specifications do not apply to any device which is not approved for use by Measurement Canada, unless the device forms part of a measurement system which includes an approved device and that system is being used for a purpose governed by the Electricity and Gas Inspection Act and Regulations.

2.3 These specifications do not apply to test standards, equipment or apparatus that is used to repair, calibrate, inspect or verify devices or systems.

3.0 Authorization

This specification is issued pursuant to section 12 of the Electricity and Gas Inspection Regulations (EGIR).

4.0 Terminology

Adjustment

A change in the value of any of a device's legally relevant parameters or adjustable features; includes the replacement or alteration of any component of a device that can have an effect on its metrological integrity.

Audit trail

An information record of changes to legally relevant parameters of a device.

Calibration parameter

Any adjustable parameter that can affect the measurement accuracy of a device.

Configurable device

A device which is designed such that the information received from its measurement inputs can be selected and/or processed in different ways to suit different measurement applications. A configurable device includes any device that has been approved to permit legally relevant parameters to be deleted, appended to, modified, or substituted in whole or in part directly by the authorized operator or by any type of communications link from another device, such as a geographically local or remote console or computer, whether or not the secondary apparatus is part of the network connecting the devices.

Configurable parameter

Any adjustable or selectable parameter for a device feature that can have an effect on the accuracy of a device or can significantly increase the potential for fraudulent use of the device and, based on its nature, may need to be updated on an ongoing basis, or only during device installation or upon replacement of a component.

Configuration

To make adjustments to legally relevant parameters.

Device

Includes a Measurement Canada approved meter, or a measurement system incorporating an approved meter(s).

Device specific parameter

Legally relevant parameter with a value that depends on the individual instrument. Device specific parameters comprise calibration parameters, metrological parameters and configuration parameters.

Disabling hardware

Sealable hardware, such as a switch or jumper, located on a configurable device, that enables or inhibits the capability to receive adjustment values or changes to legally relevant parameters from a remote source.

Event

An action in which one or more changes are made to a legally relevant parameter(s) and includes the actions of software updating and event log exporting.

Event log

A compilation of event records.

Event logger

A secure form of audit trail containing a series of records where each record contains a number corresponding to the occurrence of a specific event.

Exporting

The process of transferring a copy of the event log in an event logger residing within a device into a remote event logger.

Automatic

Exporting via a communication link whereby a copy of the event log within a device is made in a remote event logger. The export is initiated by either a time-driven or event-driven process and requires no operator intervention.

Semi-automatic

Exporting via a communication link whereby a copy of the event log within a device is made in a remote event logger. The export requires operator intervention only to initiate the process. All other aspects of the process shall progress and conclude without human intervention.

Legally relevant

Software, hardware, data or a part thereof which interferes with properties regulated by legal metrology.

Legally relevant parameter

Parameter of a measuring instrument, electronic device or a sub-assembly subject to legal control. Legally relevant parameters typically form part of the legally relevant functions performed by a device. The following types of legally relevant parameters can be distinguished: type-specific parameters and device-specific parameters. For the purposes of this specification, legally relevant parameters are those parameters which are, either individually or as part of a function, subject to verification under the Electricity and Gas Inspection Act.

Metrological adjustments

Any physical means or method that is designed, or intended to be used or that is used to alter and/or correct the measurement characteristics of a device or system. This includes altering or replacing the register, components, connections or working parts of a device and also includes the alteration of any required information that is available from the device or any output from the device.

Metrological parameter

Any constant, factor or algorithm used by a device to produce results for trade measurement purposes.

Physical seal

A physical mechanism that is used to secure access to a device's metrological adjustments or legally relevant parameters.

Reconfiguration

Changing the configuration of a configurable device.

Reprogramming

Includes event logger software updating and modifications originating from or performed by the event logger manufacturer or its representative as identified in the notice of approval.

Software updating

The act of modifying, updating or reinstalling a device's software.

Seal

A means to secure a device so that access or changes to metrological adjustments and legally relevant parameters will be detectable.

Signature (digital)

The result of applying the sender's private key (a signing operation, often loosely described as encryption with the private key) to a hash code generated by the sender's hash function. The receiver may require a cryptographic certificate for the sender in order to be confident of the authenticity of the sender's public key.

Type specific parameter

Legally relevant parameter with a value that depends on the type of device. Type-specific parameters have identical values for all specimens of an approved type and are fixed at type approval of the device.

Verification triggering event

Any event deemed by Measurement Canada to require a verification of the device before it is permitted to be used or continued for use in trade. The recording of a verification triggering event is analogous to breaking a physical seal and shall have the same ramifications and consequences as the breaking of a physical seal.

5.0 Legally relevant parameters

5.1 General conditions

5.1.1 Except as set out herein, a device shall be provided with security arrangements to prevent access to its internal working parts, adjustments, reprogramming and reconfiguration. Security arrangements shall not prevent the normal operation of the device, correct operation of any of the output mechanisms of the device, access to any of the information necessary to verify the device, or access via a communication port to data accumulated by the device.

5.1.2 Subject to the provisions of clauses 5.1.1 to 5.1.11, legally relevant parameters which can affect the measurement performance of a device, the accuracy of a transaction, or that can significantly increase the potential for misuse or fraudulent use, shall be secured.

5.1.3 All modifications to legally relevant device specific parameters (which form part of an approved function) are verification triggering events, unless the modification is a reconfiguration which results in the switching of one verified legally relevant parameter for another legally relevant parameter which has also been verified.

5.1.4 Where a configurable device includes a legally relevant function that has been specifically approved as a function intended to be utilized with variable parameters falling within an approved range, all discrete parameters which lie within the approved range are legally relevant and shall be considered as having been verified as part of a device's verification process.

5.1.5 The Notice of Approval for a configurable device shall specify:

  (a) the provisions authorized for the effective sealing and securing of the device; and
  (b) the device specific legally relevant parameters that are capable of being reconfigured without requiring device reverification.

5.1.6 Where the capability for software updating is recognized in a device's notice of approval, the security arrangements may be such that they do not prevent access to the means to update the device's software, as long as such updating complies with all applicable specifications and is recorded in an event logger meeting the requirements set out in this document. It shall be possible to readily determine whether or not a device has been metrologically compromised or has had its software updated since its last verification.

5.1.7 The programmed legally relevant parameters of a device shall reside in the device.

5.1.8 Any component that forms part of a measuring system and is connected by a signal-carrying wire or cable shall be terminated such that connecting or disconnecting it either breaks a physical seal or generates an event. The only exception is where an approval recognizes component interchangeability, and:

  (a) the exchange process is either approved or established by specification;
  (b) the interchangeability does not require alteration of other metrological adjustments or manual alteration of the legally relevant parameters of the device; and
  (c) the component interchange does not degrade the metrological performance of the device.

5.1.9 Modifications to legally relevant parameters that are type specific are not permissible.

5.1.10 Modifications to calibration parameters, parameters with a hardware dependency, and any parameter protected by a physical seal are verification triggering events.

5.1.11 Modifications to legally non-relevant parameters or unapproved parameters are not verification triggering events and are not required to be logged as an event in the event log.

5.2 Legally relevant type specific or device specific parameters

5.2.1 Calibration parameters

Calibration parameters include, but are not limited to, the following: electronic accuracy adjustors or any other type of accuracy adjustment parameter; voltage, current or other auxiliary sensor settings; zero, span and offset settings; and compensation factors.

5.2.2 Configuration parameters

Configuration parameters include, but are not limited to, the following: units of measurement (if not displayed or printed on the primary register) and adjustable or selectable parameters used to set up a device to suit specific measurement applications or service configurations, zero reading cutoff, and meter factor(s).

5.2.3 Metrological parameters

Metrological parameters include, but are not limited to, the following: measurement constants, factors, variables, equations and algorithms contained in or processed by legally relevant software.

Table A—Categories of devices and methods of sealing / securing legally relevant parameters

Category 1
  Device: No remote configuration capability, and the device either has no local configuration capability or access to the local configuration capability is precluded by a physical seal.
  Minimum method of sealing / securing: Access to the local configuration capability shall be precluded by a physical seal.

Category 2
  Device: Remote configuration capability, but access is controlled by physical hardware, and the device either has no local configuration capability or access to the local configuration capability is precluded by a physical seal.
  Minimum method of sealing / securing: The disabling hardware for access to the remote configuration capability shall be located at the device and shall be sealed, in the disabled mode, using a physical seal. Access to the local configuration capability shall be precluded by a physical seal.

Category 3
  Device: Configuration capability, but access is controlled by a software switch or alternate security means, as appropriate.
  Minimum method of sealing / securing: An event logger is required to secure the legally relevant parameters that are accessible through the configuration capabilities, and access to the configuration capability shall be controlled by an appropriate security provision.

6.0 Security

6.1 Categories of devices

6.1.1 Category 1 - A device that has no remote configuration capabilities for its legally relevant parameters shall be sealed as described in the appropriate section of Table A.

6.1.2 Category 2 - A device offering remote configuration capability which is disabled by physical hardware and the device either has no local configuration capability or access to the local configuration capability is precluded by physical hardware, shall be sealed as described in the appropriate section of Table A.

6.1.3 Category 3 - A device that has active local and/or remote configuration capability shall be sealed as described in the appropriate section of Table A.

6.2 Configuration

6.2.1 When a configurable device is being reconfigured, the reconfiguration action being undertaken shall be readily apparent to the operator and the device shall:

  (a) not indicate or record values; or
  (b) provide a clear and continuous indication that the device is in configuration mode; and
  (c) measure continuously and accurately using the existing values until the precise moment that new values are set in place, unless the device does not perform trade measurement functions when in configuration mode.

6.2.2 Where measurement indication or recording is suppressed during configuration, the configuration process shall be limited by a timeout. After a predetermined period of operator inactivity, the device shall automatically return to the operational mode. The predetermined period should be as brief as practicable.

6.3 Event log integrity

6.3.1 The event log shall be:

  (a) stored in non-volatile memory; and
  (b) protected from alteration, modification, replacement, substitution, corruption, deterioration and unauthorized erasure, seizure or deletion.

6.3.2 The event log data shall be encrypted or secured by the manufacturer to prevent manipulation of or unauthorized access to the data, other than in accordance with the requirements of these specifications. User access to the data shall not be permissible, other than for the purposes of review.

6.3.3 Where a device has been approved to perform traced software updates under Measurement Canada's Specifications for the Approval of Software Controlled Electricity and Gas Metering Devices, the integrity requirements of section 6.3.1 shall continue to be met. An event logger shall be designed such that the software update process is not capable of affecting any of the event log data that may be stored on the device.

6.4 Event log access

6.4.1 Access to the event log for the purpose of review:

  (a) shall be a distinct operation;
  (b) shall not affect the normal functioning of a device before, during, or after accessing the information;
  (c) shall not require the removal of any parts of a device and shall be accessible if a physical seal is in place; and
  (d) shall not be logged as an event.

6.4.2 An enforcement official shall have ready access to event log information for the purpose of printing or viewing its contents. The information shall be readily interpretable by the enforcement official.

7.0 Event loggers

7.1 Type A—Event logger with self-contained event log

7.1.1 The event log in a device shall contain, as a minimum, the following information:

  (a) the date and time of the change in the all-numeric SI format, i.e., YYYY/MM/DD/HH/MM, or another format in which the information is provided unambiguously, such as an abbreviation for the month;
  (b) a unique event number;
  (c) identification of the legally relevant parameter(s) being changed, and the new value(s);
  (d) an identifier for the authorized user that caused the event; and
  (e) where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) the software identification and hash code of the previously installed software version.

7.1.2 Where a verification triggering event has occurred, the device's verified status shall be voided and the event logger shall record the occurrence of the verification triggering event.

7.1.3 The information described in clause 7.1.1 shall be automatically entered in the event log in the device each time a legally relevant parameter is changed. The creation of the event log entry and the parameter change shall occur successively.

7.1.4 The event number described in clause 7.1.1 (b) shall:

  (a) commence with zero or one with the first event logged and shall increment by one for each subsequent event to a minimum of 32768 (2^15) events before any event number is repeated;
  (b) increment once for each event or change to a legally relevant parameter(s) (where each new value shall be retained in the event log); and
  (c) continue to increment to the maximum value of event capacity, although the event log may retain fewer records than the event count capacity identified in (a).

7.1.5 An event may include the reconfiguration of more than one parameter provided that all parameters changed during the event are changed successively and all changes are logged.

7.1.6 A copy of the event log information shall be available upon demand from the device or from an associated device on site. (The enforcement official may accept an electronic file that is compatible with a relevant version of a Microsoft Windows based operating system).

7.1.7 The event log information shall be displayed or printed in order, from the most recent event to the oldest event. The device or associated device shall be capable of displaying all the information for a single event on one line at one time or it shall display the information in readily understandable blocks of data.

7.1.8 The event log shall have a capacity equal to at least ten times the number of configurable parameters; however, not more than one thousand events are required to be retained for all parameters combined.

7.1.9 Once the number of events stored in the event log has reached the capacity of the event logger, it shall not be possible to make further changes unless the device is reverified as set out by Measurement Canada requirements.

7.1.10 Where a device is subject to reverification it shall be possible, through the breaking of a physical seal, to access the event logger's set-up for the purpose of allowing each new post-verification event to be recorded in a manner that results in the disappearance of the oldest event. This reconfiguration of the event logger shall be recorded as an event and does not preclude the requirements of clause 7.1.9, such that the device shall be capable of recognizing that it has reached its capacity since the occurrence of the last verification.

7.1.11 It shall not be possible to create a false or unsubstantiated entry in the event log and it shall not be possible to reprogram the device without creating an entry in the event log.

7.1.12 Where the device programming includes the capability of deferring and automatically executing changes to legally relevant parameters, the event logger shall:

  (a) reserve adequate event log capacity to meet the requirements of clauses 7.1.9, 7.1.12(b) and 7.1.12(c) or 7.1.12(d);
  (b) generate an event log record at the time that the automatic program is armed; and
  (c) generate the required event log record at the time the change(s) is processed; or
  (d) generate an event log record at the time that the automatic program is deactivated or cancelled.

7.1.13 Additional relevant information is permitted to be logged. However, in these instances, the device or associated device shall be capable of displaying or printing both the complete log information record and a log information record that excludes information that is not directly related to changes to legally relevant parameters. Alternatively, a device may be equipped with two separate event logs or loggers.
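Clauses 7.1.1 to 7.1.13 together describe a small state machine: an append-only log whose event number wraps only after at least 2^15 events, which refuses further changes once the capacity of clause 7.1.8 is reached, and which may overwrite its oldest record only after a reverification reached through a physical seal. The Python below is an added illustration of that behaviour; it is not code from the specification or from any approved meter. The parameter names, the treatment of `gain` as a calibration parameter (clause 5.1.10), the software image bytes, the user identifiers and the use of the host clock are assumptions for the example.

```python
"""Type A event logger with a self-contained event log, modelled on clauses 7.1.1 to 7.1.11."""
import hashlib
from datetime import datetime

EVENT_NUMBER_MODULUS = 2 ** 15   # 7.1.4(a): at least 32768 numbers before any repeats
MAX_REQUIRED_CAPACITY = 1000     # 7.1.8: no more than 1000 retained events are required


class LogFullError(RuntimeError):
    """7.1.9: further changes are refused until the device is reverified."""


class TypeALogger:
    # parameter names, the calibration set and the software tuple are assumed for the example
    def __init__(self, configurable, calibration, software, now=datetime.now):
        self.params = {**configurable, **calibration}
        self.calibration = set(calibration)          # 5.1.10: changes here void verification
        self.software = software                     # (identifier, installed image bytes)
        # 7.1.8: ten records per configurable parameter, capped at 1000
        self.capacity = min(10 * len(self.params), MAX_REQUIRED_CAPACITY)
        self.records = []                            # oldest first; display() reverses (7.1.7)
        self.next_number = 0                         # 7.1.4(a): commence with zero
        self.since_verification = 0                  # 7.1.10: capacity counted from last verification
        self.ring_mode = False                       # 7.1.10: enabled only after reverification
        self.verified = True
        self._now = now

    def _append(self, user, kind, detail):
        # 7.1.9 and 7.1.10: capacity since the last verification is a hard stop in both modes
        if self.since_verification >= self.capacity:
            raise LogFullError("event log at capacity; reverification required (7.1.9)")
        if len(self.records) >= self.capacity:
            if not self.ring_mode:
                raise LogFullError("event log full and not reconfigured for overwrite (7.1.10)")
            self.records.pop(0)                      # 7.1.10: the oldest event disappears
        record = {
            "number": self.next_number,                          # 7.1.1(b)
            "time": self._now().strftime("%Y/%m/%d/%H/%M"),      # 7.1.1(a)
            "user": user,                                        # 7.1.1(d)
            "kind": kind,
            **detail,
        }
        self.records.append(record)
        self.next_number = (self.next_number + 1) % EVENT_NUMBER_MODULUS   # 7.1.4(a)
        self.since_verification += 1
        return record

    def change(self, user, **new_values):
        """Reconfigure one or more legally relevant parameters as a single event (7.1.5)."""
        unknown = set(new_values) - set(self.params)
        if unknown:   # 5.1.11: parameters outside the approved set are not handled here
            raise KeyError(f"not a legally relevant parameter: {sorted(unknown)}")
        triggering = bool(set(new_values) & self.calibration)
        # 7.1.3: the log entry is written first; a refused entry means no value changes
        record = self._append(user, "change",
                              {"changes": dict(new_values), "verification_triggering": triggering})
        self.params.update(new_values)               # 7.1.1(c): the new values are what is logged
        if triggering:
            self.verified = False                    # 7.1.2
        return record

    def software_update(self, user, new_id, new_image):
        """7.1.1(e): log the successful update with the id and hash of the replaced software."""
        old_id, old_image = self.software
        record = self._append(user, "software_update", {
            "software_id": new_id,
            "previous_id": old_id,
            "previous_hash": hashlib.sha256(old_image).hexdigest(),
        })
        self.software = (new_id, new_image)
        return record

    def reverify(self, user, physical_seal_broken):
        """7.1.10: the logger set-up is reached only through a physical seal; reverification
        switches to overwrite-oldest mode and is itself logged as an event."""
        if not physical_seal_broken:
            raise PermissionError("logger set-up is behind a physical seal (7.1.10)")
        self.verified = True
        self.since_verification = 0
        self.ring_mode = True
        return self._append(user, "logger_reconfigured", {"mode": "overwrite_oldest"})

    def display(self):
        """7.1.7: newest event first, all information for one event on one line (never logged, 6.4.1(d))."""
        lines = []
        for r in reversed(self.records):
            detail = {k: v for k, v in r.items() if k not in ("number", "time", "user", "kind")}
            lines.append(f"{r['number']:05d} {r['time']} {r['user']} {r['kind']} {detail}")
        return lines
```

The capacity check in `_append` runs before anything else, so a refused change leaves both the log and the parameter untouched (clause 7.1.3). `reverify` resets only `since_verification`, not the retained records, so a device in overwrite mode still stops after `capacity` post-verification events, which is the second half of clause 7.1.10.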

7.2 Type B—Event logger with exportable event log

7.2.1 Exported event logs shall be subject to the same integrity and security requirements as those of the original log, during both transmission and storage.

7.2.2 Exported event log data shall be securely transferred from the event logger in a device to the remote event logger retained in a permanent storage facility that is located in a secure and controlled environment.

7.2.3 Exporting shall not result in erasure, or loss of the information in the remote event log.

7.2.4 The exported event log shall be retained for a period of at least 12 months after the date the device ceases to be used, which period includes the remainder of any verification period for which the device is eligible or which is applied to the device.

7.2.5 The event log in a device shall contain, as a minimum, the following information:

  (a) the date and time of the change in the all-numeric SI format, i.e., YYYY/MM/DD/HH/MM, or another format in which the information is provided unambiguously, such as an abbreviation for the month;
  (b) a unique event number;
  (c) identification of the parameter(s) being changed, and the new value(s);
  (d) where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) the software identification and hash code of the previously installed software version;
  (e) an identifier for the authorized user that caused the event; and
  (f) a unique and secure hash value that can be used to link the event record(s) with the corresponding record(s) in the remote event log.

7.2.6 The remote event log shall contain, as a minimum, the following information:

  (a) the date and time of the change in the all-numeric SI format, i.e., YYYY/MM/DD/HH/MM, or another format in which the information is provided unambiguously, such as an abbreviation for the month;
  (b) the unique event number;
  (c) identification of the parameter(s) being changed, and the new value(s);
  (d) where a device is approved for software updates:
    (i) a record of the successful software update;
    (ii) the software identification and hash code of the previously installed software version;
  (e) an identifier for the authorized user that caused the event;
  (f) the unique owner-assigned identifier for the device; and
  (g) the unique and secure hash value that can be used to link the event record(s) with the corresponding record(s) in the event logger.

7.2.7 Where a verification triggering event has occurred, the device's verified status shall be voided and the event logger shall record this occurrence as an event.

7.2.8 The information described in clause 7.2.5 shall be automatically entered in the event log in the device each time a legally relevant parameter is changed. The creation of the event log entry and the parameter change shall occur successively.

7.2.9 The event number described in clause 7.2.5 (b) shall:

  (a) commence with zero or one with the first event logged and shall increment by one for each subsequent event to a minimum of 32768 (2^15) events before any event number is repeated;
  (b) increment once for each event or change to a legally relevant parameter (each new value shall be retained in the event log); and
  (c) continue to increment to the maximum value of event capacity, although the event log may retain fewer records than the event count capacity identified in (a).

7.2.10 An event may include the reconfiguration of more than one parameter provided that all parameters changed during the event are changed successively and all changes are logged.

7.2.11 The event log contained in a device shall have sufficient capacity to store the maximum number of changes which could be made in 100 events, even where more than one parameter change is treated as a single event.

7.2.12 Once the number of events stored in the event log contained in a device is within one event of capacity, it shall not be possible to make further changes until a copy of the event log information has been exported.

7.2.13 Once a copy of the event log contained in a device has been exported, each new event shall be recorded in a manner that results in the disappearance of the oldest event. This does not preclude the requirements of clause 7.2.12 and the device shall be able to recognize that it is within the equivalent of one event of the capacity since the last export occurred.

7.2.14 A copy of the event log information shall be available upon demand from the device or from an associated device on site. (The enforcement official may accept an electronic file that is compatible with a relevant version of a Microsoft Windows based operating system).

7.2.15 The information contained in the event log shall be displayed or printed in order, from the most recent event to the oldest event. All the information for a single event shall be displayed one line at one time, or in readily understandable blocks of data.

7.2.16 Additional relevant information is permitted to be logged. However, in these instances, the device shall be capable of displaying or printing both the complete log information record and a log information record that excludes information that is not directly related to changes to legally relevant parameters. Alternatively, a device may be equipped with two separate event logs or loggers.

7.2.17 Exporting may be accomplished automatically or semi-automatically but shall in no case require human intervention beyond initiation of the process.

7.2.18 An event logger which is capable of having its event log information exported via a communication link shall be designed and constructed so that if the communication link is not present, the requirements of clause 7.2.12 are met automatically.

7.2.19 Exporting shall not result in erasure of the event log information. Where an event log has unused capacity at the time of event log export, new events shall be recorded in the device in a manner that does not result in the disappearance of previously exported events until the device's event capacity has been reached.

7.2.20 It shall not be possible to reprogram the device or export the event log without creating an entry in the event log and it shall not be possible to create a false or unsubstantiated export related event entry in the event log.

7.2.21 Where the device programming includes the capability of deferring and automatically executing changes to legally relevant parameters, the event logger shall:

  (a) reserve adequate event log capacity to meet the requirements of clauses 7.2.12, 7.2.21(b) and 7.2.21(c) or 7.2.21(d);
  (b) generate an event log record at the time that the automatic program is armed; and
  (c) generate the required event log record at the time the change(s) is processed; or
  (d) generate an event log record at the time that the automatic program is deactivated or cancelled.
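Clause 6.3.1 requires the log to be protected from alteration, clauses 7.2.5 and 7.2.6 require a secure hash value linking each device record to its copy in the remote log, and clauses 7.2.12, 7.2.13, 7.2.18, 7.2.19 and 7.2.20 fix when a device must stop accepting changes until an export succeeds. One way to satisfy all of these with a single mechanism is a hash chain: each record carries a link value computed over the previous record's link value and the record's own content, so the remote log can check continuity on receipt and an enforcement official can check that the records still held on the device continue the archived chain. The Python below is an added illustration serving both the section 6.3 integrity requirements and the Type B export rules; it is not code from the specification or from any approved device or utility system. SHA-256 over a canonical JSON encoding, an all-zero chain start, a capacity of exactly the 100 events of clause 7.2.11, the device identifier format and the in-process `RemoteEventLog` are assumptions for the example.

```python
"""Type B event logger with an exportable, hash-linked event log (clauses 7.2.5 to 7.2.20)."""
import hashlib
import json

CAPACITY = 100                   # 7.2.11: room for the changes of 100 events (assumed exact)
EVENT_NUMBER_MODULUS = 2 ** 15   # 7.2.9(a)
GENESIS = "0" * 64               # assumed start-of-chain link value


def link_hash(previous_hash, body):
    """7.2.5(f): link value tying a record to its predecessor and to the remote copy (assumed SHA-256)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + canonical).encode()).hexdigest()


def verify_chain(records, start_hash=GENESIS):
    """Recompute every link (6.3.1(b), 7.2.1); returns the last link value or raises ValueError."""
    running = start_hash
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["hash"] != link_hash(running, body):
            raise ValueError(f"event {rec['number']} does not match its link value")
        running = rec["hash"]
    return running


class ExportRequiredError(RuntimeError):
    """7.2.12 / 7.2.18: within one event of capacity; changes wait for a successful export."""


class TypeBDeviceLog:
    def __init__(self, params, clock):
        self.params = dict(params)       # legally relevant parameters (names assumed)
        self.records = []                # oldest first; display() reverses (7.2.15)
        self.exported = set()            # link values already held by the remote log
        self.last_hash = GENESIS
        self.next_number = 0
        self._clock = clock              # returns the 7.2.5(a) timestamp string

    def unexported(self):
        """Events recorded since the last successful export."""
        return sum(1 for r in self.records if r["hash"] not in self.exported)

    def _append(self, user, kind, detail, is_export=False):
        # 7.2.12: a change needs room for itself and for the export event that must follow;
        # the export event itself may take the last free slot (7.2.20).
        if CAPACITY - self.unexported() < (1 if is_export else 2):
            raise ExportRequiredError("within one event of capacity; export first (7.2.12)")
        if len(self.records) >= CAPACITY:
            oldest = self.records[0]
            if oldest["hash"] not in self.exported:     # 7.2.19: only exported records may go
                raise ExportRequiredError("oldest record has not been exported (7.2.19)")
            self.records.pop(0)                         # 7.2.13: the oldest event disappears
            self.exported.discard(oldest["hash"])
        body = {"number": self.next_number, "time": self._clock(),
                "user": user, "kind": kind, **detail}
        record = {**body, "hash": link_hash(self.last_hash, body)}
        self.records.append(record)
        self.last_hash = record["hash"]
        self.next_number = (self.next_number + 1) % EVENT_NUMBER_MODULUS   # 7.2.9(a)
        return record

    def change(self, user, **new_values):
        """One event covering one or more parameter changes (7.2.8, 7.2.10)."""
        record = self._append(user, "change", {"changes": dict(new_values)})
        self.params.update(new_values)                  # entry first, then the change (7.2.8)
        return record

    def export(self, device_id, remote):
        """Automatic or semi-automatic export (7.2.17); the export is itself an event (7.2.20)."""
        if remote is None:                              # 7.2.18: no link, so 7.2.12 stays in force
            raise ExportRequiredError("no communication link; export not possible (7.2.18)")
        self._append("system", "export", {"device": device_id}, is_export=True)
        batch = [r for r in self.records if r["hash"] not in self.exported]
        accepted = remote.receive(device_id, batch)     # remote verifies before storing
        self.exported.update(r["hash"] for r in batch)  # 7.2.19: nothing is erased on export
        return accepted

    def display(self):
        """7.2.15: newest first, all information for one event on one line."""
        return [f"{r['number']:05d} {r['time']} {r['user']} {r['kind']} {r['hash'][:12]}"
                for r in reversed(self.records)]


class RemoteEventLog:
    """Append-only storage keyed by the owner-assigned device identifier (7.2.2, 7.2.3, 7.2.6(f))."""

    def __init__(self):
        self.store = {}

    def receive(self, device_id, batch):
        held = self.store.setdefault(device_id, [])
        start = held[-1]["hash"] if held else GENESIS
        verify_chain(batch, start)                      # a gap or a value altered in transit rejects the batch
        held.extend(json.loads(json.dumps(r)) for r in batch)   # deep copies, never removed (7.2.3)
        return len(batch)
```

The device never discards a record the remote log has not acknowledged, and a batch that fails verification (a gap, or a value altered in transit) is rejected whole, which leaves the export event logged but unexported and the device still blocked. Transport protection and authentication of the device to the remote log, which clause 7.2.1 calls for, are outside what this example models.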

Alan E. Johnston
President
