Laboratory manual for the evaluation of non-automatic weighing devices
Part 2, section 2—Sealing
Table of contents
- 2.0 Sealing – Generalities
- 2.1 Philosophy for sealing
- 2.2 Sealable parameters on non automatic weighing devices
- 2.3 Other mechanisms requiring sealing
- 2.4 Physical seals
- 2.5 Sealing electronic devices
- 2.6 Notices of approval
- Section 48 of the Specifications Relating to Non Automatic Weighing Devices (1998)
- Terms and Conditions for the Approval of Metrological Audit Trails
2.0 Sealing – Generalities
Electronic weighing devices must have provisions to the effect that a security seal must be broken, or an audit trail provided, before any adjustment affecting the performance of the device can be made. Only the metrological parameters: that can affect the measurement features, that have a significant potential for fraud, whose range extends beyond that appropriate for device compliance or the suitability of the equipment, shall be sealed.
2.1 Philosophy for sealing
The judgment as to whether or not a method of access represents a "significant potential for fraud" and thus requires sealing, will be based upon the following philosophies.
2.1.1 The need to seal specific features depends upon:
- The ease with which the feature or the selection of the feature can be used to facilitate fraud; and
- The likelihood that the use of the feature will result in fraud not being detected.
2.1.2 Features or functions that are routinely used by the operator as part of device operation, such as the setting and maintaining of unit prices in price look-up codes, are not sealable parameters.
2.1.3 If the selection of a parameter (or a set of parameters) would result in performance that would obviously be in error, such as the selection of parameters for different countries, then it is not necessary to seal the selection of these features.
2.1.4 If individual device characteristics are selectable from a "menu" or a series of programming steps, then access to the "programming mode" must be sealable.
2.1.5 If a device must undergo a physical act, such as the cutting of a wire and physically repairing the cut to reactivate the parameter, it would be considered an acceptable way to select parameters without requiring a physical seal or an audit trail.
2.2 Sealable parameters on non automatic weighing devices
The following examples of adjustments, parameters and features to be sealed are to be considered "typical" or "normal". The list is not intended to be all inclusive and any other parameters that may affect the metrological functions of a device must be sealed.
If listed parameters or other parameters which may affect the metrological function of a device are not to be sealed, the manufacturer must demonstrate that the parameter will not affect the metrological performance of the device.
Typical sealable parameters
- Coarse zero
- Linearity correction points
- Motion detection (on/off, bandwidth)
- Scale interval "d" (or location of the decimal point)
- Number of scale intervals
- Range of overcapacity
- Manual weight entries (on/off)
- AZSM (on/off and range of a single step)
- Zero and AZSM total range (if the range can be set for more than 4% and if this increases the weighing capacity)
- Filter (number of samples averaged for weight readings)
- Filter (averaging time for weight indications)
- Units of measurement (if not displayed or printed on the primary register)
Typical features or parameters that are not required to be sealed
- Product codes
- Commodity unit prices
- Zero and AZSM total range (if the range can be set for more than 4% but this does not increase the weighing capacity)
- Display update rate
- Selection of tare feature operation (keyboard, push button or automatic tare (on/off))
- Weigh-in/weigh-out operation (on/off)
2.3 Other mechanisms requiring sealing
2.3.1 Junction boxes that have adjustment parameters (potentiometers, rheostats, resistors or software configuration, etc.) must have provisions for applying security seals.
2.3.2 In the case of a complete scale consisting of an electronic indicator and a load receiving element incorporating a junction box or load cells that have built-in calibration/configuration capabilities, and for which the parameters can be changed "remotely" through the indicator keyboard, there must be provisions to seal load cell cables to the indicator and junction box.
2.3.3 If the device is equipped with an automatic or semi-automatic calibration mechanism, the mechanism must be inside the device and there must be provisions to apply security seals so that neither the mechanism nor the calibration process can be altered.
Note: Automatic and semi-automatic calibration mechanism
Automatic or semi-automatic calibration mechanisms are allowed provided they are within the device and the method or process cannot be tampered with. Using the calibration mechanism, try to calibrate the device when it is off level, when there is a load on the platform, and when the display device is in motion. Also try to put a small load on the set when the internal mechanism calibrates. These interventions should not give rise to any erroneous calibration.
2.4 Physical seals
Physical seals comprise "lead" and wire seals, pressure sensitive seals, etc. They may be used to seal certain device categories, features and mechanisms (see sections 2.3 and 2.5).
2.4.1 Seals must be readily accessible and observable. Devices must be sealable in a manner that does not require disassembly or moving of the device to gain access to the adjustments. However, removing a protective cover plate to access a junction box is acceptable. The removal of a cover plate must be simple and not require excessive effort or the use of special tools.
2.4.2 On small devices (portable) the means of sealing may be under the platter, if the platter can be lifted easily, under the scale or at the back of the scale if the scale is designed so that it can be turned upside down without damage to remove or apply security seals. When a "lead" and wire seal is located under the platform, there must be ample clearance to eliminate the possibility of interference between the seal and the platform.
2.4.3 When two bolts are used for a "lead and wire seal", it must be impossible to remove either bolt without breaking the wire seal. A free standing bolt (a bolt which passes through a panel and is fixed in place with a nut on the opposite side of the panel) is not acceptable.
2.4.4 Pressure sensitive seals are acceptable under certain conditions. If they cover a hole (e.g., through which a "calibration enable" switch would be activated) the hole must be covered with a suitable rigid plug. The seal must not bridge so as to leave cavities or air pockets under the seal. Cavities and air pockets are weak points that could cause the seal to be easily damaged (see the illustration below).
Illustration labels: pressure sensitive (paper) seal; air pocket (void space).
2.4.5 A pressure sensitive security seal is not suitable in an adverse environment (rain, cold, wash-down, etc.).
2.5 Sealing electronic devices
Electronic devices must be "sealed" in accordance with the minimum requirements contained in the Specifications Relating to the Design, Composition, Performance and Use of Metrological Audit Trails.
Note: A Category 1 or Category 2 device may be sealed using an event logger instead of a physical seal. An event logger exceeds the minimum requirements for Category 1 and Category 2 devices.
The terms used in the Notice of Approval are defined in the Terms and Conditions for the Approval of Metrological Audit Trails; these Terms and Conditions can be found on Measurement Canada's website.
Note: Numbers in parentheses refer to section numbers in the Terms and Conditions.
2.5.1 Category 1 device
A device that does not have remote configuration capability. Usually a device of this category has internal, physical means of adjustment such as dip switches, or configuration and adjustments can only be made through the device keypad when it is in a "calibration" mode. Such a device may be sealed by means of a physical seal or two event counters: one for calibration parameters and one for configuration parameters.
(3.1) Access to sealable parameters is protected by:
- a physical seal; or
- an audit trail with two event counters (one for calibration, the second for configuration).
2.5.2 Category 2 device
A device offering remote configuration capability for its sealable parameters and providing sealable enabling/disabling hardware to control remote configuration use. Usually, a device of this category can be adjusted through the device keypad, remotely through the ports using an external apparatus such as a computer or using an external device such as an infrared handheld transmitter.
(3.2) Enabling/Disabling hardware access for remote communication is located at the device.
(4.1) Access to sealable parameters is protected by:
- a physical seal; or
- an audit trail with two event counters (one for calibration and one for configuration).
When the device is in the remote configuration mode,
- (7.1, i) it does not indicate nor record values; or
- (7.1, ii) it provides a clear and continuous indication that the device is in remote configuration mode.
2.5.3 Category 3 device
A device that provides unrestricted access to its sealable parameters. These are complex devices that are often part of sophisticated systems.
(3.3) Access to sealable parameters is protected by an event logger.
2.5.4 Event counters
If the device is "sealed" by means of event counters, the following requirements must be met:
- (4.1) Two event counters: one for calibration parameters and one for configuration parameters.
- (4.2) Event counters are non-resettable and have a capacity of at least 1000 values (e.g., 0 to 999).
- (4.3) Event counters increment appropriately.
Clarification: counters may increment once per menu access, even if multiple parameters are changed.
- (8.1, i) Information is stored in non-volatile memory and retained for at least 30 days while the device is without power.
- (8.1, ii) Information is protected against erasure or modification.
- (9.1) Audit trail information must be readily accessible and easily readable.
- (9.2) Accessing the audit trail information for review shall be separate from the calibration mode.
- (9.3) Accessing the audit trail information for review must not affect normal operation of the device.
- (9.4) Accessing the audit trail information shall not require removal of any parts other than normal requirements to inspect the integrity of a physical security seal (e.g., a key to open a locked panel may be required).
2.5.5 Event loggers
If the device is "sealed" by means of an event logger, the following requirements must be met:
- (5.1) Event loggers contain as a minimum: a count of the events, date and time, parameter identification, and new value.
- (5.1.1) Information is automatically entered in the event logger each time a sealable parameter is changed.
- (5.1.2) Irrelevant information is excluded when the event logger's contents are displayed or printed.
Note: Relevant information is only the parameter that is changed. Irrelevant information includes non-metrological parameters and metrological parameters that have not been modified.
- (5.1.3) Event counter increments once for each change.
- (5.1.4) The date includes the year, month and day; the time includes the hour and minutes; information is presented in a recognizable format.
- (5.2) A hard-copy printout of the contents is available upon demand as required.
- (5.3) Event logger has the capacity of at least ten times the number of sealable parameters.
- (5.3.1) The event logger drops the oldest event when the memory capacity is full and a new entry is saved.
- (5.3.2) Event counter continues to increment to capacity (1000 values).
- (8.1, i) Information is stored in non-volatile memory and retained for at least 30 days while the device is without power.
- (8.1, ii) Information is protected against erasure or modification.
- (9.1) Audit trail information must be readily accessible and easily readable.
- (9.2) Accessing the audit trail information for review shall be separate from the calibration mode.
- (9.3) Accessing the audit trail information for review must not affect normal operation of the device.
- (9.4) Accessing the audit trail information shall not require removal of any parts other than normal requirements to inspect the integrity of a physical security seal (e.g., a key to open a locked panel may be required).
- (10.1) Displayed and/or printed information is readily interpretable by an inspector.
- (10.2) Information is displayed or printed in order from the most recent to the oldest event, and it is displayed on one line in an understandable block of information.
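The event logger requirements listed above, modelled as an added example (not Measurement Canada's or any manufacturer's code); the class, method and parameter names and the sample date are constructed for illustration. It shows why an inspector records the event count at each visit: the counter still proves that changes occurred after the oldest entries have been dropped from the log.

```python
from collections import deque
from datetime import datetime

class EventLogger:
    """Illustrative model of a section 2.5.5 event logger (not vendor code)."""

    def __init__(self, sealable):
        self.sealable = dict(sealable)  # sealable parameter -> current value
        self.other = {}                 # operator settings, never logged
        self.counter = 0                # no reset method; rollover past 999 not modelled
        # (5.3) capacity of ten times the number of sealable parameters;
        # (5.3.1) a bounded deque drops the oldest entry when full.
        self.log = deque(maxlen=10 * len(self.sealable))

    def set_param(self, name, value, when):
        if name not in self.sealable:      # (5.1.2) non-metrological: not logged
            self.other[name] = value
            return
        if self.sealable[name] == value:   # (5.1.2) unmodified: not logged
            return
        self.sealable[name] = value
        self.counter += 1                  # (5.1.3) once for each change
        # (5.1) count, date and time, parameter identification, new value
        self.log.append((self.counter, when, name, value))

    def report(self):
        # (10.2) newest first, one line per event; (5.1.4) date and time format
        return [f"{n:03d} {t:%Y-%m-%d %H:%M} {p} = {v}"
                for n, t, p, v in reversed(self.log)]

    def review(self, count_at_last_inspection):
        """Events since the recorded count, plus how many of them were
        already dropped from the log but are still shown by the counter."""
        recent = [e for e in reversed(self.log) if e[0] > count_at_last_inspection]
        dropped = self.counter - count_at_last_inspection - len(recent)
        return recent, dropped

def demo():
    # Constructed sample: two sealable parameters, so the log holds 20 events.
    dev = EventLogger({"scale_interval_d": "0.005 kg", "filter_samples": 8})
    t = datetime(2024, 1, 15, 9, 30)
    dev.set_param("unit_price_plu_12", 4.99, t)   # operator setting, not sealable
    dev.set_param("filter_samples", 8, t)         # same value, nothing changed
    for i in range(25):                           # 25 genuine changes
        dev.set_param("filter_samples", 10 + i, t)
    return dev

if __name__ == "__main__":
    print("\n".join(demo().report()[:3]))
```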
2.6 Notices of approval
Provisions for sealing some devices or features may be complex and extensive. Certain devices may incorporate audit trails and, in addition, some of their features or mechanisms may be secured using two or more physical seals. Audit trails are also configured differently for different devices.
In order to ensure adequate sealing and proper use of audit trail information, Notices of Approval should provide sealing plans and detailed audit trail operating instructions, including how to enter and exit the audit trail, for each approved model of device.