FAQs Info Hour 2024 on Software in Legal Metrology

The main purpose of software evaluation is to detect vulnerabilities in the instrument that can be exploited to commit fraud or cause undetected corruption of measurement data. Software requirements help limit such vulnerabilities.

Instruments for the U.S. Market need to comply with NTEP Publication 14 on Software. This Publication is freely available at the NCWM website.

Instruments That Require OIML Certification must comply with the applicable OIML Recommendation. Generally, when revised, OIML Recommendations are updated to reflect the most recent software requirements as published in OIML D 31. All OIML publications are made available free of charge.

EU Non-Automatic Weighing Instruments (NAWI) intended for the EU market must comply with the requirements in EN 45501:2015 (or OIML R 76:2006), although Notified Bodies tend to also apply parts of WELMEC Guide 7.2. OIML R 76 is almost identical to EN45501. However, the OIML recommendation is available free of charge, while EN45501 is not.

EU Automatic Weighing Instruments and Measuring Instruments must comply with the applicable standard (applicable OIML recommendation), as well as the software requirements outlined in WELMEC Guide 7.2. This Guide is available free of charge.

• Identification of the software: Every change must lead to a new version number.
• Traceability: Registration of authorized changes in the software and parameters.
• Integrity: Detection of unauthorized changes, intentional (fraud) or unintentional (corruption), in software, parameters, and measurement data.
• Authenticity: Check authenticity during software updates and communication between components (hardware or software).
• Robustness: Against external influence on the measurement due to lack of resources (e.g., bandwidth), interference, or obstruction (e.g., disconnection).

• Software separation: Separate the software parts that manage the legally relevant functions of the instrument from the remaining software.
• Protective interfaces: Non-defined commands shall be ignored and have no influence. Applicable to user interfaces, communication interfaces, and interfaces to other software or software modules.
• Controlled software updates: Automated download process that checks the authenticity of the new software, checks the integrity of the downloaded file, and registers successful and unsuccessful update attempts. Regular updates are recommended to fix bugs and maintain the instrument's security.
• Priority and resources: The measurement process has top priority, and where applicable, measures are taken against spoofing of the measurement indication, transmission delays, and unavailability of system components (e.g., full data storage or loss of communication).
• Configuration of the operating system: Protected boot process, protected user profiles, proper passwords, and an audit trail over the applicable components of the configuration file.

No. The software security of an instrument should be evaluated during type evaluation, which involves reviewing the manufacturer’s documentation and conducting attack tests with software tools to identify vulnerabilities. In many cases, such evaluation also requires the instrument to be unsealed.

If the software security has been found in order during type evaluation, then the inspection in the field can be limited to a check of:

• the software version
• the condition of the seal(s)
• the hardware for signs of manipulation
• some spot checks of the functionality

No. Performance tests assess the accuracy of the measurements, while software evaluations identify vulnerabilities that can be exploited to commit fraud or cause undetected corruption of measurement data.