Meter Pulse Tampering Alert

Similar documents
P2412 Converter. AccuLoad Preset Accessory. Installation. The Most Trusted Name in Measurement. Issue/Rev. 0.0 (10/99) Bulletin MN06117

Electronic Preset Delivery System. AccuLoad II TM. Installation. The Most Trusted Name In Measurement

Smith Meter AccuLoad. Electronic Preset Delivery System. Tank Proving Guide. Bulletin MN Issue/Rev. 0.1 (7/10)

MPU 200 Series B. Ultrasonic Gas Flowmeter. Specifications. Features. Principle of Operation

GP-UF/A. Smith Meter Universal F/A Converter. Specifications. Features. Applications. Specifications

Model S50-D Density Sensor Specifications

Smith Meter AccuLoad III VLR Simulator for AccuLoad III. Installation / Operation Manual. Bulletin MN06116 Issue/Rev 0.3 (10/13)

Smith Meter Electronic Preset Delivery System AccuLoad III-S With ALS1 or ALD1 Firmware Specifications

Meter, PD Series JB10-S6, S7

Proline Promass F 300, 500

Operators Manual (Manual A)

Process Control HPP-25

SCR CONTROLLER SYSTEM

A NOVEL METHOD OF RATIO CONTROL WITHOUT USING FLOWMETERS

+GF+ SIGNET Temperature Transmitter Instructions

Ultrasonic Wall and Concentricity Measurement Systems UltraScan Series

WFS Fork Sensors. Agile and flexible ideal mounting for labeling applications. P r o d u c t I n f o r m at i o n

Smith Meter Electronic Preset Delivery System AccuLoad III- Split Architecture Specifications

LC-10 Chipless TagReader v 2.0 August 2006

NetPA AT Series Setup Guide

Possible installation effects on density meter in a fast loop sampling system.

Digital Soundmodule, Type TBS 5 II

How to operate (folding)

LASER. Analog Laser Displacement Transducer. LAM Series. Key-Features: Content:

Series 70 Servo NXT - Modulating Controller Installation, Operation and Maintenance Manual

Simple Sturdy Economical LABEL. Invest in Confidence. Weatherproof Multi-turn Actuators ET RANGE

INSTALLATION INSTRUCTIONS Y-Connector Accessory (For Multi-Dual Arm Mounting Systems) Model: KSA-1011

Instruction manual. art Installation manual

RMV25 / RMV50 RMU25 / RMU45

Simple Sturdy Economical LABEL. Invest in Confidence. Weatherproof Quarter-turn Actuators EZ RANGE

Proximity-Sensor Counter Installation Instruction Model: MRC-PRO

Model FL8300 SERVICE MANUAL. harman/kardon. 5 Disc Compact Disc Changer CONTENTS

MobileRadio. Owner'sManual

USE OF INDUCTIVE PROXIMITY SENSORS IN VITAL SIGNAL APPLICATIONS

Coriolis Massflowmeter

DC Motor and Servo motor Control with ARM and Arduino. Created by:

Infrared Gun. Perfect For. Easy To Use. Features. Get Professional Results Every Time! Battery Installation. Model: IN1022

COMPACT-LINE. Transmitter for ph-value

Dial-type digital bar graph. LEDs for Open Collector, Relays and Warning Indicator

Please enter the identity code of your device here!

Christie Mystique Install: Comparing features by edition

Features MIC2777 VDD /RST R2 GND. Manual Reset OTHER LOGIC. Typical Application

MTRTH and MTRTLS. MRT and MRS METAL CABLE TIE RETAINED TENSION INSTALLATION TOOLS OPERATION INSTRUCTIONS

Brunata Optuna H Ultrasonic energy meter Type 775 Installation Guide Edition 1.2

ECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University

NGR. Guided Wave Radar Level Transmitter

Viewing the Ryca Motors CS-1 Build Video series at youtube.com/rycamotors is highly recommended before beginning the following assembly process.

TSE Power Meter. for small laboratory animals. No

TS555. Low power single CMOS timer. Features. Description

Laboratory 2 More Resistor Networks and Potentiometers.

SL300 Snow Depth Sensor USL300 SNOW DEPTH SENSOR. Revision User Manual

PIECAL 820 FIELD CALIBRATION PROCEDURE

200 RTH OFF ON IN OUT ALARM RESET

MIM. Electromagnetic Flowmeter. Compact, All-metal Design

MICROPROCESSORS AND MICROCONTROLLER 1

USER GUIDE. Sensor evaluator. Testing and diagnostics. Error Reporting. Sensor Validation. Training and Technology for Injection Molders

Quick Start Guide LIQ-QSG-226, Rev F June Rosemount 226. Toroidal Conductivity Sensors

AN797 WDS USER S GUIDE FOR EZRADIO DEVICES. 1. Introduction. 2. EZRadio Device Applications Radio Configuration Application

Assembly Instructions

UNIVERSAL MOTOR CONTROL EVALUATION BOARD

AN1610 APPLICATION NOTE POWER LOGIC 8-BIT ADDRESSABLE

Using the G8 TM Game Timer for Timing Advanced Are You A Werewolf? games

SVCam I/O In-Camera Controller and Drivers.

COMPANY PROFILE. Leading manufacturer in the field of surface engineering. Spray Painting Technology I Pumps I Compressors I Systems Engineering

NE556 SA556 - SE556 GENERAL PURPOSE DUAL BIPOLAR TIMERS

TDA7231A 1.6W AUDIO AMPLIFIER OPERATING VOLTAGE 1.8 TO 15 V LOW QUIESCENT CURRENT HIGH POWER CAPABILITY LOW CROSSOVER DISTORTION SOFT CLIPPING

GUIDE TO TROUBLESHOOTING INFRA RED SYSTEMS

INTRODUCTION TO DATA STUDIO

OSBORNE SHOWER DOOR INSTALLATION

905U Wireless. New Products... New Solutions. The wireless alternative to expensive cabling... Simple but Reliable. Easy to Use

Wireless Occupancy Sensor User Guide

INSTALLATION INSTRUCTIONS GRILLE GUARD RAM 1500 PART # 5058/5058-2

MFJ ENTERPRISES, INC.

ET-413 2MP USB PEN MICROSCOPE

BMW X5 OEM RUNNING BOARD PART#SBBW

User s Manual. F2 Calculator. A metering component for thermal energy applications

GPS Evaluation Kit EVA1084-A

LBI-38392C IC DATA MAINTENANCE MANUAL LOGIC BOARD U707 OCTAL DATA LATCH 19D902172G1 & G2 TABLE OF CONTENTS

Leading experiential design and production studio. Large Franchise Network. 250 escape games. 50 locations. 27 countries

CHARACTERIZATION OF FLIP CHIP BUMP FAILURE MODES USING HIGH FREQUENCY ACOUSTIC MICRO IMAGING

Ultrasonic Proximity Sensor/Module for Water Proof Types of Ultrasonic Sensors (HG-P40WP)

SNAPLOC. Vibration and noise-decoupling fastening systems

Description of options, upgrades and accessories for the laser beam stabilization system Compact

Keysight Technologies N1918A Power Analysis Manager and U2000 Series USB Power Sensors. Demo Guide

Digital Multifunctional RC-Soundmodule TBS Mini V2

Debugging SENT Automotive Buses with an Oscilloscope APPLICATION NOTE

Maintenance Information

BL-ER-P Ethernet Radio Unit for Pedestal Installation Guide

Getting Started with the LabVIEW DSP Module

TOYOTA COROLLA EC REARVIEW MIRROR Section I Installation Preparation

The Guitar Chord Learning System

GPS Evaluation Kit EVA1035-H

FLOW SWITCH 600 Series Velocity Flow Sensor. Instruction Manual

AN ARDUINO CONTROLLED CHAOTIC PENDULUM FOR A REMOTE PHYSICS LABORATORY

Evaluation of Package Properties for RF BJTs

TECHNICAL INFORMATION INTEGRATED PASSIVE COMPONENTS WHAT ARE THE REAL BENEFITS?

Measuring Power Supply Switching Loss with an Oscilloscope

LASER. Analog Laser Displacement Transducer. LAM Series. Key-Features: Content:

OPERATING INSTRUCTIONS AND SPECIFICATIONS. NI 9207E 16-Channel, ±20 ma/±10 V, 24-Bit Analog Input Module

Circuit Applications of Multiplying CMOS D to A Converters

Transcription:

Issue/Rev. 0.0 (2/09) Meter Pulse Tampering Alert Alert Bulletin Bulletin SV02002 Rogue Module Engineering Investigation Purpose: Engineering was requested by Field Service to analyze an unknown electronic module that was found at a customer site that mimicked and replaced the normal (passive) terminal block supplied by our factory in our PRIME 4 meters. Background: FMC Technologies Field Service and Product Marketing representatives visited the site after sporadic reports of problems (dome outs) loading tank trucks in 2008. Field Service found electronic modules installed in 14 of the 31 meters. Since these modules were not designed by or ever sanctioned by FMC Technologies (Smith Meter), an analysis to their functionality was requested by Field Service noting that the meters with the unknown module installed also had one of the 4 wires from the transducer clipped (opened) and heat shrunk in a fashion that obfuscated the fact that it was open. Field Service also noted that the junction boxes were absent of any Weights and Measures seals. Analysis Visual Evaluation: The rogue module was manufactured with the same type of terminal block as the factory sanctioned block but with the addition of two electronic printed circuits attached on the rear side, as seen in Figures 1, 2 and 3. Rogue Module Smith Meter Terminal Block Figure 1 - Top View Rogue Module Smith Meter Terminal Block Figure 2 - Side and Bottom View The Most Trusted Name In Measurement

The rogue module s potting was removed to reveal two electronic printed circuit assemblies (See Figure 3). Figure 3 - Electronics and Removal of the Potting Material It was noted that a small scratch was observed on the side-face of all modules. It was later determined that the small scratch is an identifier signifying the field terminal that is circuit ground. (The Smith terminal block does not require any polarity/orientation marking because it is a passive device, whereas the rogue module requires specific connections to specific terminals). There were no markings or visual clues externally or internally signifying the module s manufacture or design origin. The components were identified and a schematic was reverse-engineered for the critical circuitry. Hardware Evaluation: After studying the schematic and evaluating the circuit (schematic has not been included in this report for security reasons) the following was revealed or was evident: 1. All pulses (volumetric data) from the input (meter sensor) are routed through a microprocessor (Silicon Laboratories, Inc. -- SIL C8051F330). 2. The four field terminals are: a. Input Pulses (Relative to the module) b. Output Pulses (Relative to the module) c. Power d. Ground 3. Simplified Block Diagram: Page 2 SV02002 Issue/Rev. 0.0 (2/09)

4. The module is not capable of being programmed after potting. The programming pins were cut prior to potting and were encapsulated under the potting. 5. Signal Flow diagrams (as installed) see Figures 4 & 5. Note: With this arrangement both rogue and normal have four connections from the sensor and both have 3 connections to the AccuLoad making the visual discrimination difficult between the two in the junction box. Figure 4 - Signal Flow WITHOUT Rogue Module Figure 5 - Signal Flow WITH Rogue Module Software Evaluation The C8051D330 processor which contained the program code was de-soldered from the de-potted PC board. The processor was then soldered onto a Silicon Laboratories, Inc. (SiLab) evaluation ToolStick where the SiLab s development system can be attached in order to extract the code. The machine-code was extracted and disassembled into the native assembler pneumonics. (The code listing has not been included in this report for security reasons.) The code revealed the following sequence to set the EnablePulseStripping flag: 1. From a no-flow condition, the module must see between 2 and 200 pulses. If greater than 200 pulses, the module will wait for no-flow, wait an additional 5 seconds, then restart the detection process from the beginning. 2. After the occurrence of the 2-to-200 pulses the module must NOT see any flow for a minimum period of 31 seconds after the 2-to-200 pulse cessation. If flow is detected prior to the 31 second period, the detection system is reset and the sequence has to be started from the beginning. 3. After the 31 second time period and before another 11 seconds has elapsed, flow must be detected. Otherwise the detection system is reset and the sequence has to be started from the beginning. If flow is detected prior to the 11 second window the EnablePulseStripping flag is set and all subsequent pulse outputs are half of the input pulses. After the setting of the EnablePulseStripping flag, the flag will remain set until there is a continuous 37 seconds of no-flow. At the detection of 37 seconds of continuous no-flow, the EnablePulseStripping flag is cleared, the system is reset and the sequence must started from the beginning. Summary The rogue modules found and installed at the site will allow an individual to under-register the loading activity by a maximum of 50%, provided the individual manipulates the Start/Stop buttons in the sequence described above. (Hit the Start then the Stop button quickly just enough to crack the valve. Then wait for 35 Seconds to hit the Start again.) Issue/Rev. 0.0 (2/09) SV02002 Page 3

Engineering Investigation Purpose: Product Marketing requested that Engineering analyze a PA6 module found at a customer site that mimicked and replaced the PA6 units supplied by our factory. Background: FMC Technologies Product Marketing received reports that there have been sporadic reports of problems (dome outs) while loading tank trucks at a Terminal. Upon inspection, it was noticed that the potting compound of the malfunctioned PA6 s was much harder than normal PA6 s. It was also noted that the potting compound was slightly raised. The units were sent to the factory for further analysis. Upon initial examination of the units, FMC Technologies Engineering immediately recognized that the potting compound was not what was specified for manufacture and was in clear violation of our manufacturing documentation. A radiographic x-ray was ordered to help determine the internal construction, which subsequently led Engineering to determine that the unit was not designed by, nor ever sanctioned by, FMC Technologies. Further analysis was performed to try to determine the nature and operation of the unit. This was in light of the finding in the field that the rogue terminal block assembly contained a PC board with an embedded processor (as discussed previously). Analysis: Visual Evaluation: The rogue PA6 was manufactured with the same outward appearance as the Smith Meter PA6, with the exception of a hard potting compound versus the soft rubber-like RTV compound of the factory unit, and the slight doming of the potting material as seen in Figures 6, 7 and 8. Smith Meter PA6 Figure 6 - Top View Smith Meter PA6 Figure 7 - Side View Page 4 SV02002 Issue/Rev. 0.0 (2/09)

Smith Meter PA6 Figure 8 - Bottom View Also of note is that the was masked and painted white to conceal the fact that the potting compound is a dark grey material. From the outward appearance, the construction of the may actually (re)use genuine outside components (red plastic cap-plug with original label). Radiographic X-Ray Evaluation: A radiographic x-ray was ordered from a materials engineering and testing company to examine the internals for a differential comparison to a true Smith Meter PA6. The following is the x-ray depiction. Note: The Smith Meter PA6 contains no processor whereas the Rouge PA6 contains what appears to be a microprocessor, associated crystal and support devices. A Smith Meter PA6 B Figure 9 - Radiographic X-Ray (Terminal Block Side Up) Issue/Rev. 0.0 (2/09) SV02002 Page 5

Operational Evaluation: Due to the difficulty of removing (chemically or otherwise) this type of potting compound with this type of construction, an attempt was made to see if the operated the same way as the Rogue Module discovered in 2008 (we were able to remove the Rogue Module s compound due to the nature of the construction and subsequently remove the processor in order to decode the internal program). A test fixture was made such that a controlled number of pulses under a controlled sequence can be administered to the while monitoring the pulse stream output from the. Note: In a Smith Meter PA6 in this configuration, the number of pulses output should always match the number of pulses input. By applying the same sequence to the that was found to trigger a special mode in the Rogue Module, the can also be put into a special mode where the outputs one-half the number of pulses it receives. The following is the sequence for triggering the one-half rate (see Rogue Module Engineering Report September 2007 for technical details): 1. From a no-flow condition, the must see between 2 and 200 meter pulses. If greater than 200 meter pulses the module will wait for no-flow, wait an additional 5 seconds, and then restart the detection process from the beginning. 2. After the occurrence of the 2-to-200 pulses, the must NOT see any flow for a minimum period of 31 seconds after the 2-to-200 pulse cessation. If flow is detected prior to the 31 second period, the detection system is reset and the sequence must be started from the beginning. 3. After the 31 second time period and before another 11 seconds has elapsed, flow must be detected. Otherwise, the detection system is reset and the sequence must be started from the beginning. If flow is detected prior to the 11 second window, the special mode is entered and all subsequent pulse outputs are half of the input pulses. After this mode has been entered, the mode will remain set until there is a continuous 37 seconds of no-flow. At the detection of 37 seconds of continuous no-flow, the special mode is cleared, the system is reset and the sequence must be started from the beginning. Summary The Rogue PA6, as found and installed at the loading site, facilitates any individual to under-register the loading activity by a maximum of 50%, provided the individual manipulates the flow through the meter by the Start/Stop buttons of the Electronic Preset in the sequence described above. (Hit the Start button, then the Stop button quickly just enough to crack the valve. Then wait for 35 seconds to hit the Start button again.) Note: For requirements to seal terminal junction boxes refer to Meter Pulse Tampering Alert Bulletin Update, SV02002U1 issued on March 4, 2009 The specifications contained herein are subject to change without notice and any user of said specifications should verify from the manufacturer that the specifications are currently in effect. Otherwise, the manufacturer assumes no responsibility for the use of specifications which may have been changed and are no longer in effect. Headquarters: 500 North Sam Houston Parkway West, Suite 100 Houston, TX 77067 USA, Phone: +1 (281) 260-2190, Fax: +1 (281) 260-2191 Gas Measurement Products: Houston, TX USA +1 (281) 260-2190 Thetford, England +44 (1842) 82-2900 Kongsberg, Norway +47 (32) 286-700 Buenos Aires, Argentina +54 (11) 4312-4736 Integrated Measurement Systems: Corpus Christi, TX USA +1 (361) 289-3400 Kongsberg, Norway +47 (32) 286-700 San Juan, Puerto Rico +1809 (787) 274-3760 United Arab Emirates, Dubai +971 (4) 331-3646 Liquid Measurement Products: Erie, PA USA +1 (814) 898-5000 Los Angeles, CA USA +1 (310) 328-1236 Slough, England +44 (1753) 57-1515 Ellerbek, Germany +49 (4101) 304-0 Barcelona, Spain +34 (93) 201-0989 Moscow, Russia +7 (495) 564-8705 Melbourne, Australia +61(3) 9807-2818 Visit our website at www.fmctechnologies.com/measurementsolutions Printed in U.S.A. 2/09 FMC Technologies Measurement Solutions, Inc. All rights reserved. SV02002 Issue/Rev. 0.0 (2/09) Beijing, China +86 (10) 6500-2251 Singapore +65 6861-3011 Chennai, India +91 (44) 450-4400

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback