4.2.4 Assessment of risk on violation
To further assess the risk it is necessary to distinguish between accidental and deliberate violation of measurement data, which need to be approached in different manners.
An influencing phenomenon as described below includes human intervention.
Assessment of the risk of accidental violation
Knowledge of the techniques used in a specific device can be a basis for a preliminary estimation of its potential sensitivity to certain influencing phenomena. It can also be a source for establishing the significance of a disturbance in relation to its dwell time.
Observing the device
Risks of violation of integrity by accidentally influencing the measurement or the measurement result could arise from inadequate design, which in turn could be caused by insufficient knowledge on the part of the designer of the causes of a potential sensitivity of this design to a disturbing phenomenon.
In principle, a survey on measures taken during the design to prevent such a risk could provide the necessary confidence. This could, for example, be the approach when assessing software measures.
The risk of accidentally influencing measurement results caused by weaknesses in hardware design, however, often cannot easily be estimated on the basis of only observing the construction or design of the specimen.
Another risk concerns the possible mutual interaction between different adjacent electronic measuring devices, for example the effect of heat emissions from devices present in the vicinity. Specifically in the case where electromagnetic interference is concerned, it will be difficult to ascertain the number of potential EM leaks (which increases with the number of input and output ports), thus making the assessment of the risk of interference rather complex.
Moreover, the sensitivity of a measuring device to potential disturbances could also change if additional or alternative cabling and/or other auxiliary devices are connected.
In most cases it will therefore be necessary to detect weaknesses in hardware design by exposing such instruments or systems to simulated disturbance sources, which implies that some knowledge of potential disturbance phenomena and sources and basic knowledge about the way in which such phenomena may penetrate into a device is required.
Available sources of information
OIML D 11 provides an overview of available test methods concerning EM disturbances that are most applicable to measuring devices used for legal purposes.
Restriction
Assuming that the requirements and tests described in the relevant standards and other guidance documents cover everything needed for prevention of interference amounts to neglecting the consequences of the rapid innovations in electronics. It is almost impossible to keep up with these fast developments and to ensure that they are taken into account in available standards, as the drafting of standards naturally lags behind such developments.
Therefore, a general requirement on non-interference shall be the guideline on the approach to take, and the analysis of the measuring device shall not be restricted to only testing against available standards.
Observing the environment
While in operation, each device is exposed to and more or less “influenced” by its environment. This environment is considered to comprise not only the “usual” physical environmental parameters (such as the rated operating conditions) but also the results of the emissions and/or influences from other instruments or devices located in the neighborhood.
With this definition of the environment it can be stated that each disturbance of a device in operation originates from the environment in which the disturbed device is located, unless the disturbance is produced by the device itself or the behavior of the measurand.
Knowledge of (the behavior of) the parameters that make up the environment is therefore essential.
For some environmental parameters, for example the climatic conditions of the in-service locations, a survey could be sufficient to ascertain their value or range of values. For others, for example those establishing the electromagnetic environment, this information cannot easily be assessed and/or measured since the frequency of occurrence of the EM phenomena could be too low. A better approach would be to use inventories such as those laid down in standards and/or reports.
Available sources of information
Much information on the worldwide EM environment is available1); many standards have been written and much legislation is in force based on this information.
When successively taking into consideration the influences on the environment due to the presence of adjacent instrumentation, the approach could be similar to the above and the information collected on the environment could be combined with the known (maximum) emission of the adjacent instrumentation. On the basis of the dimensional and other location parameters the latter could be calculated. For example, the maximum radiated heat emission from such instrumentation could be calculated from its location (and path) in the direction of the measuring device and the power consumption, while the maximum expected exposure to electromagnetic radiation from a device could be calculated from the (limits of) EM emission specified in the relevant EM emission standards and the path properties.
Use of harmonized documents and standards (to reduce risks)
As indicated, suggestions for requirements and test methods to eliminate the influence of a number of environmental phenomena are presented in OIML D 11. Most of these are based on international (IEC) standards. Although this horizontal document covers many influence factors, the performance requirements needed for protection against mutual interference specifically related to a smart metering concept are not yet completely covered by D 11. The latter in particular concerns the emissions and immunity requirements for data communication signals.
Moreover, attention should be paid to the fact that the presence of several instruments in close proximity to each other will give rise to mutual interference despite the fact that each instrument may satisfy the requirements in the standards.
For example, at a distance of a few cm from an antenna used for GPRS, one could expect levels above in the MHz band and at a distance of a few cm from a mains supply adapter one could expect levels of at mains frequency.
Furthermore, in the recent past it was proven that photovoltaic devices used for generating electrical energy can produce LF (kHz) band disturbances on the connected mains circuit which lead to deviations in the measurement results of the connected smart electrical energy meters.
In principle, the requirements and protocols specified in UTC and ETSI harmonized standards on telecommunications should cover securing and protection of the communication. The focus of these standards, however, is mainly on higher frequencies and on medium to long distances. Prevention of disturbing in-house (near field) and low frequency interactions is less well covered.
Assessment of the risk of deliberate violation
Observing the device
The risk of violating integrity through deliberately influencing the measurement or the measurement result could arise when insufficient measures have been taken in the design so as to protect against such violation.
Since the measurement principle in most cases will be publicly available knowledge, a method for influencing a measurement will often be within reach, which implies that each design will need some means of protection against potential fraud. In principle a survey on measures taken in the design to prevent such a risk could provide the necessary confidence. Again, this could be the approach when assessing software measures.
The risk of deliberately influencing measurement results caused by weaknesses in the hardware design depends on the direct or indirect2) accessibility of the parts and circuits involved in the measurement and to what extent measures to detect interventions are implemented. Again, a survey on measures taken at the construction and design stages to prevent such a risk could provide the necessary confidence. Furthermore, the measures taken to prevent an unacceptable and more or less predictable response to the higher level of interference should be assessed, which could be the case for (high level) magnetic or electromagnetic interferences.
Observing the environment
Concerning the deliberate influencing of measurements, the disturbing source is also part of the environment, such as a human being involved or the software routine in use.
Since an inventory or a complete listing of all the conceivable ways of influencing is not feasible, the only way in which one could make some discrimination is to distinguish between instruments that can be approached by the public and those that can only be approached by personnel in their line of duty.
Reduction of risks
A rather conventional means of preventing deliberate interference with the measurement result is the use of adequate hardware sealing and securing methods.
Unauthorized approach/amendment of software can be prevented by use of passwords and cryptographic means. The implementation of the principles/requirements as described in OIML D 31 could provide the necessary protective measures.