Services		CFTM		Approvals		Electricity		Volume
Sector Review		Authorized Service  Providers		Consumer Page		Natural Gas		Mass

1999-11-19 Principles for Event Loggers

PDF Version

Introduction

The event logger principles are an extension of the sealing principles which were finalized on July 15, 1999. These principles do not diminish, replace or supercede the original sealing principles in any way.

Based on consultation, Measurement Canada has determined that the event logger principles outlined here are reasonable and respect the obligations of our mandate as well as the viewpoint of industry as a whole.

The principles outlined in this document are being used as the basis for developing the metrological audit trail requirements which are also supported by the sealing principles.

The purpose of an event logger is to secure the integrity of metrologically sensitive adjustments and sealable parameters, while allowing changes to non-metrological features and functions. The role of the event logger is to store changes made to the device in memory so that a record of the device’s metrological integrity and functionality is available for the administration of applicable legislation and in case it becomes necessary to reconstruct the device’s programming over time in order to assist in the resolution of a complaint and/or dispute.

Principles for an Effective Event Logger

The following are the principles, and their underlying rationale, which must be satisfied by any event logging system.

The first two items above constitute the minimum information considered necessary to reconstruct a device’s attributes over time.

The third item above is required as a means of validating the continuity of the event log and of the device owner’s records. Gaps in the numbering would expose gaps in the records.

The fourth item above is valuable in providing information necessary for the administration of the legislation by indicating traceability of work performed on the device.

Additional information, intended to be of assistance in these objectives might also be included. On the other hand, too much additional information is not advantageous because it makes extraction of the critical information more difficult. See principle 2 below for more on this principle.

This principle prevents formats which force inspectors to sort through a lot of extraneous information (e.g., history logs, process alarms) to find the information they need. In practice, databases which include non-metrological information along with "events" are possible, provided they are capable of presenting the metrologically-important information for each device on its own and in correct numerical sequence.

The reason for a simultaneous (or very nearly so) change is to ensure that non-simultaneous changes will be recorded as individual events and not as one event.

In the case where the event log is within the device, the relative cost of memory in the past has placed limitations on the amount of data which could be stored locally. In situations where two-way communication is in place, the accessibility requirement could be satisfied by a remotely-located data base which can be read from the in-service location of the device. In addition to cost considerations, the latter architecture has the added advantage that all entries in the log can be accessible from the device.

This means that it shall not be possible to metrologically affect the characteristics of the device which are intended to be secured by the event logger without creating an entry in the event log, and it shall not be possible to create an entry in the event log without affecting the secured characteristics of the device. This requirement applies even during deliberate attempts to disable the protective systems. In addition, it implies that where the system uses communications links to satisfy this objective, it must be sufficiently intelligent to reject attempts to reprogram or create entries should the communications links not be functional.

This means that the storage medium shall be such that the data will not be affected by changes in ambient conditions, power outages, accidental or deliberate attempts to access, alter or tamper with it, and so on. This also means that the information which is entered into the event logger, or that is downloaded from it, shall be protected from erasure, loss, seizure, substitution, or modification.

This means that devices should be such that they will continue to operate satisfactorily, and can be verified, without access to communication links.

This means that devices should be such that the event logger can be examined at in service conditions, with inconsequential disruption to the customer, but does not limit testing to in service conditions only.

This means that, for the purposes and administration of the legislation, the recording of a verification triggering event shall have the same ramifications and consequences as the breaking of a physical seal.

In many cases, a device which employs an event logger will still require a physical seal to secure access to critical components, connections, firmware, hardware, etc. Where this function of a physical seal is performed by means of a record in the event log, the event logger will not require augmentation by a physical seal.

This requirement could be satisfied by an annunciator or some other simple flag.