Software Guide (Measuring Instruments Directive 2004
Contents
1. Requirement MID No __ Denotation Article Annex No Denotation Al Annex l A Al 6 Reliability 13 2 Back up Facilities MI 001 7 1 MI 002 3 1 Specific Requirements for Utility 14 2 MI 003 4 3 1 MI 004 4 Meters Hy Wake up Facilities and Re Dieartued 13 3 stotin p MI 001 7 1 MI 002 3 1 Specific Requirements for Utility a 9 MI 003 4 3 1 MI 004 4 Meters 11 4 12 4 Sarin hasta Specific Requirements for Utility 13 4 Internal Resolution MI 002 5 3 MI 003 5 2 Meters 14 4 11 5 Inhibit resetting of cumulative Al 8 5 Protection against corruption 2 5 measurement values 13 5 14 5 11 6 Indication for the customer Al 7 2 Suitability 12 6 Al 10 5 Indication of result 13 6 14 6 12 7 Acc Sol for monitoring of MI 002 5 2 Specific Requirements for Gas battery lifetime Meters 12 8 Acc Sol for monitoring of MI 002 9 1 Specific Requirements for Gas gas volume converters Meters 12 9 Test element MI 002 5 5 Specific Requirements for Gas Meters l6 1 Fault detection MI 006 IV MI O06 V Discontinuous and continuous Totalisers 16 2 Back up facilities MI 006 IV MI 006 V Discontinuous and continuous Totalisers 13 2 Interpretation of MID Articles and Annexes by MID Software Requirements Software Mp Guide Article Annex No Denotation Comment Pi M o Al Annex l Article Part 1 2 3 No specific software relevance 4 b Definitions Arrange Transmission of lega2. Requirement block P2 Requirement block U2 Software requirements for IT configurations Requirements for long term storage of legally relevant data Extension L Requirements for software separation Extension S Requirements for download of legally relevant software Requirements for transmission of legally relevant data Extension T Extension D Requirement block L1 Requirement block L2 Requirement block T1 Requirement block T2 Requirement block S1 Requirement block D1 Requirement block S2 Requirement block D2 Instrument specific software requirements Water meters Electricity meters Liquid meters Gas meters Heat meters Weighing Instr Requirement block 15 1 Requirement block 13 1 Requirement block 11 1 Requirement block I6 1 Requirement block 14 1 Requirement block 12 1 Figure 3 2 Overview of requirement sets 11 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 In addition to the structure described the requirements of th
3. Note It is assumed that the voltage level interrupt has a high interrupt priority and can dominate any normal processing or any arbitrary endless loop i e the program control always jumps to the interrupt routine if the voltage drops 10 7 4 Examples of legally relevant functions and data In the following some typical parameters of taximeters are given Parameter Protected Settable Comment k factor x Impulses per km Tariffs X x Currency Unit km Currency Unit h Interface parameters x Baud rate etc 10 7 5 Other aspects It is recommended that the Automotive Directive is revised or any other regulation is made to give requirements for the distance signal generators of vehicles used as taxi A preliminary proposal reads For vehicles intended to be used as taxi the following requirements apply 1 The distance signal generator shall give a signal with a resolution of at least 2m 2 The distance signal generator shall give a stable signal at every speed travelled 3 The distance signal generator shall have defined characteristics regarding voltage level pulse width and the relation of speed and frequency 4 Testability 95 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 7 6 Assignment of risk class For the present according to the result of the WELMEC WG7 questionnaire 2004 and subject to future decisions of the responsible WELMEC Working Group the fol lowing risk class should
4. WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Solution a Random password generated automatically known to nobody Change of the legally relevant configuration only possible by performing a new operating system set up Solution b Password chosen by the authorised person and hidden and sealed in a envelope or in at the housing e Circumvention of the protection means of the operating system by direct writing to mass storages or physical replacement is prohibited by sealing Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance required for risk classes B and C Checks based on the source code e Check communication with the additional securing hardware Check that changes of programs or data are detected and program execution stops in this case Risk Class B Risk Class C Risk Class D U7 Parameter protection Legally relevant parameters shall be secured against unauthorised modification Specifying Notes 1 Type specific parameters are identical for each specimen of the type and are in general part of the program code i e part of the legally relevant software Therefore requirement U6 applies to them 2 Device specific parameters e Secured parameters may be changed using an on board keypad or switches or via interfaces but onl
5. Amendment in Requirement L8 Specifying Note 1 Addition of an explanation to Requirement S1 Specifying Note 1 Replacement of Requirement D5 by a remark Change of the Risk Class for Measuring Systems for Liquids other than Water Change of Risk Classes for Weighing Instruments Various minor editorial changes in the document Addition of this revision table March 2008 Addition of exceptions for the indication of the software identifica tion new requirements 11 5 12 9 13 6 14 5 and 15 1 May 2009 Restriction of the application area of software download clarifica tion of identification requirements in connection with software download Revision of requirements P2 and U2 Deletion of void text frag ments May 2011 Revision of chapter 5 part U Advancement with respect to oper ating systems Replacement of the term component by other appropriate terms through the guide to avoid misunderstandings Addition of requirement D1 in section 9 2 by introduction of a sealable setting for the download mechanism 118 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Refinement of the specifying notes of requirements P2 and U2 in section 4 2 and 5 2 respectively with regard to software identifi cation Extension of examples of acceptable solutions in requirement L2 section 6 2 and in requirement U8 section 5 2 Table 15 1 Revision history 119 WELMEC WG7 16
6. documentation and through functional tests Example of an Acceptable Solution 1 Authenticity For integrity reasons see D3 an electronic signature is generated over the software part to be downloaded Authenticity is guaranteed if a key stored in the fixed software part of the instrument confirms that the signature originates from the manufacturer Key matching shall be done automatically 2 NB The key is stored in the fixed software part before initial verification 3 Correct type of measuring instrument Checking the instrument type requires automatically matching an identification of instrument type that is stored in the fixed software part of the instrument with a compatibility list attached to the lems ON oN Ne RN le Sere a eg ten a emule ae Ot oe Reena eT eee 4 NB Approval 4 NB Approval If authenticity is guaranteed through the use of To check that software has been genuinely the manufacturer s key then NB approval may be approved one solution is that all assumed downloaded approved software contains the responsible authority s signature The responsible authority s public key is stored in the measuring instrument and is used to automatically check the signature attached to the software It can be visualised at the instrument for comparison with the key published by the responsible authority 58 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Additions for Risk Class E Required Documeniation
7. The documentation shall contain a operating system e g administrator user Measuring protocol that shows the tests of all Task Assignment of permissions granted to these roles commands e Documentation of remote control of the functions of the operating system e g started services and means for protection e g configuration of a firewall Validation Guidance Validation Guidance in addition to the Checks based on documentation guidance for risk classes B and C e Judge that documented commands are admissible i e Checks based on documentation that they have an allowed impact on the measuring Check whether the measures taken functions and relevant data or none at all and test protocols are appropriate for e Check that manufacturer has supplied an explicit the high protection level declaration of completeness of the command documentation e Check the measures to secure the operating system Functional checks e Carry out practical tests spot checks with both documented and undocumented commands Test all menu items if any Acceptable Solution e A module in the legally relevant software filters out inadmissible commands Only this module receives commands and there is no circumvention of it Any false input is blocked The user is controlled or guided when inputting commands by a special software module This guiding module is inextricably linked with the module that filters o
8. e g a CRC checksum generated exclusively over the fixed part of the executable code and one for the rest e g a version number the whole software has to be defined as fixed and be identifiable by a checksum 24 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Validation Guidance Validation Guidance in addition Checks based on documentation to the documentation required for ie are risk classes B and C e Examine description of the generation and visualisation of the software identification Checks based on documentation e Check whether all legally relevant software is clearly identified Check whether the measures and described so that it should be clear to both Notified Body taken to protect from and manufacturer which software functions are covered by the falsification are appropriate software identification and which are not e Check whether a nominal value of the identification version number or functional checksum is supplied by the manufacturer This must be quoted in the test certificate Functional checks e Check whether the software identification can be visualised as described in the documentation e Check whether the presented identification is correct Example of an Acceptable Solution e The identification of legally relevant software comprises two parts Part A hast to be changed if changes to the software require a new examination Part B indicates only minor changes to
9. f An overview of the parts of the operating system used security aspects of the operating system utilised e g protection user accounts privileges etc g The operating manual S Risk Class B U2 Software identification The legally relevant software shall be clearly identified An identification of the software shall be inextricably linked to the software itself It shall be determined and presented on command or during operation Pa Notes Identification excludes low level drivers e g video drivers printer drivers disk drivers etc but it 2 Risk Class C Risk Class D E Notes Restriction of 1B Low level drivers that are defined as relevant at type examination shall be identified Additional to 2 risk class B Each change to legally relevant does include drivers specially programmed for a specific legally relevant task Changes to metrologically relevant software require information of the NB The NB decides whether a new unique software identification program code defined as fixed at type examination or changes of type specific parameters require a new soft ware identification If not the whole legally relevant software is defined as fixed there might be an additional part that is treated like in B even for risk class C However if it is technically not possi ble to realise one software identification for the fixed part is necessary or not A new software identification i
10. first n SE Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B C and D Source code that realises storing of data Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code eCheck whether measures taken for storing are appropriate and correctly implemented 42 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 7 Extension T Transmission of Measurement Data via Communication Networks This is an extension to the software requirements of the basic guides P and U It must be used only if measurement data are transmitted via communication networks to a distant device where they are further processed and or used for legally regulated purposes This extension does not apply if there is no subsequent legally relevant data processing If software is downloaded to a device subject to legal control the requirements of Extension D apply 7 1 Technical description The set of requirements of this extension applies only if the device under consideration is connected to a network and transmits or receives measurement data that are legally relevant In the following table three network configurations are identified The simplest is an array of devices that are all subject to legal control The participants are fixed at legal verification A variant to this closed network partly under legal control is
11. 128 160 bits EC 37 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code that realises the integrity of stored data Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for guaranteeing integrity are appropriate and correctly implemented Risk Class B Risk Class C Risk Class D L4 Authenticity of measurement data stored The measurement data stored must be capable of being authentically traced back to the measurement that generated them Specifying Notes 1 The authenticity of measurement data may be needed for reference at a later date e g for checking invoices 2 Authenticity requires the correct assignment linking of measurement data to the measurement that has generated the data 3 Authenticity presupposes an identification of data sets 4 Ensuring authenticity does not necessarily require an encryption of the data Required Documentation Required Documentation in addition to Description of the method used for ensuring the authenticity the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Validation Guidance in addition to the Checks based on documentation guidance for risk classe
12. Heat meters Risk Class B Risk Class C Risk Class D 14 1 Fault Recovery The software shall recover from a disturbance to normal processing Specifying Notes Date stamped flags should be raised to help log periods of faulty operation Required Documentation A brief description of the fault recovery mechanism and when it is invoked Validation Guidance Checks based on documentation e Check whether the realisation of fault recovery is appropriate Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution A hardware watchdog is reset by a cyclically processed microprocessor subroutine in order to inhibit the firing of the watchdog If any function has not been processed or in the worst case the micro processor hangs in an arbitrary endless loop the reset of the watchdog doesn t happen and it fires after a certain time span Risk Class B Risk Class C Risk Class D 14 2 Back up Facilities There shall be a facility that provides for periodic back up of legally relevant data such as measure ment values and the current status of the process in case of a disturbance This data shall be stored in a non volatile storage Specifying Notes The storage intervals must be sufficiently small so that the discrepancy between the current and sa
13. Influence via communication Al 7 1 Suitability Interface Al 8 1 Protection against corruption P5 Protection Against Accidental Al 7 1 Al 7 2 Suitability or Unintentional Changes Al 8 4 Protection against corruption P6 Protection Against Intentional Al 7 1 Suitability Changes Al 8 2 Al 8 3 Al 8 4 Protection against corruption P7 Parameter Protection Al 7 1 Suitability Al 8 2 Al 8 3 Al 8 4 Protection against corruption Basic Guide U U1 Manufacturers Documenta Al 9 3 Information to be borne by and to tion accompany the instrument Al 12 Conformity Evaluation Article 10 Technical Documentation U2 Software Identification Al 7 6 Suitability Al 8 3 Protection against corruption U3 Influence via user interfaces Al 7 1 Suitabilit U4 Influence via Communication Al 7 1 Suitability Interface Al 8 1 Protection against corruption U5 Protection against accidental Al 7 1 Al 7 2 Suitability or unintentional changes Al 8 4 Protection against corruption U6 _ Protection against Intentional Al 7 1 Suitability Changes Al 8 2 Al 8 3 Al 8 4 Protection against corruption U7 Parameter Protection Al 7 1 Suitability Al 8 2 Al 8 3 Al 8 4 Protection against corruption U8 Software authenticity and Al 7 1 Al 7 2 Al 7 6 Suitability Presentation of Results Al 8 3 Protection against corruption Al 10 2 Al 10 3 Al 10 4 Indication of result U9 ___ Influence of other software Al 7 6 Suitability Extension L L1 Completeness of st
14. Latest information relating to the Guides and the work of WELMEC Working Group 7 is available on the web site http www welmecwg 7 ptb de WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 2 Terminology The terminology explained in this section describes the vocabulary as used in this guide References to a standard or to any other source are given if the definition is completely or in essential parts taken from it Acceptable solution A design or a principle of a software module or hardware unit or of a feature that is considered to comply with a particular requirement An acceptable solution provides an example of how a particular requirement may be met It does not prejudice any other solution that also meets the requirement Audit trail A software counter e g event counter and or information record e g event logger of the changes to legally relevant software or parameter Authentication Verification of the declared or alleged identity of a user process or device Basic configuration Design of the measuring instrument with respect to the basic architecture There are two different basic configurations built for purpose measuring instruments and measuring instruments using a universal computer The terms are accordingly applicable to sub assemblies Built for purpose measuring instrument type P A measuring instrument designed and built specially for the task in hand Accordingly the entire application software
15. Legally relevant software cannot be started if code is falsified Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution e Program code and data may be protected by means of checksums The program is calculating its own checksum and compares is with a desired value that is hidden in the executable code If the self check fails the program is blocked e Any signature algorithm should have a key length of at least 2 bytes a CRC 16 checksum with a secret initial vector hidden in the executable code would be satisfactory See also Extensions L and T The unauthorised manipulation of legally relevant software may be controlled by the access control or privacy protection attributes of the operating system The administration level of these systems shall be secured by sealing or equivalent means e The access to the administrator account is a blocked for everyone or b only granted to authorised persons as regulated by the national market surveillance laws Example of an Solution e Program code may be secured by storing the legally relevant software in a dedicated plug in unit which is sealed The plug in unit may include for example a read only memory and a microcontroller Acceptable 30
16. OIML recommendations and standards have not been taken into consideration 10 4 2 Technical description 10 4 2 1 Hardware Configuration Heat meters are typically realised as built for purpose devices Type P in this document A heat meter is either a complete instrument or a combined instrument consisting of the sub assemblies flow sensor temperature sensor pair and calculator as defined in MID Article 4 b or a combination thereof 10 4 2 2 Software Configuration This is specific to each manufacturer but would normally be expected to follow the recommendations given in the main body of this guide 10 4 2 3 Measuring Principle Heat meters continually cumulate the energy consumed in a heating circuit The cumulated thermal energy is displayed at the instrument Various principles are employed The energy measurement may not be repeated 10 4 2 4 Fault Detection and Reaction The requirement MI 004 4 1 and 4 2 deal with electromagnetic disturbances There is a need to interpret these requirements for software controlled instruments because detection of a disturbance and recovery is only possible by co operation of specific hardware parts and specific software From the software point of view it makes no difference what the reason for a disturbance was electromagnetic electrical mechanical etc the recovery procedures are all the same 82 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 4 3 Specific software requirements
17. WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D L8 Storage capacity and continuity Specifying Notes 1 When a storage is full or removed disconnected from the instrument a warning shall be given to the operator A warning is not necessary if it is assured by construction that only outdated data can be overwritten For further necessary actions refer to the measuring instrument specific requirements Extension l 2 The regulation concerning the minimum period for storing measurement data is beyond the scope of this requirement and is left to national regulations It is the responsibility of the owner to have an instrument with sufficient storage capacity to fulfil the requirements applicable to his activity The notified body for EC type examination will check only that the data are stored and retrieved correctly and whether new transactions are inhibited when the storage is full 3 It is also beyond the scope of this requirement to require certain inscriptions on the device as concerning the capacity of the storage the capacity or other accompanying information that allow calculating the capacity However the manufacturer shall make available the information on the capacity Required Documentation Description of management of exceptional cases when storing measurement values Validation Guidance Checks based on documentation e Check that the capacity of storage or a formula for ca
18. records to be retained A parameter determining the number of days before measurement data can be deleted may be set and secured at initial verification according to the user s needs and data storage size The instrument shall stop if the memory is full and all the records are not old enough to be over written Manual deletion with prior authorisation may be performed in that case In cases where an in terruption of measurement is problematic e g utility meters the storage size must be sufficient to avoid an interruption due to insufficient memory space Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B C and D Source code that realises the protection of stored data Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code eCheck whether measures taken for protecting stored date are appropriate and correctly implemented 36 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D L3 Integrity of data The measurement data stored must be protected against intentional changes tance Notes This requirement applies to all types of storages except integrated storages 2 The protection must apply against intentional changes carried out by simple common software tools 3 Simple common software tools are understood as tools which
19. 1 to ss MI 001 6 No specific software relevance me Fault detection o Fea aA i ImMU Back up facilities 11 1 to 11 3 Pe y Wake up facilities and restoring MI 001 7 1 3 to No specific software relevance MI 001 9 Annex MI 002 MI 002 1 to oT MI 002 2 No specific software relevance Electromagnetic immu Fault deretan MI 002 3 1 hit Back up facilities 12 1 to 12 3 y Wake up facilities and restoring MI 002 3 1 3 A to MI 002 5 1 No specific software relevance MI 002 5 2 Suitability a u solution for monitoring battery 57 MI 002 5 3 Suitability Internal resolution 12 4 MI 002 5 4 to ia MI 002 8 No specific software relevance MI 002 5 5 Suitability Test element 12 9 MI 002 5 6 to ia MI 002 8 No specific software relevance Volume conversion fete MI 002 9 1 devices Acceptable solution for monitoring the gas 12 8 EAAS volume converter Suitability MI 002 9 2 to ia MI 002 10 No specific software relevance Annex MI 003 MI 003 1 to A MI 003 4 2 No specific software relevance Permissible effect of Fault detection MI 003 4 3 transient electromag Back up facilities 13 1 to 13 3 netic phenomena Wake up facilities and restoring 116 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 MI 003 5 1 No specific software relevance Software ae Guide Article Annex No Denotation Comment eens o Al Annex Annex MI 004 MI 003 5 2 Suitability Internal resolution 13 4 MI 003 5 3 to
20. 2 3 Measuring Principle Active electrical energy meters continually cumulate the energy consumed in a circuit The cumulative energy value is displayed at the instrument Various transducer and multiplier principles are employed The energy measurement may not be repeated 10 3 2 4 Fault Detection and Reaction The requirement MI 003 4 3 1 deals with electromagnetic disturbances There is a need to interpret this requirement for software controlled instruments because detection of a disturbance and recovery is only possible by co operation of specific hardware parts and specific software From the software point of view it makes on the other hand no difference what the reason of a disturbance was electromagnetic electrical mechanical etc the recovery procedures are all the same 76 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 3 3 Specific software requirements Active electrical energy meters Risk Class B Risk Class C Risk Class D 13 1 Fault Recovery The software shall recover from a disturbance to normal processing Specifying Notes Required Documentation A brief description of the fault recovery mechanism and when it is invoked Brief description of the related tests carried out by the manufacturer Validation Guidance Checks based on documentation e Check whether the realisation of fault recovery is appropriate Functional checks e None additional to those completed during type exa
21. 3 If downloaded software fails any of the above tests see D1 4 If a manufacturer intends to change or update the legally relevant software he shall announce the intended changes to the responsible notified body The notified body decides whether an addition to the existing TEC is necessary or not For software download it is indispensable that there is a software identification which is unambiguously assigned to the approved software version Required Documentation Required Documentation in addition to The documentation should describe the documentation required for risk e How authenticity of the software identification is classes B and C guaranteed The realisation of authentication shall be e How the authenticity of NB approval is guaranteed shown by the documentation e How it is guaranteed that the downloaded software is approved for the type of measuring instrument to which it has been downloaded Validation Guidance Validation Guidance in addition to the Checks based on documentation and functional checks guidance for risk classes B and C e Check the documentation how a download of Checks based on documentation fraudulent software is prevented e Check whether the measures taken e Check through functional tests that a download of are appropriate with respect to the fraudulent software is prevented required state of the art for a high Ensure the authentication check of software according to protection level
22. B The instrument does not have any interface to communicate the software identification C After production of the instrument a change of the software is not possible or only possible if also the hardware or a hardware part is changed Specifying notes The tag showing the software identification must be non erasable and non transferable The manufacturer of the hardware or the concerned hardware cempenent is responsible that the software identification is correctly marked on the concerned hardware e All other Specifying Notes of P2 U2 apply Required Documentation e According to P2 U2 Validation Guidance Checks based on documentation e According to P2 U2 Functional checks e According to P2 U2 Example of an acceptable solution Imprint of the software identification on the type plate of the instrument 10 5 4 and 10 5 5 will be filled in if considered necessary in the future 10 5 6 Assignment of risk class For the present according to the result of the WELMEC WG7 questionnaire 2004 and subject to future decisions of the responsible WELMEC Working Group the following risk class should be applied if software examinations based on this guide are carried out for software controlled measuring systems for the continuous and dynamic measurement of quantities of liquids other than water Risk class C 87 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 6 Weighing Instrume
23. If the values match the data set is valid and may be used otherwise it must be deleted or marked invalid Note The algorithm is not secret and in contrast to requirement T3 neither is the initial vector of the CRC register nor the generator polynomial i e the devisor in the algorithm The initial vector and generator polynomial are known to both of the programs that create and verify the checksums 2 Use of means provided by transmission protocols e g TCP IP IFSF Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B C and D Source code that realises the protection of transmitted data Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code e Check whether measures taken for protecting transmitted data are appropriate 45 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D T3 Integrity of data The legally relevant transmitted data must be protected against intentional changes with software tools oer Notes This requirement only applies to networks that are open or only partly under legal control not to closed networks 2 The protection must apply against intentional changes carried out by common simple software tools 3 Simple common software tools are understood as tools which are easily available and manageable
24. Index audit trail 7 22 31 60 authentication 7 38 47 58 113 authenticity 9 32 33 38 39 40 47 56 58 59 109 110 112 113 basic configuration 7 8 10 12 107 built for purpose 7 12 15 34 35 51 55 certification of keys 9 checklist 13 107 108 109 110 111 checksum 8 17 20 25 29 37 45 circuit 22 command 16 17 18 19 24 25 26 28 41 54 communication interface 19 108 confidentiality 39 48 113 cross reference 112 data domain 54 data flow 18 20 27 28 52 54 110 dimensional measuring instrument 98 direct trust 39 48 documentation 13 16 24 electrical energy meter 76 77 embedded 7 15 34 62 event logger 7 22 60 exhaust gas analysers 99 fault detection 20 62 114 115 116 117 gas meter 69 114 hash algorithm 9 25 37 46 heat meter 82 identification 8 16 17 22 24 25 33 35 38 40 44 47 52 58 60 108 indication 53 92 113 integrity 7 9 37 38 40 46 47 56 58 59 112 113 IT configuration 7 10 12 107 key actuation 18 26 legal control 8 legally relevant 7 8 16 21 29 33 51 54 55 63 material measure 97 memory 21 22 34 62 108 MID 6 8 12 61 network 7 8 16 23 24 34 43 47 50 110 closed 7 8 23 43 46 47 48 55 62 Software Guide 120 open 7 8 23 43 46 55 62 notified body NB 13 42 operating system 15 23 24 26 29 30 34 51 62 107 p
25. a PC based system for performing legally relevant functions A type U system is assumed if the conditions of a built for purpose measuring instrument type P are not fulfilled Open network A network of arbitrary participants devices with arbitrary functions The number identity and location of a participant can be dynamic and unknown to the other participants see also Closed network Risk class Class of measurement instrument types with comparable risk assessments Software download The process of automatically transferring software to a target measuring instrument or hardware unit using any technical means from a local or distant source e g exchangeable storage media portable computer remote computer via arbitrary connections e g direct links networks Software identification A sequence of readable characters of software and that is inextricably linked to the software e g version number checksum Software separation The unambiguous separation of software into legally relevant software and legally non relevant software If no software separation exists the whole software is to consider as legally relevant Sub assembly A hardware device hardware unit that functions independently and makes up a measuring instrument together with other sub assemblies or a measuring instrument with which it is compatible MID Article 4 Transmission of measurement data Transmission of measurement data via communication netwo
26. a net with participants that are not subject to legal control but all are known and do not change during operation An open network has no limitation in identity functionality presence and location of the participants Description of configurations Closed network completely under legal control Only a fixed number of participants with clear identity functionality and location are connected All devices are subject to legal control No devices exist in the network that are not subject to legal control Closed network partly under legal control A fixed number of participants with clear identity and location are connected to the network Not all devices are subject to legal control and therefore their functionality is unknown Open network Arbitrary participants devices with arbitrary functions can connect to the network The identity and functionality of a participating device and its location may be unknown to other participants Any network that contains legally controlled devices with IR or wireless network communications interfaces shall be considered to be an open network Table 7 1 Technical description of communication networks 43 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 7 2 Specific software Requirements for Data Transmission Risk Class B Risk Class C Risk Class D T1 Completeness of transmitted data The transmitted data must contain all relevant information necessary to present or
27. a signature really compares calculated and the nominal values e Check that secret data e g key initial value if used are kept secret against spying out with simple tools Functional checks e Check that a falsified data set is rejected by the retrieval program Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution Just before the data is reused the value of the checksum is recalculated and compared with the stored nominal value If the values match the data set is valid and may be used otherwise it must be deleted or marked invalid An acceptable solution is the CRC 16 algorithm Note The algorithm is not secret but in contrast to requirement L2 the initial vector of the CRC register or the generator polynomial i e the divisor in the algorithm must be The initial vector and generator polynomial are known only to the programs generating and verifying the checksums They must be treated as keys see L5 Example of an Acceptable Solution Instead of the CRC a signature is calculated A suitable signature algorithm would be one of the hash algorithms e g SHA 1 or RipeMD160 in combination with an encryption algorithm such as RSA or Elliptic Curves The minimum key length is 768 bits RSA or
28. additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution The registers for volume are protected against changes and resetting by the same means as parame ters see P7 Risk Class B Risk Class C Risk Class D 14 4 Dynamic behaviour The legally non relevant software shall not adversely influence the dynamic behaviour of a measur ing process Specifying notes e This requirement applies in addition to S 1 S 2 and S 3 if software separation has been realised in accordance with extension S e The additional requirement ensures that for real time applications of meters the dynamic behaviour of the legally relevant software is not inadmissibly influenced by legally non relevant software i e the resources of the legally relevant software are not inadmissibly reduced by the non legal part Required Documentation Description of the interrupt hierarchy e Timing diagram of the software tasks Limits of proportionate runtime for legally non relevant tasks Validation Guidance Checks based on documentation e Documentation of the limits of the proportionate runtime for legally non relevant tasks is available for the programmer of the legally non relevant software part Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of
29. an Acceptable Solution e The identification of legally relevant software comprises two parts Part A hast to be changed if changes to the software require a new examination Part B indicates only minor changes to the software e g bug fixes which need no new examination __ The identification is generated and displayed on command aooaa e Part A of the identification Part A of the identification consists of an automatically consists of a version number or the generated checksum over the legally relevant software that number of the TEC has been declared fixed at type examination For other legally relevant software part A is a version number or the number of the TEC e An example of an acceptable solution for performing the checksum is the CRC 16 algorithm Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code that contains the generation of the identification Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether all relevant software parts are covered by the algorithm for generating the identification Check the correct implementation of the algorithm WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D P3 Influence via user interface Commands entered via the user interface shall not inadmis
30. are interpreted and explained for software This report describes the examination of software needed to state conformance with the MID Client Dynaflow P O Box 1120333 100 Reykjavik Iceland Reference Mr Bjarnur Sigfridson Test Object The Dynaflow flow meter DF100 is a measuring instrument intended to measure flow in liquids The intended range is from 1 l s up to 2000 l s The basic functions of the instrument are measuring of flow in liquids indication of measured volume interface to transducer According to the WELMEC Guide 7 2 the flow meter is described as follows abuilt for purpose Measuring instrument an embedded system long term storage of legally relevant data The flow meter DF100 is an independent instrument with a transducer connected The transducer is fixed to the instrument and cannot be disconnected The measured volume is indicated on a display No communication with other devices is possible The embedded software of the measuring instrument was developed by Dynaflow P O Box 1120333 100 Reykjavik Iceland 104 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 The version of the software validated is V1 2c The source code comprises following files main c 12301 byte 23 Nov 2003 int c 6509 byte 23 Nov 2003 filter c 10897 byte 20 Oct 2003 input c 2004 byte 20 Oct 2003 display c 32000 byte 23 Nov 2003 Ethernet c 23455 byte 15 June 2002 driver c 11670 byte 15 June 2002 calculate c 67
31. be applied if software examinations based on this guide are carried out for software controlled taximeters Risk class C for type P instruments Risk class D for type U instruments 96 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 8 Material Measures Material measures are subject to regulations in MID The specific requirements are in Annex MI 008 Subject to future developments and decisions material measures in the sense of MID Annex MI 008 are not considered to be software controlled measuring instruments Thus for the present this software guide does not apply to material measures 97 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 9 Dimensional Measuring Instruments Dimensional Measuring Instruments are subject to regulations in MID The specific requirements are in Annex MI 009 Neither these specific requirements nor any normative documents have yet been taken into consideration 10 9 1 10 9 5 will be filled in if considered necessary in the future 10 9 6 Assignment of risk class For the present according to the result of the WELMEC WG7 questionnaire 2004 and subject to future decisions of the responsible WELMEC Working Group the following risk class should be applied if software examinations based on this guide are carried out for software controlled dimensional measuring instruments Risk class B for type P instruments Risk class C for type U instruments 98 WELMEC WG7 Software Guide WE
32. checking installation how the level of protection is required for risk classes B and guaranteed on completion what happens if a fault occurs C The realisation of the download mechanism shall be shown by the documentation Validation Guidance Validation Guidance in Checks based on documentation addition to the guidance for e Check the documentation how the download procedure is isk classes B and C managed Checks based on e Check that downloading and installation is handled automatically documentation that the measuring instrument is locked if appropriate and that e Check whether the software protection is not compromised following a download realisation of the download e Check that there exists non downloadable fixed legally relevant mechanism is correct software for authenticity and integrity checks e Check that during software download no measurement is possible or correct measurement is guaranteed Functional checks e Perform at least one software download to check the correct software download 56 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Example of an Acceptable Solution A utility program resident in the fixed part of the software that Handshakes with the sender and checks for consent Automatically inhibits measurement unless correct measurement can be guaranteed Automatically downloads the legally relevant software to a secure holding area Automatically carries out the
33. checks required by D2 to D4 Automatically installs the software into the correct location Takes care of housekeeping e g deletes redundant files etc Ensures that any protection removed to facilitate downloading and installation is automatically replaced to the approved level on completion h Initiates the appropriate fault handling procedures if a fault occurs gmoaogp Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the fixed software part responsible for the management of the download process Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for managing the download process are appropriate 57 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D D2 Authentication of downloaded software Means shall be employed to guarantee that the downloaded software is authentic and to indicate that Specifying Notes 1 Before the downloaded software is used for the first time the measuring instrument shall automatically check that a The software is authentic not a fraudulent simulation b The software is approved for that type of measuring instrument 2 The means by which the software identifies its NB approval status shall be made secure to prevent counterfeiting of the NB status
34. defined influencing quantities Example of an acceptable solution The interrupt hierarchy is designed in a way that avoids adverse influences 84 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 14 5 Imprinted Software Identification The software identification is usually presented on a display As an exception for heat meters an imprint of the software identification on the name plate of an instrument shall be an acceptable solution if the following conditions A B and C are fulfilled A The user interface does not have any control capability to activate the indication of the software identification on the display or the display does not allow technically showing the identification of the software mechanical counter B The instrument does not have any interface to communicate the software identification C After production of a meter a change of the software is not possible or only possible if also the hardware or a hardware part is changed Specifying notes The manufacturer of the hardware or the concerned hardware compenentis responsible that the software identification is correctly marked on the concerned hardware e All other Specifying Notes of P2 U2 apply Required Documentation e According to P2 U2 Validation Guidance Checks based on documentation e According to P2 U2 Functional checks e According to P2 U2 Example of an acceptable sol
35. having reached the limit of the event logger it shall be ensured by technical means that further downloads are impossible Audit trails may only be erased by breaking a physical or electronic seal and may be resealed only by the inspection authorities Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the fixed software part responsible for tracing download processes and managing the audit trail Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for tracing the download process are appropriate e Check whether measures taken for protecting the audit trail are appropriate Download consent It is assumed that the manufacturer of the measuring instrument keeps his customer well informed about updates of the software especially the legally relevant part and that the customer will not deny updating it Furthermore it is assumed that manufacturer and customer user or owner of the instrument will agree on an appropriate procedure of performing a download depending on the use and location of the instrument 60 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 Extension I Instrument Specific Software Requirements This extension is intended to complement the general software requirements of the previous chapters and cannot be considered isolat
36. in addition to the documentation required for risk classes B and C Source code of the fixed software part responsible for checking the authenticity of the downloaded software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for checking the authenticity are appropriate Risk Class B Risk Class C Risk Class D D3 Integrity of downloaded software Means shall be ee to guarantee that the downloaded software has not been inadmissibly Specifying Notes 1 Before the downloaded software is used for the first time the measuring instrument shall automatically check that the downloaded software has not been inadmissibly changed 2 If the downloaded software fails this test see D1 Required Documentation Required Documentation in addition to the The documentation shall describe how the integrity documentation required for risk classes B and of the software is guaranteed C The measures of ensuring integrity shall be shown by the documentation Validation Guidance Validation Guidance in addition to the e Ensure the integrity check of software after guidance for risk classes B and C downloading according to documentation and Checks based on documentation through functional tests e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection l
37. list the software identifications and describe addition to the documentation how the software identification is created how it is inextricably linked required for risk classes B and to the software itself how it may be accessed for viewing and how it is C structured in order to differentiate between version changes with and The documentation shall show without requiring a type examination the measures taken to protect the software identification from falsification WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Validation Guidance Validation Guidance in addition Checks based on documentation to the guidance for risk classes B e Examine description of the generation and visualisation of the 4nd C software identification Checks based on documentation e Check whether all programs performing legally relevant functions e Check whether the measures are clearly identified and described so that it is clear to both Notified taken to protect from Body and manufacturer which software functions are covered by falsification are appropriate the software identification and which are not e Check whether a nominal value of the identification version number or functional checksum is supplied by the manufacturer This must be quoted in the test certificate Functional Checks e The software identification can be visualised as described in the documentation e The presented identification is correct Example of
38. practical tests spot checks using peripheral equipment if available Example of an Acceptable Solution There is a software module that receives and interprets commands from the interface This module belongs to the legally relevant software It only forwards allowed commands to the other legally relevant software modules All unknown or not allowed commands are rejected and have no impact on the legally relevant software or measurement data The access to the operating system via the interfaces is restricted see U3 U6 Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether data flow concerning commands is unambiguously defined in the legally relevant software and can be verified e Search inadmissible data flow from the interface to domains to be protected e Check with tools or manually that commands are decoded correctly and no undocumented commands exist 28 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D U5 Protection against accidental or unintentional changes Legally relevant software and measurement data shall be protected against accidental or unintentional changes Specifying Notes 1 Unintentional ch
39. register but to record the start and end date time and register values of the out of range period in an event logger see P7 Both quantities can be indicated The user can clearly identify and distinguish the regular and the failure indication by means of a status indication 72 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 12 7 MI 002 5 5 Test element The gas meter shall have a test element which shall enable tests to be carried out in a reasonable time Specifying Notes The test element for accelerating time consuming test procedures is normally used for testing before installation and normal operation During the test mode the same registers and software parts shall be used as during standard operat ing mode Required Documentation Documentation of the test element and instructions for activating the test mode Validation Guidance Checks based on documentation e Check whether all time consuming test procedures of the gas meter can be completed by means of the test element Example of an Acceptable Solution The time base of the internal clock can be accelerated Processes that last e g a week a month or even a year and overrun of registers may be tested in the test mode within a time span of minutes or hours Risk Class B Risk Class C Risk Class D 12 8 Dynamic behaviour The legally non relevant software shall not adversely influence the dynamic behaviour of a measur ing process Specifying no
40. results are of a general nature and may be applied beyond The issue 4 and the newest issue 5 considers further experience gained from the ap plications of the Guide WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 1 Introduction This document provides guidance to all those concerned with the application of the Measuring Instruments Directive MID especially for software equipped measuring instruments It addresses both manufacturers of measuring instruments and notified bodies which are responsible for conformity assessment of measuring instruments By following the Guide a compliance with the software related requirements contained in the MID can be assumed It can be further assumed that all notified bodies accept this Guide as a compliant interpretation of the MID with respect to software To show how the requirements set up in this Guide are related to the respective requirements in the MID a cross reference has been included in this guide as an annex Chapter 13 The predecessor of this Guide was the Guide 7 1 worked out by WELMEC Working Group 7 Both Guides are based on the same principles and were derived from the requirements of the MID Guide 7 1 has been revised and exists further on Issue 2 but it is now only of informative character whereas the Guide 7 2 is the one that has been recommended by WELMEC for software construction examination and validation of software controlled measuring instruments being subject to the MID
41. test report Specific checklists for the respective technical parts 108 12 4 Information to be included in the type examination certificate 111 Cross Reference for MID Software Requirements to MID Articles and Annexes 112 13 1 Given software requirement reference to MID ssssssssssssssssrerrrrnerrssrrrrrrrrnnrssee 112 13 2 Interpretation of MID Articles and Annexes by MID Software Requirements 114 References and Literature cccccececcceeeccceeeeeeeeeeeeeeaeeeeeeeeeeeeseeeeaeaaeeeeeeeeeeenees 118 Revision HIStory eeaeee alah an ed aot au ea ant anatase ama he 118 G8 eereee eee ere tetera atten ena en rire eye OT eee Taree Seen Tree een nee ee er ee 120 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Foreword The Guide in hand is based on the Software Requirements and Validation Guide Version 1 00 29 October 2004 developed and delivered by the European Growth Network M D Software The Network was supported from January 2002 to December 2004 by the EU commission under the contract number G7RT CT 2001 05064 The Guide is purely advisory and does not itself impose any restrictions or additional technical requirements beyond those contained in the MID Alternative approaches may be acceptable but the guidance provided in this document represents the con sidered view of WELMEC as to a good practice to be followed Although the Guide is oriented on instruments included in the regulations of the MID the
42. the software e g bug fixes which need no new examination e Part A of the identification consists e Part A of the identification consists of an automatically of a version number or the number generated checksum over the fixed code For other legally of the TEC To prevent it from being relevant software part A is a version number or the changed with simple software tools number of the TEC To prevent it from being changed with it is stored in binary format in the simple software tools it is stored in binary format in the executable program file executable program file eee e An acceptable solution Acceptable algorithms for the for performing the checksum are CRC 32 or hash checksum is the CRC algorithms like SHA 1 SHA 2 16 MD5 RipeMD160 etc Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code that contains the generation of the identification Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether all relevant software parts are covered by the algorithm for generating the identification e Check the correct implementation of the algorithm 25 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D U3 Influence via user interfaces Commands entered via the user interface shall not inadmissibly influ
43. 1 Suitability Al 8 4 Protection against corruption T4 Authenticity of transmitted Al 7 1 Suitability data Al 8 4 Protection against corruption T5 Confidentiality of keys Al 7 1 Suitability Al 8 4 Protection against corruption T6 Handling of corrupted data Al 7 1 Suitability Al 8 4 Protection against corruption T7 Transmission delay Al 7 1 Suitability Al 8 4 Protection against corruption T8 Availability of transmission Al 7 1 Suitability services Al 8 4 Protection against corruption Extension S S1 Realisation of software sepa Al 7 6 Suitability ration Al 10 1 Indication of result S2 Mixed indication Al 7 1 Al 7 2 Al 7 6 Suitability Al 10 2 Indication of result S3___ Protective software interface Al 7 6 Suitability Extension D D1 Download mechanism Al 8 2 Al 8 4 Protection against corruption D2 Authentication of Al 7 6 Suitability downloaded software Al 8 3 Al 8 4 Protection against corruption Al 12 Conformity evaluation D3 Integrity of downloaded soft Al 7 1 Suitability ware Al 8 4 Protection against corruption D4 Traceability of legally rele Al 7 1 Al 7 6 Suitability vant Software Download Al 8 2 Al 8 3 Protection against corruption Al 12 Conformity evaluation Extension Instrument specific Software Requirements 11 1 Al 6 Reliability l z Fo Fault Detection MI 001 7 1 MI 002 3 1 n POORE TO Mity 14 1 MI 003 4 3 1 MI 004 4 113 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5
44. 5 No reset of cumulative registers D I2 5 13 5 Information to be borne Al 9 by and to accompany the instrument Measuring capacity aia rest of items not relevant for software La Al 9 2 No specific software relevance Instructions for installation conditions Al 9 3 for compatibility with interface sub P1 U1 assemblies or measuring instruments A FIB No specific software relevance Al 9 8 Al 10 Indication of result Al 10 1 on by means of a display or hard U8 L6 S2 Al 10 2 Significance of result no confusion with U8 L1 L4 L6 additional indications S2 115 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Software Jule Guide Article i Annex No Denotation Comment pac aoa o Al Annex l Print or record easily legible and non Al 10 3 arasabl U8 L6 S2 For direct sales presentation of the result AINA to both parties U8 S2 Al 10 5 For utility meters display for the customer ce 1276 16 Further processing of Al 11 data to conclude the trading transaction Al 11 1 Record of measurement results by a dura L1 L8 ble means Durable proof of the measurement result APENES and information to identify a transaction rine Al 12 Conformity evaluation Ready evaluation of the conformity with the P1 P2 U1 U2 Shon Svauatio requirements of the Directive D2 D4 Annexes A1 to H1 Sure No requirements to features of instruments Annex MI 001 MI 001
45. 88 byte 23 Nov 2003 The validation has been supported by following documents from the manufacturer DF 100 User Manual DF 100 Maintenance Manual Software description DF100 internal design document dated 22 Nov 2003 Electronic circuit diagram DF100 drawing no 222 31 date 15 Oct 2003 The final version of the test object was delivered to National Testing amp Measurement Laboratory on 25 November 2003 Examination Procedure The validation has been performed according to the WELMEC 7 2 Software Guide Issue 1 downloaded at www welmec org The validation was performed between 1 November and 23 December 2003 A design review was held on 3 December by Dr K Fehler at Dynaflow head office in Reykjavik Other validation work has been carried out at the National Testing amp Measurement Lab by Dr K Fehler and M S Probleme Following requirements have been validated Specific requirements for embedded software for a built for purpose measuring instrument type P Extension L Long term storage for legally relevant data Checklist for the selection of the configuration is found in annex 1 to this report Risk class C has been applied to this instrument Following validation methods have been applied identification of the software completeness of the documentation examination of the operating manual functional testing software design review review of software documentation data f
46. BA lea purpose HY _ If there is general purpose software is it accessible by or visible to the user N Is the user prevented from accessing the operating system if itis possible to switch to an operating mode not subject to eel y control 4 Are the implemented programs and the software environment invariable apart from updates Y 5 Are there any means for programming N Tick the empty boxes as appropriate If and only if all answers to the 5 questions can be given as in the P column then the requirements of the part P Chapter 4 apply In all other cases the requirements of the part U Chapter 5 are necessarily to apply The second checklist supports to decide which of the IT configuration applies for the instrument under test Decision on Required Extensions Not Applicable L either on an integrated storage or on a remote or removable storage Does the device have interfaces for transmission of data to devices subject to legal control OR is the device receiving data from another device subject to legal control Are there software parts with functions not subject to legal control AND are these software parts desired to be changed after type approval D Is loading of software possible or desired Consider the required extension for each question answered with YES i Lu gt Does the device have the ability to store the measurement data GF Consider the required
47. Checks based on documentation e Judge whether all documented commands are admissible i e whether they have an allowed impact on the measuring functions and relevant data or none at all e Check whether the manufacturer has given an explicit declaration of completeness of the command documentation Functional checks e Carry out practical equipment if available tests spot checks using peripheral Note If it is not possible to exclude inadmissible effects on the measurement functions or relevant data via the interface and the software cannot be amended accordingly then the test certificate must indicate that the interface is non protective and describe the securing sealing means required This also applies to interfaces that are not described in the documentation Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken and test protocols are appropriate for the high protection level Example of an Acceptable Solution There is a software module that receives and interprets data from the interface This module is part of the legally relevant software It only forwards allowed commands to the other legally relevant software modules All unknown or not allowed signal or code sequences are rejected and have no impact on the legally relevant software or measurement data WELMEC WG7 Software Guide WELMEC 7 2 Is
48. Documentation in addition to the Description of the detection of transmission faults or Gocumentation required for risk classes B intentional changes and C The measures taken for correct handling of corrupted data shall be shown Validation Guidance Validation Guidance in addition to the Checks based on documentation and functional checks guidance for risk classes B and C e Check that the corrupted data will not be used according Checks based on documentation to the delivered concept e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution When the program that is receiving data sets detects a discrepancy between the data set and the nominal value of the signature it first tries to reconstruct the original value if redundant information is available If reconstruction fails it generates a warning to the user does not output the measurement value and e Sets a flag in a special field of the data set status field with the meaning not valid OR e Deletes the corrupted data set Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the receiving device Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for handling c
49. Electronic signature A short code the signature that is unambiguously assigned to a text data block or binary software file to prove the integrity and authenticity of data stored or transmitted The signature is created using a signature algorithm and a secret signature key Usually the generation of an electronic signature is composed of two steps 1 first a hash algorithm compresses the contents of the information to be signed to a short value and 2 then a signature algorithm combines this number with the secret key to generate the signature Trust Centre An association that trustworthily generates keeps and issues information about the authenticity of public keys of persons or other entities e g measuring instruments WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 3 How to use this guide This section describes the organisation of the guide and explains how to use it 3 1 Overall structure of the guide The guide is organised as a structured set of requirement blocks The overall structure of the guide follows the classification of measuring instruments into basic configurations and the classification of so called IT configurations The set of requirements is complemented by instrument specific requirements Consequently there are three types of requirement sets 1 requirements for two basic configurations of measuring instruments called type P and U 2 requirements for four IT configurations called extensions L T S a
50. Guide WELMEC 7 2 Issue 5 6 Checklist for specific requirements extension D Checklist for Requirements of Extension T o S a a G 2 9 ro 2 lt x o pe o oc z Is downloading and the subsequent installation of software automatic Is it ensured that the software protection environment is at the approved level on completion Are means employed to guarantee that the downloaded software is authentic and to indicate that the downloaded software has been approved by an NB Are means employed to guarantee that the downloaded software has not been inadmissibly changed during download Is it guaranteed by appropriate technical means that downloads of legally relevant software are adequately traceable within the instrument for subsequent controls Explanations are needed if there are deviations from software requirements 12 4 Information to be included in the type examination certificate While the entire test report is a documentation of the object under test the validation carried out and the results a certain selection of the information contained in the test report are required for type examination certificate TEC This concerns the following information which should be appropriately included in the TEC e Reference to the documentation submitted for type examination e Identification and description of the electronic hardware parts subassemblies modules that are important for software IT function
51. LMEC 7 2 Issue 5 10 10 Exhaust Gas Analysers Exhaust Gas Analysers are subject to regulations in MID The specific requirements are in Annex MI 010 Neither these specific requirements nor any normative documents have yet been taken into consideration 10 10 1 10 10 5 will be filled in if considered necessary in the future 10 10 6 Assignment of risk class For the present according to the result of the WELMEC WG7 questionnaire 2004 and subject to future decisions of the responsible WELMEC Working Group the following risk class should be applied if software examinations based on this guide are carried out for software controlled exhaust gas analysers Risk class B for type P instruments Risk class C for type U instruments 99 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 11 Definition of Risk Classes 11 1 General principle The requirements of this guide are differentiated according to software risk classes Risks are related to software of the measuring instrument and not to any other risks For convenience reasons the shorter term risk class is used Each measuring instrument must be assigned to a risk class because the particular software requirements to be applied are governed by the risk class the instrument belongs to A risk class is defined by the combination of the appropriate levels required for software protection software examination and software conformity Three levels low middle and high are in
52. Rounding algorithm for price X X Span sensitivity X X X X X Corrections for non linearity X X X xX X Max Min e d x x x Xx Xx Units of measurement e g g kg X X X X X Weight value as displayed rounded to VV X X X X X multiples of e or d Tare preset tare VV X X X X X Unit price price to pay VV X X X Weight value in internal resolution VV X X X X X X X Status signals e g zero indication TF X X X X X X X stability of equilibrium Comparison of actual weight vs preset TF X X value Automatic printout release e g at TF X X interruption of automatic operation Warm up time TF TD X X X X X X X Interlock between functions TF X X e g zero setting tare X X X X automatic non automatic operation X zero setting totalizing X X Record of access to dynamic setting TF VV X X Maximum rate of operation range of DD TD X X X X X X operating speeds dynamic weighing Product Parameters for dynamic VV X X X weight calculation Preset weight value VV X X Width of adjustment range DD TD X X Criterion for automatic zero setting e g DD TD X X X X X time interval end of weighing cycle Minimum discharge rated minimum fill DD X X Limiting value of significant fault DD TD X X if not 1e or 1d Limiting value of battery power DD TD X X X X X X X Table 10 1 Examples of legally relevant device specific and type specific functions and data 92 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 The marked functi
53. UMOIOGY saiae aaa a a E aaa a aae aaa ap Ga raaa Eana Ei 7 3 How 10 sethis QUINGs c2ti stents e a A seh E eel belies 10 3 1 Overall Structure of the guide sx nicte Airc cenrpem iets tesioem eioedes acateeneerceme iets 10 3 2 How to select the appropriate parts of the QUIde ccceceeeeeeeeeeeeeeeeeeeeeeeeeeeeees 12 3 3 How to work with a requirement DIOCK cccceceeeeeeeeeeecceeeeeeeeeeesenaaaeeeeeeeeeees 13 3 4 How to work with the CheCkliISts 0 s0ccceeeateey ciate nei teeelne ote 13 4 Basic Requirements for Embedded Software in a Built for purpose Measuring Instrument Type P ced ceastena nat lasinnt detent ccatitad anctaseteneteuleedeted daeietedgtasastagetheuncatede 15 4 1 Technical DEsScriptioN isien aE a RE 15 4 2 Specific Requirements for Type P ssssssssssssesssnrrnnersserrrnrrrnrrsserrrrrrnnnrsserestrrrtrrnnn 16 5 Basic Requirements for Software of Measuring Instruments using a Universal CGomp ter CT Yi tee seed casei eee cad eh reio e ecarind denig n te 23 5 1 Technical Description sect tecs toes ac cetteer den adig ued ta cx teat wea eo everest eee 23 5 2 Specific Software Requirements for Type U eee cece cette eeeeeeeeeeeeeeeeeeeeeee 24 6 Extension L Long term Storage of Measurement Data cccceeeeeeeeeteeeeeeees 34 6 1 Technical description i a a esl E aera 34 6 2 Specific software requirements for Long term Storage sseeeeesssssrsrerrnresssrreene 35 7 Extension T Transmission
54. aid of the public key of the sending measuring instrument or the device that generated the relevant data set With this check the receiver can prove that value and signature belong together Appropriate methods equivalent electronic payment shall be used to Required Documentation Description of the key management and means for keeping keys and associated information secret Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall shown be Validation Guidance Checks based on documentation e Check that the secret information compromised cannot be Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution The secret key and accompanying data are stored in binary format in the executable code of the legally relevant software It is then not obvious at which address these data are stored The system software doesn t offer any features to view or edit these data If the CRC algorithm is used as a signature the initial vector or generator polynomial play the role of a key Example of an Acceptable Solution The secret key is stored in a hardware part that can be physically sealed The software doesn t off
55. ally cumulate the volume consumed The cumulative volume is displayed at the instrument Various principles are employed A volume converter is used to calculate the volume at base conditions The converter may be an integral part of the meter The volume measurement may not be repeated 10 2 2 4 Fault Detection and Reaction The requirement MI 002 4 3 1 deals with electromagnetic disturbances There is a need to interpret this requirement for software controlled instruments because detection of a disturbance and recovery is only possible by co operation of specific hardware parts and specific software From the software point of view it makes no difference what the reason for a disturbance was electromagnetic electrical mechanical etc the recovery procedures are all the same 69 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 2 3 Specific software requirements Gas meters and volume converters Risk Class B Risk Class C Risk Class D 12 1 Fault Recovery The software shall recover from a disturbance to normal processing Specifying Notes Date stamped flags should be raised to help log periods of faulty operation Required Documentation A brief description of the fault recovery mechanism and when it is invoked Validation Guidance Checks based on documentation e Check whether the realisation of fault recovery is appropriate Functional checks e None additional to those completed during type exami
56. amming or changing the legally relevant software Software download is only allowed if extension D is observed e Interfaces for transmission of measurement data via open or closed communication networks are allowed Extension T to be observed e The storage of measurement data either on an integrated storage on a remote or on removable storage is allowed Extension L to be observed WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 4 2 Specific Requirements for Type P Risk Classes B to E P1 Documentation In addition to the specific documentation required in each of the following requirements the documentation shall basically include a A description of the legally relevant software b A description of the accuracy of the measuring algorithms e g price calculation and rounding algorithms c A description of the user interface menus and dialogues d The unambiguous software identification e An overview of the system hardware e g topology block diagram type of computer s type of network etc if not described in the operating manual f The operating manual Risk Class B Risk Class C Risk Class D P2 Software identification The legally relevant software shall be clearly identified An identification of the software shall be inextricably linked to the software itself It shall be presented on command or during operation ee Notes Specifying Notes 1 Changes to metrologically relevant 1 In a
57. anges could occur through a Incorrect program design e g incorrect loop operation changing global variables in a function etc the avoidance requires as far as possible testing b Misuse of the operating system the avoidance requires programmers who are sufficiently familiar with the operating system used C Accidental overwriting or deletion of stored data and programs refer also to Extension L d Incorrect assignment of measurement transaction data Measurements and data belonging to one measurement transaction must not be mixed with those of a different transaction due to incorrect programming or storage the avoidance requires as far as possible testing and additional requests for confirmation of actions wherever useful e Physical effects electromagnetic interference temperature vibration etc the avoidance requires selfchecks of the software Required Documentation Required Documentation in The documentation should show the measures that have been addition to the documentation taken to protect the software and data against unintentional required for risk classes B and C changes The documentation shall show the measures taken to validate the effectiveness of the protection means Validation Guidance Validation Guidance in addition Checks based on documentation to the guidance for risk classes B and C e Check that a checksum of the program code and the relevant parameters is gene
58. arameter 7 8 22 100 112 type specific 8 protective interface 52 53 54 56 110 113 public key structure 9 risk class 8 9 12 61 63 100 101 secure 7 21 22 30 31 57 58 108 signature algorithm 9 37 46 electronic 9 37 46 58 key 9 software download 7 8 10 15 19 21 27 52 56 60 software separation 8 10 12 15 33 51 52 55 113 low level 52 sophisticated tools 37 39 46 48 100 109 110 specific requirements 12 34 87 94 97 98 99 109 110 111 spoof 32 storage integrated 7 15 34 37 107 long term 7 8 10 34 42 109 sub assembly 8 subroutine 54 taximeter 94 TEC 17 25 31 33 56 111 test report 103 traceability 60 transmission 7 8 10 12 15 19 42 43 44 45 46 47 49 50 52 107 110 113 114 trust centre 9 39 48 type P 7 10 12 15 16 23 34 55 62 96 98 99 108 type U 8 12 15 34 96 98 99 108 user interface 8 15 16 18 23 24 26 27 34 62 108 112 validation 13 water meter 64 weighing instrument 41 61 88 WELMEC 7 2 Issue 5
59. are Configuration The entire software of the target device may be legally controlled or it may have software separation The download of legally relevant software must follow the requirements outlined below If there is no software separation in the measuring instrument then all of the requirements below apply to all downloads Table 9 1 Technical description of configurations for software download 55 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 9 2 Specific Software Requirements Risk Class B Risk Class C Risk Class D D1 Download mechanism Downloading and the subsequent installation of software shall be automatic and shall ensure that the software protection environment is at the approved level on completion Specifying Notes 1 Downloading shall be automatic to ensure that the existing level of protection is not compromised 2 The target device has a fixed legally relevant software that contains all of the checking functions necessary for fulfilling requirements D2 to D4 3 The instrument should be capable of detecting if the download or installation fails A warning shall be given If the download or installation is unsuccessful or is interrupted the original status of the measuring instrument shall be unaffected Alternatively the instrument shall display a permanent error message and its metrological functioning shall be inhibited until the cause of the error is corrected 4 On successful completion of t
60. are easily available and manageable as e g office packages geet i Notes This requirement applies to all types of storages except integrated storages 2 The protection must apply against intentional changes carried out by special sophisticated soft ware tools 3 Sophisticated software tools are for example de buggers re compilers software development tools etc 4 The protection level shall be equivalent to that re quired for electronic payment 5 Protection is realised by an electronic signature with an algorithm that guarantees that no identical signa ture results from different data sets Note Even if the algorithm and key meet the level high a technical solution with a standard personal computer would not realise this protection level provided that there are no appropriate protection means for the programs that sign or verify a data set see basic guide U for universal computers comment on requirement U6 D Required Documentation The method of how the protection is realised shall be documented Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Checks based on documentation f a checksum or signature is used Check that the checksum or signature is generated over the entire data set Check that legally relevant software which reads the data and calculate a checksum or decrypts
61. are is transferred via the protective interface see S3 to the legally relevant software Behind the interface it passes through a filter that detects inadmissible information The admissible information is then inserted into the indication controlled by the legally relevant software e On a window style display universal computer the legally relevant software checks in short time intervals whether the window with the legally relevant information is always visible and on top of the window stack If it is hidden minimised or outside the border the software generates a warning or stops the output and processing of measurement values When the measurement is finished the window for legal purposes may be closed Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the legally relevant software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check that legally relevant software generates the indication of measurement values e Check that this indication cannot be changed or suppressed by legally non relevant programs 53 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D S3 Protective software interface The data exchange between the legally relevant and legally non relevant software must be performed via a protective software interface w
62. as e g office packages eee Notes This requirement applies to open networks and to closed networks partly under legal control Protection is realised by an electronic signature with an algorithm that guarantees that no identical signature results from different data sets The protection must apply against intentional changes carried out by special sophisticated software tools 4 Sophisticated software tools are e g debuggers re compilers software developing tools etc 5 The protection level shall be equivalent to that required for electronic payment Note Even if the algorithm and key meet the level high a technical solution with a standard personal computer would not realise this protection level provided that there are no appropriate protection means for the programs that sign or verify a data set see basic guide U for universal computers comment on requirement U6 D Required Documentation Description of the protection method Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Checks based on documentation If a checksum or signature is used Check that the checksum or signature is generated over the entire data set Check that legally relevant software that receives the data re calculates the checksum or decrypts the signature and compares it with the nominal value contained in
63. ata necessary for legal and metrological reasons shall be stored together with the measurement value Required Documentation Description of all fields of the data sets Validation Guidance Checks based on documentation e Check whether all information needed for the relevant legal and metrological purposes are contained in the data set Example of an Acceptable Solution A legally and metrologically complete data set comprises the following fields Measurement value s with correct resolution the legally correct unit of measure the unit price or the price to pay if applicable the place and time of the measurement if applicable identification of the instrument if applicable external storage Data are stored with the same resolution values units etc as indicated or printed on a delivery note o o o o Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B C and D Source code that generates the data sets for storing Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code e Check whether the data sets are built correctly 35 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D L2 Protection against accidental or unintentional changes Stored data shall be protected against accidental and unintentional changes Specifying No
64. ation required for risk classes B and C Source code showing the way of securing and viewing legally relevant parameters Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check in the source code whether measures taken for protecting parameters are appropriate e g adjusting mode disabled after securing 22 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 5 Basic Requirements for Software of Measuring Instruments using a Universal Computer Type U 5 1 Technical Description The set of software requirements in this section apply to a measuring instrument based on a general purpose computer The technical description of the Type U measuring system is summarised below Basically a Type U system must be assumed if the conditions of a type P instrument see Chapter 4 1 are not fulfilled Hardware Configuration a A modular general purpose computer based system The computer system may be stand alone part of a closed network e g Ethernet token ring LAN or part of an open network e g Internet b Because the system is general purpose the sensor would normally be external to the computer unit and would normally be linked to it by a closed communications link The communication link could however also be open e g network whereby several sensors could be connected c The user interface may be switched from an operating mode which is not under le
65. by the functions and data of the measuring instrument documentation Validation Guidance Validation Guidance in Checks based on documentation addition to the guidance for risk e Check that functions of the legally relevant software that may be classes B and C triggered via the protective software interface are defined and Checks based on described documentation e Check that the parameters that may be exchanged via the Check whether realisation of interface are defined and described the software interface is e Check that the description of the functions and parameters is correct conclusive and complete Example of an Acceptable Solution e The data domains of the legally relevant software part are encapsulated by declaring only local variables in the legally relevant part The interface is realised as a subroutine belonging to the legally relevant software that is called from the legally non relevant software The data to be transferred to the legally relevant software are passed as parameters of the subroutine The legally relevant software filters out inadmissible interface commands Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code of the legally relevant software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether
66. ce of legally controlled instruments to back trace downloads of legally relevant software over an adequate period of time that depends on national legislation 2 The traceability means and records are part of the legally relevant software and should be protected as such Required Documentation Required Documentation in addition The documentation shall to the documentation required for risk e Briefly describe how the traceability means is classes B and C implemented and protected The measures of ensuring traceability e State how downloaded software may be traced shall be shown by the documentation Validation Guidance Validation Guidance in addition to the Checks based on documentation guidance for risk classes B and C e Check that traceability means are implemented and Checks based on documentation protected e Check whether the measures taken Functional checks are appropriate with respect to the e Check the functionality of the means through spot required state of the art for a high checks protection level Example of an Acceptable Solution An audit trail The measuring instrument may be equipped with an event logger that automatically records at least the date and time of the download identification of the downloaded legally relevant software the identification of the downloading party and an entry of the success An entry is generated for each download attempt regardless of the success After
67. chanisms The system supervisor should restore rights only when required Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for detection of changes faults are appropriate e Ifa checksum is realised check whether all parts of the legally relevant software are covered by it 29 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D U6 Protection against intentional changes Specifying Notes 1 Changes with the intention of fraud could be attempted by a Changing the program code including integrated data if the program code is an executable format exe then it is sufficiently protected for risk classes B and C b Changing the stored measurement data refer to Extension 2a Means that consider the capabilities of the operating system shall be taken to prevent the approved software from being replaced by non approved software using the operating system see also U3 For authorised downloading software see Extension D 2b The mass storage device where relevant data configuration files programs and parameters are stored shall be protected against physical exchange 3 Means shall be taken to protec
68. cifying Notes of P2 U2 apply Required Documentation e According to P2 U2 Validation Guidance Checks based on documentation e According to P2 U2 Functional checks e According to P2 U2 Example of an acceptable solution Imprint of the software identification on the name plate of the instrument 10 3 4 Examples of legally relevant parameters Electronic utility meters often have a lot of parameters They are used as constants for calculations as configuration parameters etc but also for setting up the functionality of the device Concerning identification and protection of parameters and parameter sets refer to requirement P2 and P7 guide P In the following some typical parameters of active electrical energy meters are given This table will be updated when WELMEC Working Group 11 has decided on the final contents Parameter Protected Settable Comment Calibration factor x Linearisation factor x 10 3 5 Other aspects For domestic applications it is expected that download of software extension D Chapter 9 will not be very important The cumulating energy or volume register of domestic instruments is not a long term storage in the sense of extension L Chapter 6 For an instrument that only 80 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 measures cumulated energy volume the application of the extension L is not necessary 10 3 6 Assignment of risk class Fo
69. ctional Checks e Carry out practical tests spot checks with both documented and undocumented commands Test all menu items if any addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken and test protocols are appropriate for the high protection level Example of an Acceptable Solution There is a software module that receives and interprets commands from the user interface This module belongs to the legally relevant software It only forwards allowed commands to the other legally relevant software modules All unknown or not allowed sequences of switch or key actuations are rejected and have no impact on the legally relevant software or measurement data Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether data flow concerning commands is unambiguously defined in the legally relevant software and can be verified e Search inadmissible data flow from the user interface to domains to be protected e Check with tools or manually that commands are decoded correctly and no undocumented commands exist WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk C
70. culation of the maximum error that can occur for cumulative values if a cyclical periodic back up is realised Validation Guidance Checks based on documentation e Check whether all legally relevant data are saved in case of a disturbance Functional checks e Check by simulating a disturbance whether back up mechanism works as described in the documentation Example of an Acceptable Solution A hardware watchdog fires when it is not cyclically reset This alarm actuates an interrupt in the microprocessor The assigned interrupt routine at once collects measurement values state values and other relevant data and stores them in a non volatile storage e g an EEPROM or other appropriate storage Note It is assumed that the watchdog interrupt has highest interrupt priority and can dominate any normal processing or any arbitrary endless loop i e the program control always jumps to the interrupt routine if the watchdog fires 91 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 6 4 Examples of legally relevant functions and data Table 10 1 Examples of legally relevant device specific and type specific functions and data DF DD TF TD for AWls in comparison with those of non automatic weighing instruments R76 VV indicates variable values OIML Recommendation No 50 51 51 X Y Functions data Weight calculation X X Stability analysis X X Price calculation X X
71. d by this software guide However the basic measurement function should be assessed as with all other type P instruments along with any other assessment deemed necessary to demonstrate that the associated software providing these functions has no inadmissible influence on the basic measurement 75 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 3 Active Electrical Energy Meters 10 3 1 Specific regulations standards and other normative documents Member states may in accordance with MID Article 2 prescribe Active electrical energy meters in residential commercial and light industrial use to be subject to regulations in MID The specific requirements of this chapter are based on Annex MI 003 only OIML recommendations or IEC standards have not been taken into consideration 10 3 2 Technical description Active electrical energy meters take voltages and currents measurements as inputs derive the active electrical power from them and integrate this with respect to time to give the active electrical energy 10 3 2 1 Hardware Configuration Active electrical energy meters typically are realised as built for purpose devices Type P in this document They may have one or more inputs and may be used in combination with external instrument transformers 10 3 2 2 Software Configuration This is specific to each manufacturer but would normally be expected to follow the recommendations given in the main body of this guide 10 3
72. data flow is unambiguously defined in the legally relevant software and can be verified e Check the data flow via the software interface with tools or manually Check whether all data flow between the parts has been documented no circumvention of the declared software interface e Search inadmissible data flow from the part not subject to control to domains to be protected e Check that commands if any are decoded correctly and no undocumented commands exist 54 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 9 Extension D Download of Legally Relevant Software This extension shall be used for the download of legally relevant software as long as the metrological characteristics remain unchanged and the declaration of conformity is still valid e g bug fixes These requirements are to be considered in addition to the basic requirements for Types P and Type U described in Chapters 4 and 5 in the guide 9 1 Technical Description Software may be downloaded only to measuring instruments that are characterised by the following properties Hardware Configuration The target device is subject to legal control It may be a built for purpose measuring instrument Type P or one based on a universal computer Type U Communications links for the download may be direct e g RS 232 USB over a closed network partly or wholly under legal control e g Ethernet token ring LAN or over an open network e g Internet Softw
73. ddition to 1 risk class B Each change to legally relevant software require information of the software defined as fixed at type examination requires a NB The NB decides whether a new software identification new unique software identification If not the whole legally relevant software firmware is is necessary or not A new defined as fixed there might be an additional part that is software identification is only treated like in B even for risk class C However if it is required if the software changes technically not possible to realise one software lead to changes of the approved identification for the fixed part e g a CRC checksum functions or characteristics generated exclusively over the fixed part of the executable code and one for the rest e g a version number the whole software firmware has to be defined as fixed and be identifiable by a checksum 2 The software identification has to be easily shown for verification and inspection purposes easily means by standard user interface without additional tools 3 The software identification shall have a structure that clearly identifies versions that require type examination and those that do not 4 If functions of the software can be switched by type specific parameters each function or variant may be identified separately or alternatively the complete package may be identified as a whole Required Documentation Required Documentation in The documentation shall
74. e appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution The data set is read from the storage by the verifying program and the signature over all data fields is recalculated and compared with the stored nominal value If both values match the data set is correct otherwise the data are not used and are deleted or marked invalid by the program Additions for Risk Class E Source code of the retrieval program Required Documeniation in addition to the documentation required for risk classes B and C Checks based on the source code implemented Validation Guidance in addition to the guidance for risk classes B and C e Check whether measures taken for retrieval verification of signatures etc are appropriate and correctly 40 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D L7 Automatic storing The measurement data must be stored automatically when the measurement is concluded Specifying Notes 1 This requirement applies to all types of storage 2 This requirement means that the storing function must not depend on the decision of the operator Nevertheless in some types of instrument e g weighing instruments a decision or command is required from the operator whether or not to accept the result In other words there might be some intermediate measurements that will not be stor
75. e corresponding possibility is held open 102 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 12 Pattern for Test Report Including Checklists This is a pattern for a test report which consists of a main part and two annexes The main part contains general statements on the object under test It must be correspondingly adapted in practice The annex 1 consists of two checklists to support the selection of the appropriate parts of the guide to be applied The annex 2 consists of specific checklists for the respective technical parts of the guide They are recommended as an aid for manufacturer and examiner to prove that they have considered all applicable requirements In addition to the pattern of the test report and the checklists the information required for the type examination certificate are listed in the last subsection of this chapter 103 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 12 1 Pattern for the general part of the test report Test report no XYZ122344 Flow meter Dynaflow model DF101 Validation of Software n annexes Commission The Measuring Instruments Directive MID gives the essential requirements for certain measuring instruments used in the European Union The software of the measuring instrument was validated to show conformance with the essential requirements of the MID The validation was based on the report WELMEC MID Software Requirements Guide WELMEC Guide 7 2 where the essential requirements
76. e following some typical parameters of gas meters and volume conversion devices are given This table will be updated when WELMEC Working Group 11 has decided on the final contents 10 2 5 Other aspects For domestic applications it is expected that download of software extension D Chapter 9 will not be very important The cumulating energy or volume register of domestic instruments is not a long term storage in the sense of extension L Chapter 6 For an instrument that only 74 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 measures cumulated energy volume the application of the extension L is not necessary 10 2 6 Assignment of risk class For the present according to the decisions of the responsible WELMEC Working Group 11 2 meeting 3 4 March 2005 the following risk class is considered appropriate and should be applied if software examinations based on this guide are carried out for software controlled gas meters and volume conversion devices Risk class C for instruments of type P A final decision has however not yet been taken and WG 11 will reconsider this item in connection with the discussion of appropriate risk class es for type U instruments WG11 considers prepayment and interval metering functionality to be additional to those essential measurement functions specified by MID Annex MI 002 therefore no greater risk category is allocated to these variants than to the basic meter types already covere
77. e volume registers Validation Guidance Checks based on documentation e Check that cumulative legally relevant measurement values cannot be reset without leaving a trace Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution The registers for volume are protected against changes and resetting by the same means as parame ters see P7 Risk Class B Risk Class C Risk Class D 11 4 Dynamic behaviour The legally non relevant software shall not adversely influence the dynamic behaviour of a measur ing process Specifying notes e This requirement applies in addition to S 1 S 2 and S 3 if software separation has been realised in accordance with extension S e The additional requirement ensures that for real time applications of meters the dynamic behaviour of the legally relevant software is not inadmissibly influenced by legally non relevant software i e the resources of the legally relevant software are not inadmissibly reduced by the non legal part Required Documentation Description of the interrupt hierarchy e Timing diagram of the software tasks Limits of proportionate runtime for legally non relevant tasks Validation Guidance Checks based on documentation e Documentation of the limits of the proportionate runtime for legally non relevant task
78. ed for example during loading or before the quantity of product requested is on the load receptor However even in this case the result will be stored automatically when the operator accepts the result 3 For the case of full storage refer to requirement L8 Required Documentation Confirmation that storing is automatically carried out Description of the Graphical User Interface Validation Guidance Functional checks e Examine by spot checks that the measurement values are stored automatically after measurement or acceptance of measurement is concluded Check that there are no buttons or menu items to interrupt or disable the automatic storing Example of an Acceptable Solution There is no menu item or button in the Graphical User Interface GUI that supports manual initiation of storing measurement results The measurement values are wrapped in a data set along with additional information such as time stamp and signature and are stored immediately after the measurement or the acceptance of measurement respectively Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B C and D Source code of the instrument Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code Check whether measures taken for automatic storing are appropriate and correctly implemented 41
79. ed from parts P or U and the other extensions see Chapter 3 It reflects the existence of instrument specific MID annexes MI x and contains specific aspects and requirements for measuring instruments or systems or sub assemblies These requirements do not however go beyond the requirements of the MID If reference is made to OIML recommendations or ISO IEC standards this is done only if these can be considered as normative documents in the sense of the MID and if this supports a harmonised interpretation of the MID requirements Besides instrument specific software aspects and requirements Extension contains the instrument or category specific assignment of risk classes which ensures a harmonised level of software examination software protection and software conformity For the present Extension is intended to be an initial draft to be completed by the respective WELMEC Working Group that has the corresponding specific knowledge Therefore Extension has an open structure i e it provides a skeleton that is besides the initial assignment of risk classes filled in only partly e g for utility meters and automatic weighing instruments It may be used for other MID or non MID instruments too according to the experiences gained and decisions taken by the responsible WELMEC Working Groups The numbering x of the sub chapters 10 x follows the numbering of the specific MID Annex MI x Non MID instruments could be added starting fr
80. ed with the nominal value of the battery lifetime If 90 of the lifetime has elapsed an appropriate warning is shown The software detects the exchange of the power source and resets the counter Another solution would be to monitor the health of the power supply continuously Risk Class B Risk Class C Risk Class D 12 6 MI 002 9 1 Electronic conversion device An electronic conversion device shall be capable of detecting when it is operating outside the operat ing range s stated by the manufacturer for parameters that are relevant for measurement accuracy In such a case the conversion device must stop integrating the converted quantity and may totalise separately the converted quantity for the time it is operating outside the operating range s Specifying Notes There shall be a display indication of the failure state Required Documentation Documentation of the different registers for converted quantity and failure quantity Validation Guidance Checks based on documentation e Check whether the measures taken are appropriate for the management of unusual operating conditions Example of an Acceptable Solution The software monitors the relevant input values and compares them with predefined limits If all val ues are inside the limits the converted quantity is integrated to the normal register a dedicated varia ble Else it totalises the quantity in another variable Another solution would be to have only one cumulating
81. el if there were no appropriate hardware protection means for the key and other secret data see basic guide for universal computers U6 1 Public Key Infrastructure The public key of the storage subject to legal control has been certified by an accredited Trust Centre Direct Trust It is not necessary to involve a trust centre if by prior agreement both parties are able to read the public key of the measuring instrument directly at a device subject to legal control that is displaying the relevant data set Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code that realises key management Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for key management are appropriate 39 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B L6 Retrieval of stored data Risk Class C must not be used Specifying Notes 1 L5 stored Risk Class D The software used for verifying measurement data sets stored shall display or print the data check the data for changes and warn if a change has occurred Data that are detected as having been corrupted The measurement data stored might need to be referred to at a later date e g transactions that are queried If there is a doubt on the correctness of a delivery note
82. ence legally relevant software and measurement data oe Notes This implies that there is an unambiguous assignment of each command to an initiated function or data change 2 This implies that switch or key actuations that are not declared and documented as commands have no effect on the instrument s functions and measurement data 3 Commands may be a single action or a sequence of actions carried out by the operator The user shall be guided which commands are allowed 4 Functions for changing the legally relevant configuration of the operating system shall not be offered to the user neither locally nor remotely The configuration shall be secured against inadmissible Deen changes a aaa caa ha O a a a a O a 5 The user shell shall be closed i e the user shall not be able to load vv programs write programs or perform commands to the operating system Required Documentation Required Documentation in addition The documentation shall include to the documentation required for risk A complete list of all commands together with a Classes B and C declaration of completeness e The documentation shall show the A brief description of their meaning and their effect on the measures to validate the functions and data of the measuring instrument completeness of the documentation e Description how a secure configuration of the operating or commands system is achieved Assignment of roles accounts in the
83. equired Required Documentation Network with unknown participants Description of the IT means for correct assigning of measurement value to measurement Closed network Description of the hardware means preserving the number of participants in the network Description of initial identification of the participants Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Checks based on documentation e Check that there is a correct linking between each measurement value and the corresponding measurement e Check that data are digitally signed to ensure their proper identification and authentication Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution measurement has been performed time stamp e The receiver of the data set checks all data for plausibility e Each data set has a unique current identification number which may contain the time when the e Each data set contains information about the origin of the measurement data i e serial number or identity of the measuring instrument that generated the value e In a network with unknown participants authenticity is guaran
84. er any features to view or edit these data Note A technical solution with a standard personal computer would not be sufficient to ensure high protection level if there were no appropriate hardware protection means for the key and other secret data see basic guide for universal computers U6 1 Public Key Infrastructure The public key of the storage subject to legal control has been certified by an accredited Trust Centre Direct Trust It is not necessary to involve a trust centre if by prior agreement both parties are able to read the public key of the measuring instrument directly at a device subject to legal control that is displaying the relevant data set 2 48 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code that realises key management Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for key management are appropriate Risk Class B Risk Class C Risk Class D T6 Handling of corrupted data Data that are detected as having been corrupted must not be used Specifying Notes 1 Though communication protocols normally repeat transmission until it succeeds it nevertheless is possible that a corrupted data set is received Required Documentation Required
85. er than Water we csi cotocteses lt 0 canceled aesehee Rene cela dt so es weet 87 10 6 Weighing Instruments ccc csoceecceres faenzel cieutt decd een viacieresend beaiees cemnpmagiecenneeaneniemea tes 88 10 TaKimMetet Sir e e eS patil ea cine oleracea aakte alan i age aaa 94 10 8 Material Measures 3 442 4 eh cdan asda aanWs docs mean eaehenauceanine 97 10 9 Dimensional Measuring Instruments cc eeeeecteeee cece eeeteeeeaeeeeeeeeeeeeneneeeeeaaaees 98 10 10 Exhaust Gas Analysers sigs sictcccciees cgay tecase shiges etek teekaa shite tives denen deeeed eeeiwes ekeect ence 99 Definition of Risk ClASSOS site ie eet he i A he aA ee ted n 100 11 1 General principle Rapa en ee ar rmeR emanate rere ni Para PEER eC MEE Pn tore ray an SER ere Prey on ereres 100 11 2 Description of levels for protection examination and conformity 000 100 11 3 Derivation of risk ClaSSeS is scccseiiueeibccied aed adseheneeh aaeeetinene as 101 11 4 Interpretation of risk ClASSOS eeecceceeeeeeeeeeeeeeeceeeeee eee eeeeeeaaaaeeeeeseeeeeeeeeeesaaaaes 101 Pattern for Test Report Including Checklists ccceeeeeeeeeeeeeeeeeeeeeeeeeeeeees 103 12 1 Pattern for the general part of the test report cceeeeeeeeeeeeeeeteeeeeeeeeeeteeeeetaaees 104 12 2 Annex 1 of the test report Checklists to support the selection of the appropriate reg irement SOUS areare iae a E REE E eave hoteneioneteee eerie 107 12 3 Annex 2 of the
86. es while in use transfer or storage IT configuration Design of the measuring instrument with respect to IT functions and features that are as regards the requirements independent from the measurement function There are four IT configurations considered in this guide long term storage of measurement data transmission of measurement data software download and WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 software separation see also Basic configuration The terms are accordingly applicable to sub assemblies Legally relevant parameter Parameter of a measuring instrument or a sub assembly subject to legal control The following types of legally relevant parameters can be distinguished type specific parameters and device specific parameters Legally relevant software Programs Data and type specific parameters that belong to the measuring instrument or sub assembly and define or fulfil functions which are subject to legal control Long term storage of measurement data Storage used for keeping measurement data ready after completion of the measurement for later legally relevant purposes e g the conclusion of a commercial transaction Measuring instrument Any device or system with a measurement function The adjective measuring is omitted if confusions can be excluded MID Article 4 Measuring instruments using a universal computer type U Measuring instrument that comprises a general purpose computer usually
87. evel Pompi of an Acceptable Solution Example of an Acceptable Solution Integrity may be demonstrated by performing a e Generate a hash value of the software to be checksum over the legally relevant software downloaded algorithms e g SHA 1 and comparing it against the checksum RipeMD 160 and encrypt it RSA Elliptic attached to the software see also U2 for Curves with an appropriate key length example of an acceptable solution e The key for decrypting is stored in the fixed e Acceptable algorithm CRC secret initial vector software part length 32 bit The initial vector is stored in the fixed software part Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the fixed software part responsible for checking the integrity of the downloaded software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for checking the integrity are appropriate 59 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D D4 Traceability of legally relevant software download It shall be guaranteed by appropriate technical means that downloads of legally relevant software are Specifying Notes 1 This requirement enables inspection authorities which are responsible for the metrological surveillan
88. extension for each question answered with YES 107 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 12 3 Annex 2 of the test report Specific checklists for the respective technical parts 1 Checklist of basic requirements for type P instrument Se e amp e S mms procedures Checklist for Type P Requirements Does the required manufacturer documentation fulfil the requirement P1 a f Are commands entered via the user interface prevented from inadmissibly influencing the legally relevant software and measurement data Are commands input via non sealed communication interfaces of the instrument prevented from inadmissibly influencing the relevant software and measurement data Are legally relevant software and measurement data protected against accidental or unintentional changes Are legally relevant software secured against the inadmissible modification loading or swapping of hardware memory Are parameters that fix legally relevant characteristics of the measuring instrument secured against unauthorised modification Checklist for Type U Requirements Does the required manufacturers documentation fulfil the requirement U1 a g Are commands entered via the user interface prevented from inadmissibly influencing the legally relevant software and measurement data Is it prevented that commands inputted via non sealed communication interfaces of the instrument inadmissibly influence the legally relevant so
89. fc MI 003 7 No specific software relevance MI 004 1 to Re MI 004 4 1 No specific software relevance Permissible influences Fault detection MI 004 4 2 of electromagnetic dis Back up facilities 14 1 to 14 3 turbances Wake up facilities and restoring MI 004 4 3 to i MI 004 7 No specific software relevance Annex MI 005 Annex MI 006 MI 006 IV Discontinuous and con Fault detection 16 1 to 16 2 MI 006 V __ tinuous Totalisers Back up facilities Annex MI 007 Annex MI 008 Annex MI 009 Annex MI 010 117 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 14 References and Literature 1 2 3 15 Directive 2004 22 EC of the European Parliament and of the Council of 31 March 2004 on measuring instruments Official Journal of the European Union L 135 1 30 4 2004 Software Requirements and Validation Guide Version 1 00 29 October 2004 European Growth Network M D Software contract number G7RT CT 2001 05064 2004 Software Requirements on the Basis of the Measuring Instruments Directive WEMEC 7 1 Issue 2 2005 Revision History Issue Date Significant Changes 1 May 2005 Guide first issued 2 April 2007 Addition and enhancement of terms in Section 2 Editorial changes in Sections 4 1 and 5 1 Amendment of a clarification for software identification in Section 4 2 Requirement P2 and Section 5 2 Requirement U2
90. ftware and measurement data Are legally relevant software and measurement data protected against accidental or unintentional changes Are legally relevant software secured against inadmissible modification Are legally relevant parameters secured against unauthorised modification 108 Not Applicable WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Are means employed to ensure the authenticity of the legally relevant software and are the authenticity of the results that are presented guaranteed Is the legally relevant software designed in such a way that other software does not inadmissibly influence it Explanations are needed if there are deviations from software requirements 3 Checklist for specific requirements extension L Checklist for Requirements of Extension L Requirement procedures Not Applicable Do the stored measurement data contain all relevant information necessary to reconstruct an earlier measurement CR dation changes Are the stored measurement data protected against intentional changes carried out by simple common software tools for risk classes B amp C or by special sophisticated software tools for risk classes D amp E L4 Are the stored measurement data capable of being authentically traced back to the measurement that generated them B amp C Are keys treated as legally relevant data and kept secret and Ree against compromise by simple software tools D amp E Are keys and accompanyi
91. further process the Specifying Notes 1 The metrological part of a transmitted data set comprises one or more measurement values with correct resolution the legally correct unit of measure and depending on the application the unit price or the price to pay and the place of the measurement Required Documentation Document all fields of the data set Validation Guidance Checks based on documentation e Check whether all information for further processing the measurement values at the receiving unit are contained in the data set Example of an Acceptable Solution The data set comprises the following fields e Measurement value s with correct resolution the legally correct unit of measure the unit price or the price to pay if applicable the time and date of the measurement if applicable identification of the instrument if applicable data transmission the place of the measurement if applicable Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B C and D Source code that generates the data sets for transmission Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code e Check whether data sets are built correctly 44 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D T2 Protection against accidental or uninten
92. gal control to one which is and vice versa d Storage may be fixed e g hard disk or removable e g diskettes CD RW Software Configuration e Any operating system may be used as far as the following requirements can be met In addition to the measuring instrument application other software applications may also reside on the system at the same time Parts of the software e g measuring instrument application are subject to legal control and may not be inadmissibly modified after approval Parts not subject to legal control may be modified f The operating system and low level drivers e g video drivers printer drivers disk drivers etc are not legally relevant unless they are specially programmed for a specific measuring task 23 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 5 2 Specific Software Requirements for Type U Risk Classes B to E U1 Documentation In addition to the specific documentation required in each requirement below the documentation shall basically include a A description of the legally relevant software functions meaning of the data etc b A description of the accuracy of the measuring algorithms e g price calculation and rounding algorithms A description of the user interface menus and dialogues d A legal software identification e An overview of the system hardware e g topology block diagram type of computer s type of network etc if not described in the operating manual
93. hat could occur through incorrect program design or programming errors e g plausibility checks Required Documentation The documentation should show the measures that have been taken to protect the software and data against unintentional changes Validation Guidance Checks based on documentation e Check that a checksum of the program code and the relevant parameters is generated and verified automatically e Check that overwriting of data cannot occur before the end of the data storage period that is foreseen and documented by the manufacturer e Check that a warning is issued to the user if he is about to delete measurement data files Functional checks e Check by practical spot checks that before deleting measurement data a warning is given if deleting is possible at all Example of an Acceptable Solution e The accidental modification of software and measurement data may be checked by calculating a checksum over the relevant parts comparing it with the nominal value and stopping if anything has been modified e Measurement data are not deleted without prior authorisation e g a dialogue statement or window asking for confirmation of deletion For fault detection see also Extension l Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B C and D Source code of the instrument Validation Guidance in addition to the guidance for ri
94. he installation all protective means should be restored to their original state unless the downloaded software has NB authorisation in the TEC to amend them 5 During download and the subsequent installation of downloaded software measurement by the instrument shall be inhibited or correct measurement shall be guaranteed 6 The fault handling requirements described in Extension may be implemented if faults occur during downloading The number of re installation attempts shall be limited 7 If the requirements D2 to D4 cannot be fulfilled it is still possible to download the legally non relevant software part In this case the following requirements shall be met There is a distinct separation between the legally relevant and non relevant software according to Extension S e The whole legally relevant software part is fixed i e it cannot be downloaded or changed without breaking a seal e tis stated in the TEC downloading of the legally non relevant part is acceptable 8 It shall be possible to disable the software download mechanism by means of a sealable setting switch secured parameter for member states where software download for instruments in use is not allowed In this case it must not be possible to download legally relevant software without breaking the seal Required Documentation Required Documentation in The documentation should briefly describe the automatic nature of addition to the documentation the download
95. hich comprises the interactions and data flow Specifying Notes 1 All interactions and data flows shall not inadmissibly influence the legally relevant software including the dynamic behaviour of a measuring process 2 There shall be an unambiguous assignment of each command sent via the software interface to the initiated function or data change in the legally relevant software 3 Codes and data that are not declared and documented as commands must not have any effect on the legally relevant software 4 The interface shall be completely documented and any other non documented interaction or data flow circumvention of the interface must not be realised neither by the programmer of the legally relevant software nor by the programmers of the legally non relevant software Note The programmers are responsible for observing these constraints Technical means to prevent them from circumventing the software interface are not possible The programmer of the protective interface should be instructed about this requirement Required Documentation Required Documentation in Description of the software interface especially which data addition to the documentation domains realise the interface required for risk classes B and e A complete list of all commands together with a declaration of C completeness The realisation of the software A brief description of their meaning and their effect on the interface shall be shown
96. ific requirements of embedded software for built for purpose measuring instrument type P requirements and of software for measuring instruments using a universal computer type U requirements It describes the re quirements for the storage of measurement data from when a measurement is physi cally completed to the point in time when all processes to be done by the egally rele vant software are finished It may also be applied to long term storage of the data thereafter 6 1 Technical description The set of requirements of this extension only apply if long term storage of measurement data is included It concerns only those measurement date that are legally relevant Three different technical configurations for long term storage are listed in the following table For a built for purpose device the variant of an integrated storage is typical here the storage is part of the metrologically necessary hardware and software For instruments using a universal computer another variant is typical the use of resources already existing e g hard disks The third variant is the removable storage here the storage can be removed from the device which could be either a built for purpose device or a universal computer and be taken elsewhere When data is retrieved from removable storage for legal purposes e g visualisation ticket printing etc the retrieving device shall be subject to legal control Integrated storage Simple instrument buil
97. ifying notes Provide documentation as required Acceptable solutions are examples that comply with the requirement There is no obligation to follow them The validation guidance has an informative character Notes for notified bodies Observe the main statement and the additional specifying notes Follow the validation guidance Confirm the completeness of the documentation provided 3 4 How to work with the checklists Checklists are a means of ensuring that all the requirements within a chapter have been covered by the manufacturer or examiner They are part of the pattern test WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 report Be aware the checklists are only of a summarising nature and they do not distinguish between risk classes Checklists do not replace the requirement definitions Refer to the requirement blocks for complete descriptions Procedure Gather the checklists which are necessary according to the selection described in steps 1 2 and 3 in section 3 2 Go through the checklists and prove whether all requirements have been met Fill in the checklists as required WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 4 Basic Requirements for Embedded Software in a Built for purpose Measuring Instrument Type P The set of requirements of this chapter are valid for a built for purpose instrument or for an instrument s sub assembly that is of the built for purpose type The validity f
98. in The documentation shall provide assurance that legally relevant addition to the documentation software cannot be inadmissibly modified required for risk classes B and C The protection measures taken to protect from intentional changes shall be shown Validation Guidance Validation Guidance in addition Checks based on documentation to the guidance for risk classes B and C e Examine whether the documented means of securing against unauthorised exchange of the memory that contains the software Checks based on documentation are sufficient e Check whether the measures e If the memory can be programmed in circuit without taken are appropriate with dismounting check whether the programming mode can be respect to the required state of disabled electrically and the means for disabling can be the art for a high protection secured sealed For checking download facilities see extension level D Functional checks e Test practically the programming mode and check whether disabling works Example of an Acceptable Solution The instrument is sealed and the interfaces comply with the requirements P3 and P4 Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check in the source code whether measu
99. ing 3 4 March 2005 the following risk class is considered appropriate and should be applied if software examinations based on this guide are carried out for software controlled water meters Risk class C for instruments of type P A final decision has however not yet been taken and WG 11 will reconsider this item in connection with the discussion of appropriate risk class es for type U instruments 68 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 2 Gas Meters and Volume Conversion Devices 10 2 1 Specific regulations standards and other normative documents Member states may in accordance with MID Article 2 prescribe Gas meters and volume conversion devices in residential commercial and light industrial use to be subject to regulations in MID The specific requirements of this chapter are based on Annex MI 002 only OIML recommendations and standards have not been taken into consideration 10 2 2 Technical description 10 2 2 1 Hardware Configuration Gas meters and volume conversion devices are typically realised as built for purpose devices Type P in this document They may have one or more inputs for external sensor units and meter and conversion devices may be different hardware units 10 2 2 2 Software Configuration This is specific to each manufacturer but would normally be expected to follow the recommendations given in the main body of this guide 10 2 2 3 Measuring Principle Gas meters continu
100. instruments of type P A final decision has however not yet been taken and WG 11 will reconsider this item in connection with the discussion of appropriate risk class es for type U instruments 86 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 5 Measuring Systems for the Continuous and Dynamic Measurement of Quantities of Liquids Other than Water Measuring Systems for the Continuous and Dynamic Measurement of Quantities of Liquids Other than Water are subject to regulations in MID The specific requirements are in Annex MI 005 Neither these specific requirements nor any normative documents have yet been taken into consideration 10 5 1 10 5 2 will be filled in if considered necessary in the future 10 5 3 Specific software requirements Measuring System for Liquids other than Water Risk Class B Risk Class C Risk Class D 15 1 Imprinted Software Identification The software identification is usually presented on a display As an exception for cempoenents ota measuring systems for liquids other than water an imprint of the software identification on the type plate of the compenent shall be an acceptable solution if the following conditions A B and C are fulfilled A The user interface does not have any control capability to activate the indication of the software identification on the display or the display does not allow technically showing the identification of the software or there is no display on the instrument
101. ired 77 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 13 3 MI 003 5 2 indication suitability The display of the total energy shall have a sufficient number of digits to ensure that when the meter is operated for 4000 hours at full load I Imax U U and PF 1 the indication does not return to its initial value Specifying Notes Required Documentation Documentation of the internal representation of the electrical energy register and auxiliary quantities variable types Validation Guidance Checks based on documentation Check whether storage capacity is sufficient Example of an Acceptable Solution Typical values for three phase electricity meters are Pmax 4000h 3 60 A 230 V 4000h 165600 kWh This requires an internal representation of 4 bytes Risk Class B Risk Class C Risk Class D 13 4 MID Annex I 8 5 Inhibit resetting of cumulative measurement values For utility measuring instruments the display of the total quantity supplied or the displays from which the total quantity supplied can be derived whole or partial reference to which is the basis for pay ment shall not be able to be reset during use Specifying Notes Cumulative registers of a measuring instrument may be reset prior to being put into use Required Documentation Documentation of protection means against resetting the energy registers Validation Guida
102. is class the corresponding possibility is held open Risk class B In comparison to risk class A the protection of software is required on the middle level Correspondingly the examination level is up rated to the middle level The conformity remains unchanged in comparison to risk class A Risk class C In comparison to risk class B the conformity level is raised to middle This means parts of the software may be declared as fixed at type examination The rest of the software is required to be conform on the functional level The levels of protection and examination remain unchanged in comparison to risk class B 101 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk class D The significant difference in comparison to risk class C is the upgrade of the protection level to high Since the examination level remains unaffected at middle sufficiently informative documentation must be provided to show that the protection measures taken are appropriate The conformity level remains unchanged in comparison to risk class C Risk class E In comparison to risk class D the examination level is upgraded to high The levels of protection and conformity remain unchanged Risk class F The levels with respect to all aspects protection examination and conformity are set to high Like risk class A it is not expected that any instrument is classified as a risk F instrument However by introducing this class th
103. is constructed for the measuring purpose For a more detailed definition refer to Chapter 4 1 Closed network A network of a fixed number of participants with a known identity functionality and location see also Open network Communication interface An electronic optical radio or other technical interface that enables information to be automatically passed between parts of measuring instruments sub assemblies or external devices Device specific parameter Legally relevant parameter with a value that depends on the individual instrument Device specific parameters comprise calibration parameters e g span adjustment or other adjustments or corrections and configuration parameters e g maximum value minimum value units of measurement etc They are adjustable or selectable only in a special operational mode of the instrument Device specific parameters may be classified as those that should be secured unalterable and those that may be accessed settable parameters by an authorised person e g instrument owner or product vendor Fixed software Part of the software defined as fixed at type examination i e alterable only with NB approval The fixed part is identical in every individual instrument Integrated storage non removable storage that is part of the measuring instrument e g RAM EEPROM hard disk Integrity of data and software Assurance that the data and software have not been subjected to any unauthorised chang
104. is continually measured as the product passes over the load receptor Measurements are made in discrete units of time that depend on the belt speed and the force on the load receptor There is no deliberate subdivision of the product or interruption of the conveyor belt as with a discontinuous totaliser The total mass is an integration of the discrete samples It should be noted that the load receptor could use strain gauge load cells or other technologies such as vibrating wire 10 6 2 4 Defects Joints in the belt may generate shock effects which can lead to erroneous events when zeroing In the case of discontinuous totalisers single or all weighing results of discrete loads may get lost before being summed up 10 6 3 Specific software requirements Discontinuous and Continuous Totalisers MID Annex MI 006 Chapter IV Section 8 and Chapter V Section 6 deal with electromagnetic disturbances There is a need to interpret these requirements for software controlled instruments because the detection of a disturbance fault and subsequent recovery are only possible through the co operation of specific hardware parts and specific software From the software point of view it makes no difference what the reason of a disturbance was electromagnetic electrical mechanical etc the recovery procedures are all the same 89 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 16 1 Fault Detection The s
105. is guide are differentiated according to risk classes Six risk classes numbered from A to F with increasing risk assumptions are introduced The lowest risk class A and the highest risk class F are not used for the present They are placeholders for the eventual case that they will become necessary in future The remaining risk classes B to E cover all of the instru ment classes falling under the regulation of MID Moreover they provide a sufficient window of opportunity for the case of changing risk evaluations The classes are de fined in Chapter 11 of this guide which is only of an informative character Each measuring instrument must be assigned to a risk class because the particular software requirements to be applied are governed by the risk class the instrument belongs to 3 2 How to select the appropriate parts of the guide This comprehensive software guide is applicable to a large variety of instruments The guide is modular in form The appropriate requirement sets can be easily selected by observing the following procedure Step 1 Selection of the basic configuration P or U Only one of the two requirement sets for basic configurations needs to be applied Decide which basic configuration the instrument conforms to a built for purpose instrument with imbedded software type P see Chapter 4 1 or an instrument using a universal computer type U see Chapter Napaka Vira sklicevanja ni bilo mogo e najti If not the whole i
106. isk Class D S2 Mixed indication Additional information generated by the software which is not legally relevant may only be shown ona display or printout if it cannot be confused with the information that originates from the legally relevant Specifying Notes As the programmer of the legally non relevant software may not know about the admissibility of indications it is the responsibility of the manufacturer to guarantee that all indicated information fulfil the requirement Required Documentation Required Documentation in addition Description of the software that realises the indication to the documentation required for risk Description how the indication of legally relevant information is classes B and C protected against misleading indication generated by legally The realisation of mixed indication shall non relevant software be shown by the documentation Validation Guidance Validation Guidance in addition to the Functional checks guidance for risk classes B and C e Judge through visual check that additional information Checks based on documentation generated by legally non relevant software and presented e Check whether the realised on display or printout can not be confused with the implementation of mixed indication information originating from legally relevant software is correct Example of an Acceptable Solution The information to be displayed by the legally non relevant softw
107. ission protocols e g HTTPS 46 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code that realises the integrity of transmitted data Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for guaranteeing integrity of transmitted data are appropriate Risk Class B Risk Class C Risk Class D T4 Authenticity of transmitted data assignment of measurement values to a certain measurement Specifying Notes la the network address 1b For the receiving program of transmitted relevant data it shall be possible to verify the authenticity and the In a network with unknown participants it is necessary to identify the origin of measurement data transmitted without ambiguity The authenticity relies on the identification number of the data set and In a closed network all participants are known No additional IT means are necessary but the topology of the network the number of participants shall be fixed by sealing 2 Unforeseen delays are possible during transmission For a correct assignment of a received measurement value to a certain measurement the time of measurement must be registered 3 To ensure the authenticity an encryption of measurement data is not necessarily r
108. isturbances happen accidentally and cannot be excluded The sending device must be able to handle this situation 3 The reaction of the instrument if transmission services become unavailable depends on the measuring rinciple see Part Required Documentation Description of protection measures against transmission interruption or other failures Validation Guidance Checks based on documentation e Check by what measures are implemented to protect from data loss e Check which measures are foreseen for the case of transmission failure Functional checks Spot checks shall show that no relevant data get lost due to a transmission interruption Example of an Acceptable Solution 1 For interruptible measurements that can be stopped easily and rapidly e g weighing fuel measurement etc the measurement may be completed even though the transmission is down However the measuring instrument or the device that is transmitting the legally relevant data must have a buffer that is large enough to store the current transaction After this no new transaction may be started and the buffered values are kept for later transmission For other examples see part I 2 Measurements that are not interruptible e g the measurement of energy volume etc do not need a special intermediate buffer because these measurements always are cumulative The cumulative register can be read out and transmitted at a later time when the connecti
109. ks having the same hash code Signature algorithm A cryptographic algorithm that encrypts encodes plaintext to ciphertext scrambled or secret text using a signature key and that allows decoding of the ciphertext if the corresponding decryption signature key is available Signature key Any number or sequence of characters used encode and decode information There are two different classes of signature keys symmetric key systems and asymmetric key systems Symmetric key means the sender and receiver of information use the same key The key system is called asymmetric if the keys for sender and receiver are different but compatible Usually the key of the sender is known to the sender and the key of the receiver is public in defined environment Public Key System PKS A pair of two different signature keys one called the secret key and the other the public key To verify integrity and authenticity of information the hash value of the information generated by a hash algorithm is encrypted with the secret key of the sender to create the signature which is decrypted later by the receiver using the sender s public key PKI Infrastructure Organisation to guarantee the trustworthiness of a public key system This includes granting and distributing digital certificates to all members that take part in the information exchange Certification of keys The process of binding a public key value to an individual organisation or other entity
110. lass D P4 Influence via communication interface Commands inputted via communication interfaces of the instrument shall not inadmissibly influence the ee Notes This implies that there is an unambiguous assignment of each command to an initiated function or data change 2 This implies that signals or codes that are not declared and documented as commands have no effect on the instrument s functions and data 3 Commands may be a sequence of electrical optical electromagnetic etc signals on input channels or codes in data transmission protocols 4 The restrictions of this requirement are suspended when a software download according to Extension D is carried out 5 This requirement applies only on interfaces which are not sealed Required Documentation If the instrument has an interface the documentation shall include e A complete list of all commands together with a declaration of completeness A brief description of their meaning and their effect on the functions and data of the measuring instrument Required Documentation in addition to the documentation required for risk classes B and C e The documentation shall show the measures taken to validate the completeness of the documentation of commands e The documentation shall contain a protocol that shows the tests of the commands or alternatively any other appropriate measure to prove the correctness Validation Guidance
111. lculating it is given by manufacturer e Check that overwriting of data cannot occur before the end of the data storage period that is foreseen and documented by the manufacturer Functional checks e Check that a warning is issued to the user if he is about to delete measurement data files if deleting is possible at all e Check that a warning is given if the storage is full or removed Example of an Acceptable Solution e For interruptible measurements that can be stopped easily and rapidly e g weighing fuel measurement etc the measurement may be completed even if the storage becomes unavailable The measuring instrument or the device should have a buffer that is large enough to store the current transaction After this no new transaction may be started and the buffered values are kept for later transmission to a fresh storage e Measurements that are not interruptible e g the measurement of energy volume etc do not need a special intermediate buffer because these measurements always are cumulative The cumulative register can be read out and transmitted to the storage at a later time when the storage is available again e Measurement data may be automatically overwritten by a utility that checks if the measurement data is out of date refer to national regulations for the relevant time period or that the invoice has been paid The utility shall prompt the user for permission to delete and data shall be deleted in the order oldest
112. legally relevant software generates the presented measurement results e Check whether all measures taken are appropriate and correct to guarantee the authenticity of the software e g that legally relevant tasks can only be performed by the approved legally relevant software Risk Classes B to E U9 Influence of other software The legally relevant software shall be designed in such a way that other software does not inadmissibly influence it a a oaaao Specifying Notes 1 This requirement implies software separation between the legally relevant and legally non relevant software under consideration of the state of the art of software engineering for modularisation or object oriented concepts Extension S shall be observed This is the standard case for universal computers 2 Modern operating systems allow to bulkhead one software part off others with a high performance The operating system shall be configured as restrictive as possible for the intended measuring purpose Functions not needed shall be disabled or uninstalled The configuration files and scripts of the operating system that set up this separation shall be protected against changes Required Documentation See Extension S Validation Guidance See Extension S Example of an Acceptable Solution See Extension S 33 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 6 Extension L Long term Storage of Measurement Data This is an extension to the spec
113. lly relevant data T ment of sub assemblies Basic Guides applicable to sub assemblies P U 5 to 9 No specific software relevance 114 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Software ME Guide Article Annex No Denotation Comment bac aaa Al Annex Q Documentation of design manufacture and operation Enable assessment of confor mity General description of the instrument Technical documenta Description of electronic devices with 10 i P1 U1 tion drawings flow diagrams of the logic gen eral software information Location of seals and markings Conditions for compatibility with interfaces and sub assemblies 11 to 27 No specific software relevance Annex Al 1 to Al 5 No specific software relevance 11 1 to 11 3 12 1 to 12 3 Al 6 Reliability Fault detection back up restoring restart 13 1 to I8 3 14 1 to 14 3 I6 1 to 16 2 P3 P7 No features to facilitate fraudulent use U3 U8 Al 7 Suitability minimal possibilities for unintentional mis L1 L5 L7 L8 use T1 T8 S2 D3 D4 Al 8 Protection against cor ruption Al 8 1 No influences by the connection of other P4 U4 devices Al 8 2 Securing evidence of intervention D iy U6 U7 Al 8 3 loathe of software evidence of in i te ca U8 D2 D4 P5 P7 U5 U7 Al 8 4 Protection of stored or transmitted data L1 L5 T1 T8 D1 D3 Al 8
114. low analysis simulation of input signals Page 2 3 105 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Result Following requirements of the WELMEC Software Guide 7 2 have been validated without finding faults P1 P2 P3 P5 P6 P7 Requirement P4 is considered to be non applicable L4 L2 L3 L4 L5 L6 L7 Checklists for the P requirements are found in annex 2 1 of this report Checklists for the L requirements are found in annex 2 2 of this report Two commands which were not initially described in the operator s manual were found The two commands have been included in the operator s manual dated 10 December 2003 A software fault which limited the month of February to 28 days also in leap year was found in software package V1 2b This has been corrected in V1 2c The software of the Dynaflow DF100 V1 2c fulfils the essential requirements of the Measuring Instruments Directive The result applies to the tested item only National Testing amp Measurement Lab Software Department Dr K E I N Fehler M S A N S Probl me Technical manager Technical Officer Date 23 December 2003 Page 3 3 106 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 12 2 Annex 1 of the test report Checklists to support the selection of the appropriate requirement Sets The first checklist supports the user to decide which of basic configuration P or U applies for the instrument under test Decision on Instrument Type
115. mber or time stamp printed on the delivery note with that in the stored data set Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code that generates the data sets for storing and realises the authentication Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether the data sets are correctly built and reliably authenticated 38 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D L5 Confidentiality of keys Keys and accompanying data must be treated as legally relevant data and must be kept secret and be sae Dg Notes This requirement only applies if a secret key is used 5 This requirement applies to measurement data storage which are external from the measuring instrument or realised on universal computers 3 The protection must apply against intentional changes carried out by common simple software tools 4 If the access to the secret keys is prevented e g by sealing the housing of a built for purpose device no additional software protection means are necessary Specifying Notes 1 This requirement applies to storage in universal computers and to external storage The protection must apply against intentional changes carried out by special sophisticated software tools Appropriate methods equivale
116. ment or single independent measurement repeatable or non repeatable measurement static or dynamic measurement and the fault detection and reaction two cases are possible a the presence of a defect is obvious or can simply be checked or there are hardware means for fault detection b the presence of a defect is not obvious and cannot be easily checked and there are no hardware means for fault detection In the latter case b fault detection and reaction requires appropriate software means and hence appropriate software requirements the hardware configuration at least the following issues should be addressed a ls there a modular general purpose computer based system or a dedicated instrument with an embedded system subject to legal control b Does the computer system stand alone or is it part of a closed network e g Ethernet token ring LAN or part of an open network e g Internet c Is the sensor separated separate housing and separate power supply from the Type U system or is it partly or completely integrated into it d Is the user interface always under legal control both for Type P and Type U instruments or can it be switched to an operating mode which is not under legal control e Is long term data storage foreseen If yes then is the storage local e g hard disk or remote e g file server f Is the storage medium fixed e g internal ROM or removable e g floppy disc CD RW smart media ca
117. mination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution A hardware watchdog is reset by a cyclically processed microprocessor subroutine in order to inhibit the firing of the watchdog If any function has not been processed or in the worst case the micro processor hangs in an arbitrary endless loop the reset of the watchdog doesn t happen and it fires after a certain time span which resets the microprocessor Risk Class B Risk Class C Risk Class D 13 2 Back up Facilities There shall be a facility that provides for the periodic back up of legally relevant data such as meas urement values and the current status of the process in case of a disturbance This data shall be stored in non volatile storage Specifying Notes If the back up facility is used for fault recovery the minimum interval has to be calculated to ensure the critical change value is not exceeded Required Documentation A brief description of which data is backed up and when this occurs Validation Guidance Checks based on documentation e Check whether all legally relevant data are saved to non volatile storage and can be recovered Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution Legally relevant data is backed up as requ
118. n e Check that cumulative legally relevant measurement values cannot be reset without leaving a trace Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution The registers for volume are protected against changes and resetting by the same means as parame ters see P7 71 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 12 5 MI 002 5 2 Power source lifetime A dedicated power source shall have a lifetime of at least five years After 90 of its lifetime an ap propriate warning shall be shown Specifying Notes Lifetime is used here in the sense of available energy capacity If the power source can be changed in the field parameters and legally relevant data shall not be corrupted during the changeover Required Documentation Documentation of the power source capacity maximum lifetime independent of energy consump tion measures to determine the consumed or available energy description of the means for the warning of low available energy Validation Guidance Checks based on documentation e Check whether the measures taken are appropriate for the surveillance of the energy available Example of an Acceptable Solution The operating hours or the wake up events of the device are counted stored in a non volatile memory and compar
119. n or category or other aspects if these exist 63 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 1 Water Meters 10 1 1 Specific regulations standards and other normative documents Member states may in accordance with MID Article 2 prescribe Water meters in residential commercial and light industrial use to be subject to regulations in MID The specific requirements of this chapter are based on Annex MI 001 only OIML recommendations and standards have not been taken into consideration 10 1 2 Technical description 10 1 2 1 Hardware Configuration Water meters are typically realised as built for purpose devices Type P in this document 10 1 2 2 Software Configuration This is specific to each manufacturer but would normally be expected to follow the recommendations given in the main body of this guide 10 1 2 3 Measuring Principle Water meters continually cumulate the volume consumed The cumulative volume is displayed at the instrument Various principles are employed The volume measurement may not be repeated 10 1 2 4 Fault Detection and Reaction The requirement MI 001 7 1 2 deals with electromagnetic disturbances There is a need to interpret this requirement for software controlled instruments because detection of a disturbance and recovery is only possible by co operation of specific hardware parts and specific software From the software point of view it makes no difference what the reason for a dis
120. n case of a disturbance This data shall be stored in a non volatile storage Specifying Notes The storage intervals must be sufficiently small so that the discrepancy between the current and saved cumulative values is small Required Documentation A brief description of which data is backed up and when this occurs Calculation of the maximum error that can occur for cumulative values Validation Guidance Checks based on documentation e Check whether all legally relevant data are saved to non volatile storage and can be recovered Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution Legally relevant data is backed up as required e g every 60 minutes 65 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 11 3 MID Annex I 8 5 Inhibit resetting of cumulative measurement values For utility measuring instruments the display of the total quantity supplied or the displays from which the total quantity supplied can be derived whole or partial reference to which is the basis for pay ment shall not be able to be reset during use Specifying Notes Cumulative registers of a measuring instrument may be reset prior to being put into use Required Documentation Documentation of protection means against resetting th
121. n shall show the measures e A brief description of their meaning and their taken to validate the completeness of the effect on the functions and data of the measuring documentation of commands instrument The documentation shall contain a protocol e Description how a secure configuration of the that shows the tests of the commands or operating system is achieved Assignment of roles alternatively any other appropriate measure accounts in the operating system e g to prove the correctness administrator and user Assignment of permissions granted to these roles e Documentation of remote control of the functions of the operating system e g started services and means for protection e g configuration of a firewall 27 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Validation Guidance Validation Guidance in addition to the Checks based on documentation guidance for risk classes B and C e Judge whether all documented commands are Checks based on documentation admissible i e whether they have an allowed Check whether the measures taken and test impact on the legally relevant software and protocols are appropriate for the high relevant measurement data or none at all protection level e Check whether the manufacturer has given an explicit declaration of completeness of the command documentation e Check the measures to secure the operating system Functional checks e Carry out
122. nation to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution A hardware watchdog is reset by a cyclically processed microprocessor subroutine in order to inhibit the firing of the watchdog If any function has not been processed or in the worst case the micro processor hangs in an arbitrary endless loop the reset of the watchdog doesn t happen and it fires after a certain time span Risk Class B Risk Class C Risk Class D 2 2 Back up Facilities There shall be a facility that provides for periodic back up of legally relevant data such as measure ment values and the current status of the process in case of a disturbance This data shall be stored in a non volatile storage Specifying Notes The storage intervals must be sufficiently small so that the discrepancy between the current and saved cumulative values is small Required Documentation A brief description of which data is backed up and when this occurs Calculation of the maximum error that can occur for cumulative values Validation Guidance Checks based on documentation e Check whether all legally relevant data are saved to non volatile storage and can be recovered Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution Legally releva
123. nce Checks based on documentation e Check that cumulative legally relevant measurement values cannot be reset without evidence of intervention Functional checks e None additional to those completed during type examination to confirm correct functioning Refer to P3 and P4 Example of an Acceptable Solution The registers for energy are protected against changes and resetting by the same means as parame ters see P7 78 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 13 5 Dynamic behaviour The legally non relevant software shall not adversely influence the dynamic behaviour of a measur ing process Specifying notes e This requirement applies in addition to S 1 S 2 and S 3 if software separation has been realised in accordance with extension S The additional requirement ensures that for real time applications of meters the dynamic behaviour of the legally relevant software is not inadmissibly influenced by legally non relevant software i e the resources of the legally relevant software are not inadmissibly reduced by the non legal part Required Documentation Description of the interrupt hierarchy e Timing diagram of the software tasks Limits of proportionate runtime for legally non relevant tasks Validation Guidance Checks based on documentation e Documentation of the limits of the proportionate runtime for legally non releva
124. nction has not been processed or in the worst case the microprocessor hangs in an arbitrary endless loop the reset of the watchdog doesn t happen and it fires after a certain time span 90 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 16 2 Back up Facilities There shall be a facility that provides for the back up of legally relevant data such as measurement values and the current status of the process in case of a disturbance Specifying Notes a The state characteristics and important data shall be stored in a non volatile storage b This requirement normally implies a controlled storage facility providing automatic back up in case of a disturbance Periodic backing up is acceptable only if a controlled storage facility is not available due to hardware or functional constraints In that exceptional case the storage intervals must be sufficiently small i e the maximum possible discrepancy between the current and saved values must be within a defined fraction of the maximum permissible error see Required Documentation c The back up facilities should normally include appropriate wake up facilities in order that the weighing system including its software does not get into an indefinite state by a disturbance Required Documentation A brief description of the back up mechanism and the data that are backed up and when this occurs Specification or cal
125. nd D 3 instrument specific requirements called extensions I 1 1 2 The first type of requirements is applicable to all instruments The second type of re quirements concerns the following IT functions long term storage of measurement data L transmission of measurement data T software download D and software separation S Each set of these requirements is only applicable if the corresponding function exists The last type is a collection of further instrument specific require ments The numbering follows the numbering of instrument specific annexes in the MID The set of requirement blocks that may be applied to a given measuring instru ment is schematically shown in Figure 3 1 Requirements for one of Requirements for those i ifi the basic configurations gt IT configurations that geen cae He of measuring instruments apply A a neater ape Figure 3 1 Type of requirement sets that should be applied to an instrument The schemes in the following Figure 3 2 show what sets of requirements exist WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Software requirements for basic configurations of measuring instruments Requirements for measuring instruments using universal computers Type U Requirements for built for purpose measuring instruments Type P Requirement block P1 Requirement block U1
126. ng data treated as legally relevant data and kept secret and protected against compromise by sophisticated software tools Are Appropriate methods equivalent to electronic payment used Is user able to verify the authenticity of the public key Does the software used for verifying stored measurement data L6 sets display or print the data check the data for changes and warn if a change has occurred Are there means to prevent data detected as having been corrupted to be used L7 Are the measurement data stored automatically when the measurement is concluded Does the long term storage have a capacity which is sufficient L8 for the intended purpose Explanations are needed if there are deviations from software requirements 109 WELMEC WG7 Software Guide 4 Checklist for specific requirements extension T Checklist for Requirements of Extension T Do transmitted data contain all relevant information necessary to present or further process the measurement result in the receiving module Are transmitted data protected against accidental and unintentional changes Are legally relevant transmitted data protected against intentional changes carried out by simple common software tools for risk classes B amp C or by special sophisticated software tools for risk classes D amp E Is it possible for the program that receives transmitted relevant data to verify their authenticity and to assign the measurement values to a particula
127. nstrument but only a sub assembly of the instrument is the matter of concern then decide accordingly for the sub assembly Apply the complete set of requirements that belongs to the respective basic configuration Step 2 Selection of applicable IT configurations extensions L T S and D The IT configurations comprise long term storage of legally relevant data L transmission of legally relevant data T software separation S and download of legally relevant software D The corresponding requirement sets called modular extensions are independent of each other The sets selected depend only on the IT configuration If an extension set is selected then it must be applied in full Decide which if any of the modular extensions are applicable and apply them accordingly Figure 3 2 Step 3 Selection of instrument specific requirements extension l Select using the respective instrument specific extension I x which if any instrument specific requirements are applicable and apply them accordingly Figure 3 2 Step 4 Selection of the applicable risk class extension l Select the risk class as defined in the respective instrument specific extension 1 x sub chapter I x 6 There the risk class may be defined uniformly for a class of measuring instruments or further differentiated for categories fields of application etc Once the WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 applicable risk class has been selected onl
128. nt data is backed up as required e g every 60 minutes 70 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 12 3 MI 002 5 2 indication suitability The display of the total uncorrected volume shall have a sufficient number of digits to ensure that when the meter is operated for 8000 hours at Qmax the indication does not return to its initial value Specifying Notes Required Documentation Documentation of the internal representation of the volume register Validation Guidance Checks based on documentation e Check whether storage capacity is sufficient Example of an Acceptable Solution Typical values for domestic gas meter are Qmax 6 m h The required range is 48000 m currently electronic gas meters display up to 99999m Risk Class B Risk Class C Risk Class D 12 4 MID Annex I 8 5 Inhibit resetting of cumulative measurement values For utility measuring instruments the display of the total quantity supplied or the displays from which the total quantity supplied can be derived whole or partial reference to which is the basis for pay ment shall not be able to be reset during use Specifying Notes Cumulative registers of a measuring instrument may be reset prior to being put into use Required Documentation Documentation of protection means against resetting the volume registers Validation Guidance Checks based on documentatio
129. nt tasks is available for the programmer of the legally non relevant software part Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an acceptable solution The interrupt hierarchy is designed in a way that avoids adverse influences 79 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 13 6 Imprinted Software Identification The software identification is usually presented on a display As an exception for active electrical energy meters an imprint of the software identification on the name plate of an instrument shall be an acceptable solution if the following conditions A B and C are fulfilled A The user interface does not have any control capability to activate the indication of the software identification on the display or the display does not allow technically showing the identification of the software mechanical counter B The instrument does not have any interface to communicate the software identification C After production of a meter a change of the software is not possible or only possible if also the hardware or a hardware part is changed Specifying notes The manufacturer of the hardware or the concerned hardware compenentis responsible that the software identification is correctly marked on the concerned hardware e All other Spe
130. nt to electronic payment shall be used The user must be able to verify the authenticity of the public key Required Documentation Description of the key management and means for keeping keys and associated information secret Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall shown be Validation Guidance Checks based on documentation e Check that the secret information compromised cannot be Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution The secret key and accompanying data are stored in binary format in the executable code of the legally relevant software It is then not obvious at which address these data are stored The system software doesn t offer any features to view or edit these data If the CRC algorithm is used as a signature the initial vector or generator polynomial play the role of a key Example of an Acceptable Solution The secret key is stored in a hardware part that can be physically sealed The software doesn t offer any features to view or edit these data Note A technical solution with a standard personal computer would not be sufficient to ensure high protection lev
131. nts Weighing instruments are divided into two main categories 1 Non automatic weighing instruments NAWIs and 2 Automatic weighing instruments AWIs While most AWIs are governed by the MID NAWIs are not they are still governed by the European Directive 90 384 EEC Therefore the software guide WELMEC 2 3 applies to NAWIs whereas this software guide applies to AWls The specific requirements of this chapter are based on Annex MI 006 and the normative documents mentioned in 10 6 1 as far as they support the interpretation of MID requirements 10 6 1 Specific regulations standards and other normative documents 5 categories of automatic weighing instruments AWIs are subject to regulations in MID Annex MI 006 Automatic catchweighers R51 Automatic gravimetric filling instruments R61 Discontinuous totalisers R107 Continuous totalisers belt weighers R50 Automatic rail weighbridges R106 The numbers in brackets refer to the respective OIML recommendations that are normative documents in the sense of the MID In addition WELMEC has issued the WELMEC Guide 2 6 that supports the testing of automatic catchweighers There is one category of AWls that is not governed by the MID Automatic instruments for weighing road vehicles in motion R134 AWls of all categories may be realised as type P or type U and all extensions could be relevant for each category However of these 6 categories only discontinuous
132. of software separation is correct Example of an Acceptable Solution As described by the requirement itself Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code of the legally relevant software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether data flow concerning legally relevant data is unambiguously defined in the legally relevant software and can be verified e Check e g by data flow analysis with tools or manually that all program units programs or libraries that are involved in processing the measurement values are registered to the legally relevant software Search inadmissible data flow from parts not subject to legal control to domains to be protected Note Low level separation Merging software units on the level of the programming language or merging parts of a programme i e subroutines procedures functions classes to form the le gally relevant part of the programme The rest of the programme is the legally non relevant part High level separation Merge all parts of the software to one object that is identifiable by the operating system a programme a DLL etc The rest of the software is the legally non relevant part 52 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C R
133. of Measurement Data via Communication Networks 43 7 1 Technical description ssssssssenreeeesseeeserrnretssertttrnntttstrtrttttnrrnnntnserrrnnnnnnneseennee 43 7 2 Specific software Requirements for Data TranSMiSSiONn eeeeeeeeeeeeeeeeeee 44 8 Extension S Software SCPaaliO Mac esi isee te ecedieds inde a ccieddtals lide tans tadenadesuds cecetyee teu 51 8 1 PECHMICAlASSCH DUNG ieis aia tages eaea Ea aE ae EA EAEE EEEE E 51 8 2 Specific software requirements for software S ParatiONn ccccceccceeeeeeeeeeeeeeeeeeees 52 9 Extension D Download of Legally Relevant Software cccccceeeeesseteeeeeeeees 55 9 1 Technical Descriplon tan kuxsda waGikaanescunseauieaanwe de esa 55 9 2 Specific Software Requirement cccccceeeesssseceeeeeeeeeesesaeeeeeeeseeeeeeeeenenaaaes 56 10 Extension Instrument Specific Software Requirements ccceceeeeeeeeeees 61 10 1 Water Metot Siini eree A E AE TE repr Beane N Aaa 64 10 2 Gas Meters and Volume Conversion Devices sssssssresesssssrrrrrrnresssrrrrrrrrrresee 69 10 3 Active Electrical Energy MeterS ccccceeeesssseeeceeeeeeeeeeseseaeeeeeaeeeeeeeeesenenaaaaes 76 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 11 12 13 14 15 16 10 4 Heat Meters 2208 ene Eos 2 a ie A ene aaden be Steeeday deabes ecncctepteeanes Meencice 82 10 5 Measuring Systems for the Continuous and Dynamic Measurement of Quantities of Liquids Oth
134. of the measuring instruments e Overview of the software environment which is necessary to operate the software e Overview of SW modules under legal control including SW separation if implemented e Overview and identification of hardware and software if relevant interfaces that are important for software IT functions of the measuring instruments including infrared Bluetooth Wireless LAN e Identification and description of locations of software parts in the measuring instrument i e EPROM processor hard disk that need to be sealed or secured e Instructions of how to check the identification of software for metrological supervision e Incase of electronic sealing instruction for the inspection of audit trails 111 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 13 Cross Reference for MID Software Requirements to MID Articles and Annexes Related MID Version Directive 2004 22 EC 31 March 2004 13 1 Given software requirement reference to MID Requirement MID No Denotation Article Annex No Denotation Al Annex Basic Guide P P1 Manufacturers Documenta Al 9 3 Information to be borne by and to tion accompany the instrument Al 12 Conformity Evaluation Article 10 Technical Documentation P2 Software Identification Al 7 6 Suitability Al 8 3 Protection against corruption P3 _ Influence via User Interface _ Al 7 1 Suitability P4
135. oftware shall detect that normal processing is disturbed Specifying Notes On detection of a fault a The cumulative measurement and other relevant legal data shall be automatically saved to non volatile storage see Requirement 16 2 and b the hopper weigher or belt weigher shall be stopped automatically or a visible or audible alarm signal shall be given see Required Documentation Required Documentation A brief description of what is checked what is required to trigger the fault detection process what action is taken on the detection of a fault If on detection of a fault it is not possible to stop the transportation system automatically without delay e g due to safety reasons the documentation shall include a description of how the non measured material is treated or properly taken into account Validation Guidance Checks based on documentation e Check whether the realisation of fault detection is appropriate Functional checks e If possible simulate certain hardware faults and check whether they are detected and reacted upon by the software as described in the documentation Example of an Acceptable Solution A hardware watchdog is reset by a cyclically processed microprocessor subroutine in order to inhibit the firing of the watchdog Before resetting the subroutine checks the health of the system e g whether all metrologically relevant subroutines have been processed during the last interval If any fu
136. om 10 11 There are different instrument specific software aspects that might need consideration for a certain type x of measuring instrument These aspects should be treated in a systematic manner as follows Each sub chapter 10 x should be subdivided into sections 10 x y where y covers the following aspects 10 x 1 Specific regulations standards and other normative documents Here instrument or category specific regulations standards and other normative documents e g OIML recommendations or WELMEC guidelines should be mentioned that may help to develop instrument or category specific software requirements as an interpretation of the requirements of the MID Annex and the specific annexes MI x Normally the specific software requirements apply in addition to the general ones in the previous chapters Otherwise it should be clearly stated whether a specific software requirement replaces one or more of the general software requirements or whether one or more general software requirements is are not applicable and the reason why 61 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 x 2 Technical description Here examples of most common specific technical configurations the application of parts P U and extensions to these examples and useful instrument specific checklists for both the manufacturer and the examiner may be given The description should mention the measuring principle cumulative measure
137. on is up again Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B C and D Source code that realises data transmission Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code e Check whether measures taken for reacting on interrupted transmission service are appropriate 50 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 8 Extension S Software Separation Software separation is an optional design methodology that allows the manufacturer to easily modify legally non relevant software If software separation is implemented then this extension shall be considered in addition to the basic requirements for types P and U 8 1 Technical description Software controlled measuring instruments or systems in general have complex functionality and contain modules that are legally relevant and modules that are not It is advantageous for the manufacturer and examiner though it is not prescribed to separate these software modules of the measuring system In the following table two variants of software separation are described Both variants are covered by the set of requirements Description Software separation is realised independently from the operating system within an application domain i e at the programming language level Low level software separation Note This feature is
138. on protocols 4 The restrictions of this requirement are suspended when a software download according to Extension Loia D is carried ta ace ae ee ee oaoa 5 The respective parts of the software that interpret 5 Instead of 5B C All programs and program legally relevant commands shall be considered to parts involved in the transmission and be legally relevant software reception of legally relevant commands or 6 Other software parts may use the interface data shall be supervised by the legally provided they do not disturb or falsify the reception relevant software or transmission of legally relevant commands or 6 Instead of 6B C The interface that receives data or transmits legally relevant commands or data shall be dedicated to that role and may be used only by legally relevant software Standard interfaces are not excluded however if software protection means are implemented according to extension T 7 If the operating system allows remote control or remote access the requirements U3 apply to the communication interface and the connected remote terminal respectively Additionally Part T shall be taken into consideration for the transmission between computer and terminal Required Documentation Required Documentation in addition to the The documentation shall include documentation required for risk classes B and A complete list of all commands together with a C declaration of completeness e The documentatio
139. ons and parameters are likely to occur on the various types of weighing instruments If one of them is present it has then to be treated as legally relevant The table is however not meant as an obligatory list indicating that any function or parameter mentioned has to be realised in each instrument 10 6 5 Other aspects None 10 6 6 Assignment of risk class For the present according to the decision of the responsible WELMEC Working Group 24 WG2 meeting 22 23 January 2004 risk class B shall be generally applied to all categories of AWIs regardless of the type P or U However as a result of the WG7 questionnaire 2004 the following differentiation with regard to type P and U instruments and to discontinuous and continuous totalising instruments totalisers seems appropriate and will be discussed again in WELMEC WG2 decision of 25 WG2 meeting 14 15 October 2004 Risk class B for type P instruments except totalisers Risk class C for type U instruments and totalisers type P and U 93 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 7 Taximeters Taximeters are subject to regulations in MID The specific requirements are in Annex MI 007 Neither these specific requirements nor any normative documents have yet been taken into consideration 10 7 1 Specific regulations standards and normative documents The European Standard EN50148 which could become a normative documents in the sense of the MID has n
140. ops whenever this window is closed or not completely visible The operating manual and TEC should contain a copy of the window for reference purposes 2a The sensor unit encrypts the measuring values with a key known to the approved software running on the universal computer e g its version number Only the approved software can decrypt and use the measurement values non approved programs on the universal computer cannot as they don t know the key For key treatment see Extension T 2b Before sending measurement values the sensor initiates a handshake sequence with the legally relevant software on the universal computer based on secret keys Only if the program on the universal computer communicates correctly the sensor unit sends its measurement values For key treatment see Extension T 3 The key used in 2a 2b may be 3 The key used in 2a 2b is the hash code of the program chosen and entered to the sensor on the universal computer Each time the software on the unit and software on the universal universal computer is changed the new key has to be computer without destroying a seal entered into the sensor unit and sealed Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the legally relevant software Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check that
141. or sub assemblies is included even if it is not explicitly mentioned in the text If the measuring instrument uses a universal computer general purpose PC the set of requirements in the next chapter must be referred to Type U instrument The requirements of the type U instrument must also be used if the subsequent technical description of built for purpose instruments is not matched 4 1 Technical Description A type P instrument is a measuring instrument with an embedded IT system in general it is a microprocessor or microcontroller based system It is characterised by the following features e The entire application software has been constructed for the measuring purpose This includes both functions subject to legal control and other functions e The user interface is dedicated to the measuring purpose i e it is normally in an operating mode subject to legal control Switching to an operating mode not subject to legal control is possible e f there is an operating system it has no user shell that is accessible to the user to load or change programs send commands to the OS change the environment of the application etc The P type instrument may have additional properties and features that are covered by the following requirement extensions e The software is designed and treated as a whole unless software separation according to Extension S has been observed e The software is invariable and there are no means for progr
142. or ticket it must be possible to identify the measurement data stored to the disputed measurement without ambiguity refer also L1 L3 L4 and 2 The identification number see L1 must be printed out on the delivery note ticket for the customer along with an explanation and a reference to the storage subject to legal control 3 Verification means checking the integrity authenticity and correct assignment of the measurement data 4 The verification software used for displaying or printing the data stored shall be subject to legal control 5 _For instrument specific requirements refer to Extension Required Documentation Description of the functions of the retrieval program Description of detection of corruption e Operating manual for this program Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Checks based on documentation e Check that retrieval software calculated and the nominal values e Check that retrieval software is part of the legally relevant software Functional checks e Check whether the program detects corrupted data sets e Perform spot checks verifying that retrieval provides all necessary information really compares the Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken ar
143. ored data Al 7 1 Suitability Al 8 4 Protection against corruption Al 10 2 Indication of result L2 Protection against accidental Al 7 1 Al 7 2 Suitability or unintentional changes Al 8 4 Protection against corruption L3 Integrity of data Al 7 1 Suitability Al 8 4 Protection against corruption 2 against corruption Paragraph 8 Note As regards contents paragraph 7 1 of MID Annex is not an 112 issue of Suitability but of Protection WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Requirement MID No Denotation Article Annex No Denotation Al Annex L4 Authenticity of stored data Al 7 1 Suitability Al 8 4 Protection against corruption Al 10 2 Indication of result L5 Confidentiality of keys Al 7 1 Suitability Al 8 4 Protection against corruption L6 Retrieval of stored data Al 7 2 Suitability Al 10 1 Al 10 2 Al 10 3 Indication of result Al 10 4 L7 Automatic storing Al 7 1 Suitability Al 8 4 Protection against corruption L8 Storage capacity and conti Al 7 1 Suitability nuit Lx All of Extension L Al 11 1 Further processing of data to conclude the trading transaction Extension T T1 Completeness of transmitted Al 7 1 Suitability data Al 8 4 Protection against corruption T2 Protection against accidental Al 7 1 Al 7 2 Suitability changes Al 8 4 Protection against corruption T3 Integrity of data Al 7
144. orrupted data are appropriate Risk Class B Risk Class C Risk Class D T7 Transmission delay The measurement must not be inadmissibly influenced by a transmission delay Specifying Notes The manufacturer shall investigate the timing of the data transmission and shall guarantee that under worst case conditions the measurement is not inadmissibly influenced Required Documentation Description of the concept how measurement is protected against transmission delay Validation Guidance Check the concept that the measurement is not influenced by transmission delay Example of an Acceptable Solution Implementation of transmission protocols for field buses 49 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B C and D Source code that realises the data transmission Validation Guidance in addition to the guidance for risk classes B C and D Checks based on the source code e Check whether measures taken for handling transmission delay are appropriate Risk Class B Risk Class C Risk Class D T8 Availability of transmission services lf network services become unavailable no measurement data must get lost Specifying Notes 1 The user of the measuring system must not be able to corrupt measurement data by suppressing transmission 2 Transmission d
145. ot been yet considered There is a publication of a guid ance document about taximeters as a result of the MID Procedures project In future this document will be the basis of a WELMEC Guide Also there is a very first draft of an OIML Recommendation on taximeters The OIML document is however not in a stage where it could be used as a normative document situation of October 2004 10 7 2 Technical description A taximeter as defined in MID measures the time the distance using the output of a distance signal generator not covered by MID and calculates the fare for a trip based on the applicable tariffs Current taximeters use an embedded architecture which means taximeters are built for purpose instruments type P in the sense of this guide In future it is expected that taximeters will also be manufactured using universal computers type U 10 7 3 Specific software requirements MID Annex MI 007 9 In case of a reduction of the voltage supply to a value below the lower op erating limit as specified by the manufacturer the taximeter shall continue to work correctly or resume its correct functioning without loss of data available before the voltage drop if the voltage drop is temporary i e due to restarting the engine abort an existing measurement and return to the position For Hire if the voltage drop is for a longer period The taximeter also needs to have a long term storage the data has to be available in the ta
146. other simply available and manageable tools 2 Presented results can be accepted as authentic if the presentation is issued from within the legally relevant software Specifying Notes Restriction to 1BC 2BC Means are required to protect against intentional misuse including simulation based on additional hardware 3 Presented measurement values shall be comprehensibly and accompanied by any information necessary to avoid confusion with other legally non relevant information 4 Under consideration of the capabilities of the operating system it shall be ensured by technical means that on the universal computer only the software approved for the legally relevant purpose can perform the legally relevant functions e g a sensor shall only work together with the approved program 5 It shall be ensured by technical means that legally relevant software authenticity on a regular basis time intervals during its execution check its integrity and Required Documentation The documentation should describe how authenticity of the software is guaranteed Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Checks based on documentation The examination needs to determine that presentations are generated by legally relevant software and how spoofing by legally non relevant programs ma
147. parameters secured settable at the display of the instrument if a suitable menu item is provided The TEC should list those parameters that are settable and how they may be located Example of an Acceptable Solution e Device specific parameters are stored on a plugged in storage which is sealed against removing or directly on the sensor unit Writing of parameters is inhibited by sealing a write enable switch in the disabled state Audit trails are possible in combination with securing hardware see P7 31 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 e Settable parameters are stored on a standard storage of the universal computer Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check whether measures taken for protecting parameters are appropriate Risk Class B Risk Class C Risk Class D U8 Software authenticity and presentation of results Means shall be employed to ensure the authenticity of the legally relevant software The authenticity of the results that are presented shall be guaranteed ee Notes It shall not be possible to fraudulently simulate Spoof approved legally relevant software using the capabilities of the operating system or
148. pply Required Documentation e According to P2 U2 Validation Guidance Checks based on documentation e According to P2 U2 Functional checks e According to P2 U2 Example of an acceptable solution Imprint of the software identification on the name plate of the instrument 10 1 4 Examples of legally relevant parameters Water meters have parameters like constants for calculations for configuration etc but also for setting up the functionality of the device Concerning identification and protection of parameters and parameter sets refer to requirements P2 and P7 guide P In the following some typical parameters of water meters are given This table will be updated when WELMEC Working Group 11 has decided on the final contents Parameter Protected Settable Comment Calibration factor x Linearisation factor x 10 1 5 Other aspects For domestic applications it is expected that download of software Extension D Chapter 9 will not be very important The cumulating energy or volume register of domestic instruments is not a long term storage in the sense of Extension L Chapter 6 For an instrument that only measures cumulated energy volume the application of the extension L is not necessary 67 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 1 6 Assignment of risk class For the present according to the decisions of the responsible WELMEC Working Group 11 2 meet
149. r measurement B amp C Are keys treated as legally relevant data and kept secret and protected against compromise by simple software tools D amp E Are keys and accompanying data treated as legally relevant data and kept secret and protected against compromise by sophisticated software tools Are Appropriate methods equivalent to electronic payment used Is user able to verify the authenticity of the public key prevented from being used by a transmission delay Is it ensured that no measurement data get lost if network services become unavailable Explanations are needed if there are deviations from software requirements T6 T o g E a o oa ol 5 Checklist for specific requirements extension S Checklist for Requirements of Extension T Does the software that is subject to legal control contain all legally relevant software and parameters Requirement procedures cannot be confused with the information that originates from the legally relevant part Is the data exchange between the legally relevant and legally non relevant software performed via a protective software interface that comprises controls the interactions and data flow Explanations are needed if there are deviations from software requirements Is it ensured that additional information generated by the legally non relevant software part shown on a display or printout 110 WELMEC 7 2 Issue 5 Not Applicable WELMEC WG7 Software
150. r the present according to the decisions of the responsible WELMEC Working Group 11 2 meeting 3 4 March 2005 the following risk class is considered appropriate and should be applied if software examinations based on this guide are carried out for software controlled active electrical energy meters Risk class C for instruments of type P A final decision has however not yet been taken and WG 11 will reconsider this item in connection with the discussion of appropriate risk class es for type U instruments WG11 considers prepayment and interval metering functionality to be additional to those essential measurement functions specified by MID Annex MI 003 therefore no greater risk category is allocated to these variants than to the basic meter types already covered by this software guide However the basic measurement function should be assessed as with all other type P instruments along with any other assessment deemed necessary to demonstrate that the associated software providing these functions has no inadmissible influence on the basic measurement 81 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 4 Heat Meters 10 4 1 Specific regulations standards and other normative documents Member states may in accordance with MID Article 2 prescribe Heat meters in residential commercial and light industrial use to be subject to regulations in MID The specific requirements of this chapter are based on Annex MI 004 only
151. rated and checked automatically Checks based on documentation e Check that overwriting of data cannot occur before the end of e Check whether the measures the data storage period that is foreseen and documented by the taken are appropriate for the manufacturer high protection level e Check that a warning is issued to the user if he is about to delete measurement data files Functional checks e Check by practical spot checks that before deleting measurement data a warning is given if deleting is possible at all Example of an Acceptable Solution e Prevention from incorrect program design this is beyond the scope of these risk classes e Misuse of the operating system overwriting or deletion of stored data and programs the manufacturer should make full use of the protection or privacy rights provided by the operating system or programming language The accidental modification of programs amp data files may be checked by calculating a checksum over the relevant code comparing it with the nominal value and stopping if the code has been modified or suitably reacting if parameters or data are concerned Where the operating system allows it it is recommended that all user rights for the deletion moving or amendment of legally relevant software should be removed and access should be controlled via utility programs Access control to programs and data through the use of passwords is recommended as is the use of read only me
152. rd memory stick the software configuration and environment at least the following issues should be addressed a Which operating system is used or can be used b Do other software applications reside on the system besides the legally relevant software c Is there software not subject to legal control that is intended to be freely modified after approval 10 x 3 Specific software requirements Here the specific software requirements should be listed and commented using a similar form as in the previous chapters 62 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 x 4 Examples of legally relevant functions and data Here examples of device specific parameters e g individual configuration and calibration parameters of a specific measuring instrument type specific parameters e g specific parameters that are fixed at type examination or legally relevant specific functions may be given 10 x 5 Other aspects Here other aspects e g specific documentation required for type software examination specific descriptions and instructions to be supplied in type examination certificates or other aspects e g requirements concerning the testability may be mentioned 10 x 6 Assignment of risk class Here the appropriate risk class for instruments of type x should be defined This can be done either generally for all categories within the respective type or depending on the field of applicatio
153. realisable in both built for purpose devices and universal computers The software modules to be separated are realised as independent objects in terms of the operating system High level software separation Note This type of separation is normally possible only with universal computers Example solutions are independently executable programs dynamically linked libraries etc Table 8 1 Technical description of software separation The protection against inadmissible changes of measurement values and parameters is only addressed indirectly as the programmer of software parts that are not subject to legal control must not give the user of the measuring system the opportunity of corruption But this has in any case to be considered by the programmer with or without separation and the appropriate requirements are given in the basic parts P and U Chapter 4 and 5 of the guide 51 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 8 2 Specific software requirements for software separation Risk Class B Risk Class C Risk Class D S1 Realisation of software separation There shall be a part of the software that contains all legally relevant software and parameters that is clearly separated from other parts of software Specifying Notes 1 Inthe case of low level separation all program units subroutines procedures functions classes etc and in case of high level separation all programs and libraries that contribu
154. res taken for the detection of intentional changes are appropriate 21 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D P7 Parameter protection Parameters that fix legally relevant characteristics of the measuring instrument shall be secured against unauthorised modification Specifying Notes 1 Type specific parameters are identical for each specimen of the type and are in general part of the program code Therefore requirement P6 applies to them 2 Device specific secured parameters may be changed using an on board keypad or switches or via interfaces but only before they have been secured 3 __Settable device specific parameters may be changed after securing Required Documentation Required Documentation in The documentation should describe all of the legally relevant ddition to the documentation parameters their ranges and nominal values where they are equired for risk classes B and C stored how they may be viewed how they are secured and when The protection measures taken for i e before or after verification parameters shall be shown Validation Guidance Validation Guidance in addition to Checks based on documentation the guidance for risk classes B and e Check that changing or adjusting secured device specific C 31 parameters is impossible after securing Checks based on documentation e Check whether all relevant parameters according to the list
155. rks or other means to a distant device where they are further processed and or used for legally regulated purposes TEC Type examination certificate Type specific parameter Legally relevant parameter with a value that depends on the type of instrument only Type specific parameters are part of the legally relevant software They are fixed at type examination of the instrument User interface An interface forming the part of the instrument or measuring system that enables information to be passed between a human user and the measuring instrument or its hardware or software parts as e g switch keyboard mouse display monitor printer touch screen WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Validation Confirmation by examination and provision of objective evidence i e information that can be proved true based on facts obtained from observations measurement test etc that the particular requirements for the intended use are fulfilled In the present case the related requirements are those of the MID The following definitions are rather specific They are only used in some extensions and for risk classes D or higher Hash algorithm Algorithm that compresses the contents of a data block to a number of defined length hash code so that the change of any bit of the data block leads in practice to another hash code Hash algorithms are selected such that there is theoretically a very low probability of two different data bloc
156. rument shall be an acceptable solution if the following conditions A B and C are tulfilled A The user interface does not have any control capability to activate the indication of the software identification on the display or the display does not allow technically showing the identification of the software mechanical counter B The instrument does not have any interface to communicate the software identification C After production of a meter a change of the software is not possible or only possible if also the hardware or a hardware part is changed Specifying notes The manufacturer of the hardware or the concerned hardware compenentis responsible that the software identification is correctly marked on the concerned hardware e All other Specifying Notes of P2 U2 apply Required Documentation e According to P2 U2 Validation Guidance Checks based on documentation e According to P2 U2 Functional checks e According to P2 U2 Example of an acceptable solution Imprint of the software identification on the name plate of the instrument 10 2 4 Examples of legally relevant parameters Gas meters and volume converters often have a lot of parameters They are used as constants for calculations as configuration parameters etc but also for setting up the functionality of the device Concerning identification and protection of parameters and parameter sets refer to requirements P2 and P7 guide P In th
157. s Check whether the measures given in Extension if any have been classified as secured taken are appropriate with Functionakcheeke respect to the required state of the art for a high protection e Test the adjusting configuration mode and check whether lavel disabling after securing works e Examine the classification and state of parameters secured settable at the display of the instrument if a suitable menu item is provided Example of an Acceptable Solution a Parameters are secured by sealing the instrument or memory housing and disabling the write enable disable input of the memory circuit by an associated jumper or switch which is sealed Audit trails b An event counter registers each change of a parameter value The current count can be displayed and can be compared with the initial value of the counter that was registered at the last official verification and is indelibly labelled on the instrument c Changes of parameters are registered in an event logger It is an information record stored in a non volatile memory Each entry is generated automatically by the legally relevant software and contains e the identification of the parameter e g the name e the parameter value the current or the value before the time stamp of the change The event logger cannot be deleted or be changed without destroying a seal Risk Class E Required Documentation in addition to the document
158. s B and C e Check that there is a correct linking between each Checks based on documentation measurement value and the corresponding measurement Check whether the measures taken e If a checksum or signature is used check that the are appropriate with respect to the checksum or signature is generated over the entire data required state of the art for a high set protection level e Check that secret data e g key initial value if used are kept secret against spying out with simple tools Functional checks e Check whether corresponding stored data and data printed on the ticket or invoice are identical Example of an Acceptable Solution A stored data set contains the following data fields additional to the fields defined in L3 e A unique current identification number The identification number is also copied to the delivery note e Time when the measurement has been performed time stamp The time stamp is also copied to the delivery note An identification of the measuring instrument that has generated the value e A signature that is used for ensuring the integrity of data can simultaneously be used for ensuring the authenticity The signature covers all of the fields of the data set Refer to requirement L2 L3 e The ticket may state that the measurement values can be compared with the reference data on a means of storage subject to legal control Assignment is demonstrated by comparing the identification nu
159. s is available for the programmer of the legally non relevant software part Functional checks None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an acceptable solution The interrupt hierarchy is designed in a way that avoids adverse influences 66 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 11 5 Imprinted Software Identification The software identification is usually presented on a display As an exception for water meters an imprint of the software identification on the name plate of an instrument shall be an acceptable solution if the following conditions A B and C are fulfilled A The user interface does not have any control capability to activate the indication of the software identification on the display or the display does not allow technically showing the identification of the software mechanical counter B The instrument does not have any interface to communicate the software identification C After production of a meter a change of the software is not possible or only possible if also the hardware or a hardware part is changed Specifying notes The manufacturer of the hardware or the concerned hardware compenent is responsible that the software identification is correctly marked on the concerned hardware e All other Specifying Notes of P2 U2 a
160. s only required if the software changes lead to changes of the approved Sone functions or characteristics aaa 3 Ifthe legally relevant functions and the account of the measuring task are protected by a specific configuration of the operating system the relevant configuration files shall have an additional identification 4 The software identification has to be easily shown for verification and inspection purposes easily means by standard user interface without additional tools 5 The software identification shall have a structure that clearly identifies versions that require type examination and those that do not 6 Identifications may be applied to different levels e g to complete programs modules functions etc 7 If functions of the software can be switched by parameters each function or variant may be identified separately or the complete package may be identified as a whole Required Documentation Required Documentation in The documentation shall list the software identifications and describe addition to the documentation how the software identification is created how it is inextricably linked required for risk classes B and C to the software itself how it may be accessed for viewing and how it The documentation shall show the is structured in order to differentiate between version changes with measures taken to protect the and without requiring a type examination software identification from falsification
161. sibly influence the legally relevant software and measurement data Specifying Notes 1 Commands may be one single or a sequence of switch or key actuations carried out manually 2 This implies that there is an unambiguous assignment of each command to an initiated function or data change 3 This implies that switch or key actuations that are not declared and documented as commands have no effect on the instrument s functions and measurement data Required Documentation If the instrument has the ability to receive commands the documentation shall include A complete list of all commands e g menu items together with a declaration of completeness A brief description of their meaning and their effect on the functions and data of the measuring instrument Required Documentation in addition to the documentation required for risk classes B and C e The documentation shall show the measures taken to validate the completeness of the documentation of commands e The documentation shall contain a protocol that shows the tests of all commands Validation Guidance Validation Guidance in Checks based on documentation e Judge whether all documented commands are admissible i e whether they have an allowed impact on the measuring functions and relevant data or none at all e Check whether the manufacturer has supplied an explicit declaration of completeness of the command documentation Fun
162. sk classes B C and D Checks based on the source code e Check whether measures taken for detection of changes faults are appropriate e Ifa checksum is realised check whether all parts of the legally relevant software are covered by it 20 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D P6 Protection against intentional changes Legally relevant software shall be secured against the inadmissible modification loading or swapping of hardware memory Specifying Notes 1 Instrument without interface Manipulation of program code could be possible by manipulating the physical memory i e the memory is physically removed and substituted by one containing fraudulent software or data To prevent this happening either the housing of the instrument should be secured or the physical memory itself is secured against unauthorised removal 2 Instrument with interface The interface shall include only functions which are subject to examination All functions in the interface shall be subject to examination see P4 Where the interface is to be used for software download extension D must be complied with 3 Data are considered to be sufficiently protected if only legally relevant software processes them If legally non relevant Software is intended to be changed after approval requirements of extension S have to be followed Required Documentation Required Documentation
163. sue 5 Additions for Risk Class E Required Documentation in addition to the documentation required for risk classes B and C Source code of the instrument Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether data flow concerning commands is unambiguously defined in the legally relevant software and can be verified Search inadmissible data flow from the interface to domains to be protected e Check with tools or manually that commands are decoded correctly and no undocumented commands exist Risk Class B Risk Class C Risk Class D P5 Protection against accidental or unintentional changes Legally relevant software and measurement data shall be protected against accidental or unintentional changes Specifying Notes Possible reasons for accidental changes and faults are unpredictable physical influences effects caused by user functions and residual defects of the software even though state of the art of development techniques have been applied This requirement includes a Physical influences Stored measurement data shall be protected against corruption or deletion when a fault occurs or alternatively the fault shall be detectable b User functions Confirmation shall be demanded before deleting or changing data c Software defects Appropriate measures shall be taken to protect data from unintentional changes t
164. sws WELMEC European cooperation in legal metrology Software Guide Measuring Instruments Directive 2004 22 EC Changes in comparison to issue 4 are marked in blue colour March 2012 WELMEC WG7 Software Guide WELMEC European cooperation in legal metrology WELMEC is a co operation between the legal metrology authorities of the Member States of the European Union EFTA This document is one of a number of Guides published by WELMEC to provide guidance to manufacturers of measuring instruments and to Notified Bodies responsible for conformity assessment of their products The Guides are purely advisory and do not themselves impose any restrictions or additional technical requirements beyond those contained in relevant EC Directives Alternative approaches may be acceptable but the guidance provided in this document represents the considered view of WELMEC as to the best practice to be followed Published by WELMEC Secretariat Thijsseweg 11 NL 2629 JA Delft The Netherlands e mail secretary welmec org tel 31 15 269 17 09 fax 31 15 285 05 07 Website www welmec org WELMEC 7 2 Issue 5 and WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Software Guide Measuring Instruments Directive 2004 22 EC Contents Foreword ORC eRe CRE RP CRE TMP CRE RP UCEE RECEDED EERERE SP EPICED PEEUPER OP EPICED PEEIEER OPTED PEPIEER PERT RE TE Ory 5 1 WAR O CUT TOM ites gea E EE E EE E E E E EO ERS 6 2 RG RM
165. t for purpose no externally usable tools or means available for editing or changing data integrated storage for measurement data or parameters e g RAM flash memory hard disk Storage for universal computer Universal computer graphical user interface multitasking operating system tasks subject to legal control and not subject to legal control exist in parallel storage can be removed from the device or contents can be copied anywhere inside or outside the computer Removable or remote external storage Arbitrary basic instrument built for purpose instrument or instrument using universal computer storage can be taken from the instrument These can be for example floppy disks flash cards or remote databases connected via network Table 6 1 Technical description of long term storages 34 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 6 2 Specific software requirements for Long term Storage The requirements given in this section are to apply in addition to one set of requirements either for the basic built for purpose instruments or for instruments using universal computer Risk Class B Risk Class C Risk Class D L1 Completeness of measurement data stored The measurement data stored must contain all relevant information necessary to reconstruct an earlier measurement Specifying Notes 1 The stored measurement data may be needed for reference at a later date e g for checking invoices All d
166. t legally relevant software from modifications by using the operating system or other simply available and manageable tools see also U3 4 The parts and features of the operating system that implement the protection of the measuring system shall be considered as legally relevant software and be protected as such Legally relevant software and measurement data shall be secured against inadmissible modification Specifying Notes 1 The level of protection should be equivalent to that of electronic payments In general a universal computer is only suitable for this risk class with additional hardware for securing Required Documentation The documentation should provide assurance that software and stored measurement data cannot be inadmissibly modified Required Documentation in addition to the documentation required for risk classes B and C The protection measures taken shall be shown Validation Guidance Case 1 Closed shell of the software subject to legal control Checks based on documentation e Software modules boot automatically User has no access to the operating system of the PC e User has no access to other software than the approved one e A written declaration is given that there are no hidden functions to circumvent the closed shell Case 2 User accessible operating system and or software Checks based on documentation e Checksum over machine code of the software modules is generated
167. te to the calculation of measurement values or have an impact on it that contribute to auxiliary functions such as displaying data data security data storage software identification performing software download data transmission or storing verifying received or stored data etc belong to the legally relevant software 3 2 All variables temporary files and parameters that have an impact on measurement value or on legally relevant functions or data belong to the legally relevant software 3 The protective software interface itself see S3 is part of the legally relevant software 4 Legally non relevant software comprises the remaining program units data or parameters not covered above Modifications to this part are allowed without informing the NB provided the subsequent requirements of software separation are observed Required Documentation Required Documentation in Description of the protective interface described in the addition to the documentation specifying notes above required for risk classes B and C The correct implementation of software separation shall be shown by the documentation Validation Guidance Validation Guidance in addition to the guidance for risk classes B and Checks based on documentation e Check that all legally relevant parts mentioned in specifying C notes 1 through 3 are included in legally relevant software Checks based on documentation e Check whether the realisation
168. teed if the data set carries an unambiguous signature The signature covers all of these fields of the data set Source code of sending and receiving device Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Checks based on the source code 47 Validation Guidance in addition to the guidance for risk classes B and C Check whether measures taken for guaranteeing the authenticity of transmitted data are appropriate WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D T5 Confidentiality of keys Keys and accompanying data must be treated as legally relevant data and must be kept secret and be ae Notes This requirement only applies if a secret key exists in the system Normally not in Closed networks 2 The protection must apply against intentional changes carried out by common simple software tools 3 If the access to the secret keys is prevented e g by sealing the housing of a built for purpose device no additional software protection means are necessary ere Notes This requirement only applies if a secret key exists in the system Normally not in Closed networks The protection must apply against intentional changes carried out by special sophisticated software tools The received measurement values are read from the data set and their signature is checked with the
169. tes 1 Accidental changes of data can be caused by physical effects 2 Unintentional changes are caused by the user of the device Data housekeeping duties may require data belonging to paid up or time expired invoices to be deleted from time to time Automatic or semi automatic means should be used to ensure that only specified data is deleted and that the accidental deletion of live data is avoided This is particularly important on networked systems and remote or removable storage where users might not realise the significance of the data 3 A checksum shall be calculated by the receiver and compared with the attached nominal value If the values match the data set is valid and may be used otherwise it must be deleted or marked invalid Required Documentation Required Documentation in Description of protection measures e g the checksum algorithm addition to the documentation including the length of the generator polynomial required for risk classes B and C The documentation shall show the measures taken to validate the effectiveness of the protection means Validation Guidance Validation Guidance in addition Checks based on documentation to the guidance for risk classes B and C e Check that a checksum over data is generated e Check that legally relevant software which reads the data and Checks based on documentation calculate a checksum really compares the calculated and the Check
170. tes e This requirement applies in addition to S 1 S 2 and S 3 if software separation has been realised in accordance with extension S The additional requirement ensures that for real time applications of meters the dynamic behaviour of the legally relevant software is not inadmissibly influenced by legally non relevant software i e the resources of the legally relevant software are not inadmissibly reduced by the non legal part Required Documentation e Description of the interrupt hierarchy e Timing diagram of the software tasks Limits of proportionate runtime for legally non relevant tasks Validation Guidance Checks based on documentation e Documentation of the limits of the proportionate runtime for legally non relevant tasks is available for the programmer of the legally non relevant software part Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an acceptable solution The interrupt hierarchy is designed in a way that avoids adverse influences 73 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 12 9 Imprinted Software Identification The software identification is usually presented on a display As an exception for gas meters and volume converters an imprint of the software identification on the name plate of an inst
171. the data set Check that secret data e g key initial value if used are kept secret against spying out with simple tools Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level Example of an Acceptable Solution A checksum is generated of the data set to be transmitted Just before the data is reused the value of the checksum is recalculated and compared with the nominal value that is contained in the received data set If the values match the data set is valid and may be used otherwise it must be deleted or marked invalid An acceptable solution is the CRC 16 algorithm Note The algorithm is not secret but in contrast to requirement T2 the initial vector of the CRC register or the generator polynomial i e the divisor in the algorithm are secret The initial vector and generator polynomial are known only to the programs generating and verifying the checksums They must be treated as keys see T5 Example of an Acceptable Solution Instead of the CRC a signature is calculated A suitable signature algorithm would be e g one of the hash algorithms SHA 1 or RipeMD 160 in combination with an encryption algorithm like RSA or Elliptic Curves The minimum key length is 768 bits RSA or 128 160 bits EC Protection is provided by some transm
172. tional changes Transmitted data shall be protected against accidental and unintentional changes Specifying Notes 1 Accidental changes of data can be caused by physical effects 2 Unintentional changes are caused by the user of the device 3 Means shall be provided to detect transmission errors Required Documentation Required Documentation in Description of the checksum algorithm if used including the length addition to the documentation of the generator polynomial required for risk classes B and C Description of an alternative method if used The documentation shall show the measures taken to validate the effectiveness of the protection means Validation Guidance Validation Guidance in addition to Checks based on documentation the guidance for risk classes B and C e Check that a checksum over data is generated f e Check that legally relevant software that receives the data re Checks based on documentation calculates the checksum and compares it with the nominal value e Check whether the measures contained in the data set taken are appropriate for the high protection level Example of an Acceptable Solution 1 To detect data changes a checksum with the CRC 16 algorithm is calculated over all bytes of a data set and inserted into the data set to be transmitted Just before the data is reused the value of the checksum is recalculated by the receiver and compared with the attached nominal value
173. totalisers and continuous totalisers belt weighers have been identified as requiring instrument specific software requirements see 10 6 3 The reason is that the measurement is cumulative over a relatively long period of time and cannot be repeated if a significant fault occurs 10 6 2 Technical description 10 6 2 1 Hardware Configuration A discontinuous totaliser is a totalising hopper weigher that determines the mass of a bulk product e g grain by dividing it into discrete loads The system usually comprises of one or more hoppers supported on load cells power supply electronic controls and indicating device A continuous totaliser is a belt weigher that measures the mass of a product as the belt passes over a load cell The system usually comprises of a conveyor belt rollers 88 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 load receptor supported on load cells power supply electronic controls and indicating device There will be a means for adjusting the tension of the belt 10 6 2 2 Software Configuration This is specific to each manufacturer but would normally expect to follow the recommendations given in the main body of this guide 10 6 2 3 Measuring Principle In the case of a discontinuous totaliser the bulk product is fed into a hopper and weighed The mass of each discrete load is determined in sequence and summed Each discrete load is then delivered to bulk In the case of a continuous totaliser the mass
174. troduced for each of these categories 11 2 Description of levels for protection examination and conformity The following definitions are used for the corresponding levels Software protection levels Low No particular protection measures against intentional changes are required Middle The software is protected against intentional changes made by using easily available and simple common software tools e g text editors High The software is protected against intentional changes made by using sophisticated software tools debuggers and hard disc editors software development tools etc Software examination levels Low Standard type examination functional testing of the instrument is performed No extra software testing is required Middle In addition to the low level the software is examined on the basis of its documentation The documentation includes the description of the software functions parameter description etc Practical tests of the software supported functions spot checks may be carried out to check the plausibility of documentation and the effectiveness of protection measures High In addition to the middle level an in depth test of the software is carried out usually based on the source code Software conformity levels Low The functionality of the software implemented for each individual instrument is in conformity with the documentation approved 100 WELMEC WG7 Software Guide WELMEC 7 2 Iss
175. turbance was electromagnetic electrical mechanical etc the recovery procedures are all the same 64 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 1 3 Specific software requirements Water meters Risk Class B Risk Class C Risk Class D 11 1 Fault Recovery The software shall recover from a disturbance to normal processing Specifying Notes Date stamped flags should be raised to help log periods of faulty operation Required Documentation A brief description of the fault recovery mechanism and when it is invoked Validation Guidance Checks based on documentation e Check whether the realisation of fault recovery is appropriate Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution A hardware watchdog is reset by a cyclically processed microprocessor subroutine in order to inhibit the firing of the watchdog If any function has not been processed or in the worst case the micro processor hangs in an arbitrary endless loop the reset of the watchdog doesn t happen and it fires after a certain time span Risk Class B Risk Class C Risk Class D 11 2 Back up Facilities There shall be a facility that provides for periodic back up of legally relevant data such as measure ment values and the current status of the process i
176. ue 5 Middle In addition to the conformity level low depending on the technical features parts of the software shall be defined as fixed at type examination i e alterable only with NB approval The fixed part shall be identical in every individual instrument High The software implemented in the individual instruments is completely identical to the approved one 11 3 Derivation of risk classes Out of the 27 theoretically possible level permutations only 4 or at the utmost 5 are of practical interest risk classes B C D and E eventually F They cover all of the instrument classes falling under the regulation of MID Moreover they provide a sufficient window of opportunity for the case of changing risk evaluations The classes are defined in the table below Degree of Risk Class protection Examination Software A low low low B middle middle low C midde midde midde D high middle middle cE J high Thigh midde F high high high Table 11 1 Definition of risk classes 11 4 Interpretation of risk classes Risk class A It is the lowest risk class at all No particular measures are required against intentional changes of software Examination of software is part of the functional testing of the device Conformity is required on the level of documentation It is not expected that any instrument is Classified as a risk class A instrument However by introducing th
177. ut the inadmissible commands For using the measuring system only an account with restricted permissions is set up Access to the Additions for Risk Class E Required Documeniation in addition to the documentation required for risk classes B and C Source code of the legally relevant software 26 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Validation Guidance in addition to the guidance for risk classes B and C Checks based on the source code e Check the software design whether data flow concerning commands is unambiguously defined in the legally relevant software and can be verified Search inadmissible data flow from the user interface to domains to be protected e Check with tools or manually that commands are decoded correctly and no undocumented commands exist Risk Class B Risk Class C Risk Class D U4 Influence via communication interface Commands input via non sealed communication interfaces of the device shall not inadmissibly influence the legally relevant software and measurement data oe Notes This implies that there is an unambiguous assignment of each command to an initiated function or data change 2 This implies that signals or codes that are not declared and documented as commands have no effect on the instrument s functions and data 3 Commands may be a sequence of electrical optical electromagnetic etc signals on input channels or codes in data transmissi
178. ution Imprint of the software identification on the name plate of the instrument 10 4 4 Examples of legally relevant parameters Heat meters have parameters like constants for calculations for configuration etc but also for setting up the functionality of the device Concerning identification and protection of parameters and parameter sets refer to requirements P2 and P7 guide P In the following some typical parameters of heat meters are given This table will be updated when WELMEC Working Group 11 has decided on the final contents Parameter Protected Settable Comment Calibration factor x Linearisation factor x 10 4 5 Other aspects For domestic applications it is expected that download of software extension D Chapter 9 will not be very important The cumulating energy or volume register of domestic instruments is not a long term storage in the sense of extension L Chapter 6 For an instrument that only meas ures cumulated energy volume the application of the extension L is not necessary 85 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 10 4 6 Assignment of risk class For the present according to the decisions of the responsible WELMEC Working Group 11 2 meeting 3 4 March 2005 the following risk class is considered ap propriate and should be applied if software examinations based on this guide are carried out for software controlled heat meters Risk class C for
179. ved cumulative values is small Required Documentation A brief description of which data is backed up and when this occurs Calculation of the maximum error that can occur for cumulative values Validation Guidance Checks based on documentation e Check whether all legally relevant data are saved to non volatile storage and can be recovered Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution Legally relevant data is backed up as required e g every 60 minutes 83 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 14 3 MID Annex I 8 5 Inhibit resetting of cumulative measurement values For utility measuring instruments the display of the total quantity supplied or the displays from which the total quantity supplied can be derived whole or partial reference to which is the basis for pay ment shall not be able to be reset during use Specifying Notes Cumulative registers of a measuring instrument may be reset prior to being put into use Required Documentation Documentation of protection means against resetting the volume registers Validation Guidance Checks based on documentation e Check that cumulative legally relevant measurement values cannot be reset without leaving a trace Functional checks e None
180. whether the measures nominal values taken are appropriate for the e Check that overwriting of data cannot occur before the end of the high protection level data storage period that is foreseen and documented by the manufacturer e Check that a warning is issued to the user if he is about to delete measurement data files Functional checks e Check by practical spot checks that before deleting measurement data a warning is given if deleting is possible at all Example of an Acceptable Solution e To detect data changes due to physical effects a checksum with the CRC 16 algorithm is calculated over the entire data set and inserted into the data set to be stored Note The algorithm is not secret and in contrast to requirement L3 neither is the initial vector of the CRC register nor the generator polynomial i e the devisor in the algorithm The initial vector and generator polynomial are known to both of the programs that create and verify the checksums Measurement data invoice files could be protected by attaching an automatic date stamp on creation and a flag or label stating whether invoices were paid unpaid A utility program would only delete move files if invoices had been paid or were out of date Measurement data are not deleted without prior authorisation e g a dialogue statement or window asking for confirmation of deletion e Automatic overwriting of measurement data can be performed if there is adequate protection of the
181. ximeter for at least 1 year see MI 007 15 2 94 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Risk Class B Risk Class C Risk Class D 17 1 Back up Facilities There shall be a facility that automatically backs up essential data e g measurement values and the current status of the process if the voltage drops for a longer period Specifying Notes 1 This data should normally be stored in non volatile storage 2 A voltage level detector to detect when to store measurement values is necessary 3 The back up facilities shall include appropriate wake up facilities in order that the taximeter including its software does not get into an indefinite state Required Documentation A brief description of which data is backed up and when this occurs Validation Guidance Checks based on documentation e Check whether the realisation of fault recovery is appropriate Functional checks e None additional to those completed during type examination to confirm correct functioning in the presence of defined influencing quantities Example of an Acceptable Solution The voltage level detector fires an interrupt when the voltage level drops for a time of 15 s The assigned interrupt routine collects measurement values state values and other relevant data and stores them in a non volatile storage e g EEPROM After the voltage level rises again the data is restored and the functioning continues or is stopped see MI 007 9
182. y be prevented e Check that the legally relevant tasks can only be performed by the approved legally relevant software Functional checks e Check through visual control if the presentation of results is easily distinguishable from other information that may also be presented e Check according to the documentation if the presented information is complete Validation Guidance in addition to the guidance for risk classes B and C Checks based on documentation e Check whether the measures taken are appropriate with respect to the required state of the art for a high protection level 32 WELMEC WG7 Software Guide WELMEC 7 2 Issue 5 Example of an Acceptable Solution Formal means 1 The software identification part B checksum version number or TEC number see U2 indicated by the software is compared with the desired value in the TEC Technical means 1 A measurement application window is generated by the legally relevant software The technical measures required of the window are e No access to measurement values shall be given to legally non relevant programs until the measurement values have been indicated e The window is refreshed periodically The associated program checks that it is on top of the stack of windows and the user shall not be enabled to close the window or shift it outside the visible area as long as the measurement is not concluded e Processing of measurement values st
183. y before the action of securing Because device specific parameters could be manipulated using simple tools on universal computers they shall not be stored in standard storages of a universal computer Storing of these parameters is acceptable only in additional hardware Settable device specific parameters may be changed after securing Required Documentation Required Documentation in The documentation shall describe all of the legally relevant addition to the documentation parameters their ranges and nominal values where they are required for risk classes B and C stored how they may be viewed how they are secured and The protection measures taken for when i e before or after verification parameters shall be shown Validation Guidance Validation Guidance in addition to Checks based on documentation the guidance for risk classes B and e Check that the method for protection of the type specific o gt parameters is appropriate Checks based on documentation e Check that device specific parameters are not stored on the Check whether the measures standard storages of the universal computer but in separate taken are appropriate with respect hardware that can be sealed and write disabled to the required state of the art for Functional chacks a high protection level e Test the adjusting configuration mode and check whether disabling after securing works e Examine the classification and state of
184. y the respective requirements and validation guidance need to be considered 3 3 How to work with a requirement block Each requirement block contains a well defined requirement It consists of a defining text explanatory specifying notes the documentation to be provided the validation guidance and examples of acceptable solutions if available The content within a re quirement block may be subdivided according to risk classes This leads to the sche matic presentation of a requirement block shown in Figure 3 3 Title of the requirement Main statement of the requirement eventually differentiated between risk classes Specifying notes scope of application additional explanations exceptional cases etc Documentation to be provided eventually differentiated between risk classes Validation guidance for Validation guidance for one risk class another risk class Example of an acceptable Example of an acceptable solution for one risk class solution for another risk class Figure 3 3 Structure of a requirement block The requirement block represents the technical content of the requirement including the validation guidance It addresses both the manufacturer and the notified body in two directions 1 to consider the requirement as a minimal condition and 2 not to put demands beyond this requirement Notes for the manufacturer Observe the main statement and the additional spec
Download Pdf Manuals
Related Search