Your browser does not appear to support Javascript, please update your browser or contact your system administrator to enable Javascript on your Internet browser. Thank you. Chapter 4: Voting Equipment User Documentation — U.S. Election Assistance Commission
Skip to content

U.S. Election Assistance Commission

Personal tools
You are here: Home TGDC Recommended Guidelines Part 2: Documentation Requirements Chapter 4: Voting Equipment User Documentation
TGDC Recommended
Guidelines

VVSG Navigation
 

Chapter 4: Voting Equipment User Documentation (manufacturer)

This section contains requirements on the content of the documentation that manufacturers supply to jurisdictions that use their systems. In this context, "user" refers to election officials. The user documentation is also included in the TDP given to test labs.

It is not the intent of these requirements to prescribe an outline for user documentation. Manufacturers are encouraged to innovate in the quality and clarity of their user documentation. The intent of these requirements is to ensure that certain information that is of interest to end users and test labs alike will be included somewhere in the user documentation. To speed the test lab review, manufacturers should provide test labs with a short index that points out which sections of the user documentation are responsive to which sections of these requirements.

4.1 System Overview

4.1-A User documentation, system overview

In the system overview, the manufacturer SHALL provide information that enables the user to identify the functional and physical components of the system, how the components are structured, and the interfaces between them.

Applies To: Voting system

Source: [VSS2002] II.2.2

4.1-A.1 User documentation, system overview functional diagram

The system overview SHALL include a high-level functional diagram of the voting system that includes all of its components. The diagram SHALL portray how the various components relate and interact.

Applies To: Voting system

Source: [EAC06] 4.3.2.3

4.1.1 System description

4.1.1-A User documentation, system description

The system description SHALL include written descriptions, drawings and diagrams that present:

  1. A description of the functional components (or subsystems) as defined by the manufacturer (e.g., environment, election management and control, vote recording, vote conversion, reporting, and their logical relationships);
  2. A description of the operational environment of the system that provides an overview of the hardware, firmware, software, and communications structure;
  3. A concept of operations that explains each system function and how the function is achieved in the design;
  4. Descriptions of the functional and physical interfaces between subsystems and components;
  5. Identification of all COTS products (both hardware and software) included in the system and/or used as part of the system's operation, identifying the name, manufacturer, and version used for each such component;
  6. Communications (dial-up, network) software;
  7. Interfaces among internal components and interfaces with external systems. For components that interface with other components for which multiple products may be used, the manufacturer SHALL identify file specifications, data objects, or other means used for information exchange, and the public standard used for such file specifications, data objects, or other means; and
  8. Benchmark directory listings for all software and firmware and associated documentation included in the manufacturer's release in the order in which each piece of software or firmware would normally be installed upon system setup and installation.

Applies To: Voting system

Source: [VSS2002] II.2.2.1

4.1.1-B User documentation, identify software and firmware by origin

The system description SHALL include the identification of all software and firmware items, indicating items that were:

  1. Written in-house;
  2. Written by a subcontractor;
  3. Procured as COTS; and
  4. Procured and modified, including descriptions of the modifications to the software or firmware and to the default configuration options.

Applies To: Voting system

Source: [VSS2002] II.2.5.3.c

4.1.1-C User documentation, traceability of procured software

The system description SHALL include a declaration that procured software items were obtained directly from the manufacturer or a licensed dealer or distributor.

Applies To: Voting system

DISCUSSION

For most noncommercial software, this would mean a declaration that the software was downloaded from the canonical site or a trustworthy mirror. It is generally accepted practice for the core contributors to major open-source software packages to digitally sign the distributions. Verifying these signatures provides greater assurance that the package has not been modified.

Source: [VSS2002] II.2.5.3

4.1.2 System performance

4.1.2-A User documentation, system performance

The manufacturer SHALL provide system performance information including:

  1. Device capacities and limits that were stated in the implementation statement (see Part 1: 2.4 “Software Independence”);
  2. If not already covered in the implementation statement, performance characteristics of each operating mode and function in terms of expected and maximum speed, throughput capacity, maximum volume (maximum number of voting positions and maximum number of ballot styles supported), and processing frequency;
  3. Quality attributes such as reliability, maintainability, availability, usability, and portability;
  4. Provisions for safety, security, privacy, and continuity of operation; and
  5. Design constraints, applicable standards, and compatibility requirements.

Applies To: Voting system

Source: [VSS2002] II.2.2.2

4.1.2-A.1 User documentation, central tabulator maximum tabulation rate

The maximum tabulation rate for a central tabulator SHALL be documented by the manufacturer. This documentation SHALL include the maximum tabulation rate for individual components that impact the overall maximum tabulation rate.

Applies To: Central tabulator

DISCUSSION

The capacity to convert the marks on individual ballots into signals is uniquely important to central count systems.

Source: [VSS2002] I.3.2.5.1.1

4.1.2-A.2 User documentation, reliably detectable marks

For an optical scanner, the manufacturer SHALL document what constitutes a reliably detectable mark versus a marginal mark.

Applies To: Optical scanner

DISCUSSION

See Part 1: 7.7.5.1 “Marginal marks”. The specification may be parameterized by configuration values and should state the uncertainty.

Source: New requirement

4.2 System Functionality Description

4.2-A User documentation, system functionality description

The manufacturer SHALL provide a listing of the system's functional processing capabilities, encompassing capabilities required by the VVSG, and any additional capabilities provided by the system, with a description of each capability.

  1. The manufacturer SHALL explain, in a manner that is understandable to users, the capabilities of the system that were declared in the implementation statement;
  2. Additional capabilities (extensions) SHALL be clearly indicated;
  3. Required capabilities that may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated;
  4. Additional capabilities that function only when activated during installation or operation by the user SHALL be clearly indicated; and
  5. Additional capabilities that normally are active but may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated.

Applies To: Voting system

Source: [VSS2002] II.2.3

4.3 System Security Specification

4.3.1 Access control

4.3.1-A User documentation, access control implementation, configuration, and management

Manufacturers SHALL provide user documentation containing guidelines and usage instructions on implementing, configuring, and managing access control capabilities.

Applies To: Voting system

Source: [VVSG2005] I.7.2.1.2

4.3.1-B User documentation, access control policy template

Manufacturers SHALL provide, within the user documentation, an access control policy template or instructions to facilitate the implementation of the access control policy and associated access controls on the voting system.

Applies To: Voting system

DISCUSSION

Access control policy requirements include the minimum baseline policy definitions necessary for testing and implementation of the voting system. The policies may be pre-defined within the voting system or provided as guidelines in the documentation.

Source: [VVSG2005] I.7.2.1

4.3.1-C User documentation, model access control policy

Manufacturers SHALL provide, within the user documentation, a model access control policy under which the voting system was designed to operate and a description of the hazards of deviating from this policy.

Applies To: Voting system

DISCUSSION

The model access control policy includes the assumptions that were made when the system was designed, the justification for the policy, and the hazards of deviating from the policy.

Source: [VVSG2005] I.7.2.1

4.3.1-D User documentation, privileged account

The manufacturer SHALL disclose and document information on all privileged accounts included on the voting system.

Applies To: Voting system

DISCUSSION

Information on privileged accounts include the name of the account, purpose, capabilities and permissions, and how to disable the account in the user documentation.

Source: [VVSG2005] I.7.2.1.2

4.3.2 System event logging

4.3.2-A User documentation, system event logging

Manufacturers SHALL provide user documentation that describes system event logging capabilities and usage.

Applies To: Voting system

Source: [VVSG2005] I.5.4

4.3.2-B User documentation, log format

Manufacturers SHALL publicly publish fully documented log format information.

Applies To: Voting system

DISCUSSION

The log format and the meaning of all possible types of log entries must be fully documented in sufficient detail to allow independent manufacturers to implement utilities to parse the log file. This documentation must be publicly available, free of charge, and not just in the TDP. The documentation may be housed by the EAC or the test lab.

Source: [VVSG2005] I.5.4

4.3.3 Software installation

4.3.3-A User documentation, software list

The manufacturer SHALL provide a list of all software to be installed on the programmed devices of the voting system and installation software used to install the software in the user documentation.

Applies To: Programmed device

DISCUSSION

Software to be installed on programmed devices of the voting system includes executable code, configuration files, data files, and election specific software.

4.3.3-B User documentation, software information

The manufacturer SHALL provide at a minimum in the user documentation the following information for each piece of software to be installed or used to install software on programmed devices of the voting system: software product name, software version number, software manufacturer name, software manufacturer contact information, type of software (application logic, border logic, third party logic, COTS software, or installation software), list of software documentation, component identifier(s) (such filename(s)) of the software, type of software component (executable code, source code, or data).

Applies To: Programmed device

4.3.3-C User documentation, software location information

The manufacturer SHALL provide in the user documentation the location (such as full path name or memory address) and storage device (such as type and part number of storage device) where each piece of software is installed on programmed devices of the voting system.

Applies To: Programmed device

DISCUSSION

This requirement applies to software installed on programmed devices of the voting system. The full directory path is the final destination of the software when installed on non-volatile storage with a file system.

4.3.3-D User documentation, election specific software identification

The manufacturer SHALL identify election specific software in the user documentation.

Applies To: Programmed device

4.3.3-E User documentation, installation software and hardware

The manufacturer SHALL provide a list of software and hardware required to install software on programmed devices of the voting system in the user documentation.

Applies To: Programmed device

4.3.3-F User documentation, software installation procedure

The manufacturer SHALL document the software installation procedures used to install software on programmed devices of the voting system in user documentation.

Applies To: Programmed device

Source: [VVSG2005] Volume III, Section 2.2.3(a)

4.3.3-G User documentation, compiler installation prohibited

The software installation procedures used to install software on programmed devices of the voting system SHALL result in no compilers being installed on the programmed device.

Applies To: Programmed device

4.3.3-G.1 User documentation, programmed device configuration baseline binary image creation

To replicate programmed device configurations, the software installation procedures SHALL create a baseline binary image of the initial programmed device configuration on an unalterable storage media with a digital signature.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

4.3.3-G.2 User documentation, programmed device configuration replication

The software installation procedures SHALL use the baseline binary image of the initial programmed device configuration on an unalterable storage media to replicate the configuration on to other programmed devices.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

4.3.3-H User documentation, software installation record creation

The software installation procedures SHALL specify the creation of a software installation record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location of the software installation; names, affiliations, and signatures of all people present; copies of the procedures used to install the software on the programmed devices of the voting system; the certification number of the voting system; list of the software installed on programmed devices of the voting system; and a unique identifier (such as a serial number) of the vote-capture device or EMS which the software is installed.

Applies To: Programmed device

4.3.3-I User documentation, procurement of voting system software

The software installation procedures SHALL specify that voting system software be obtained from test labs or distribution repositories.

Applies To: Programmed device

DISCUSSION

Distribution repositories provide software they receive to parties approved by the owner of the software.

4.3.3-J User documentation, open market procurement of COTS software

The software installation procedures SHALL specify that COTS software be obtained from the open market.

Applies To: Programmed device

4.3.3-K User documentation, erasable storage media preparation

The software installation procedures SHALL specify how previously stored information on erasable storage media is removed before installing software on the media.

Applies To: Programmed device

DISCUSSION

The purpose of this requirement is to prepare erasable storage media for use by the programmed devices of the voting system. The requirement does not require the prevention of previously stored information leakage or recovery. Simply deleting files from file systems, flashing memory cards, and removing electrical power from volatile memory satisfies this requirement.

4.3.3-L User documentation, installation media unalterable storage media

The software installation procedures SHALL specify that unalterable storage media be used to install software on programmed devices of the voting system.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

4.3.4 Physical security

4.3.4-A User documentation, physical security

Manufacturer SHALL provide user documentation explaining the implementation of all physical security controls for the voting device, including model procedures necessary for effective use of countermeasures.

Applies To: Voting device

4.3.5 Setup inspection

4.3.5-A User documentation, model setup inspection process

The manufacturer SHALL provide a model setup inspection process that the voting device was designed to support and description of the risks of deviating from the process in the user documentation.

Applies To: Voting device

DISCUSSION

The model setup inspection process provides a means to inspect various properties of voting devices as needed during the election process.

4.3.5-A.1 User documentation, minimum properties included in a model setup inspection process

A model setup inspection process SHALL at a minimum include the inspection of voting system software, storage locations that hold election information that changes during an election, other voting device properties, and execution of logic and accuracy testing related to readiness of use in an election.

Applies To: Voting device

DISCUSSION

See requirements in Part 1: 5.2 “Setup Inspection”.

Source: [VVSG2005] I.7.4.6 (a) and (f)

4.3.5-B User documentation, model setup inspection record generation

The model setup inspection process SHALL describe the records that result from performing the setup inspection process.

Applies To: Voting device

Source: [VVSG2005] I.5.4.2

4.3.5-C User documentation, installed software identification procedure

The manufacturer SHALL provide the procedures to identify all software installed on programmed devices of the voting system in the user documentation.

Applies To: Programmed device

DISCUSSION

This requirement provides the ability to identify if the proper software is installed and that no other software is present on programmed devices of the voting system. This requirement covers software stored on storage media with or without a file system.

Source: [VVSG2005] I.7.4.6 (b)(ii)

4.3.5-D User documentation, software integrity verification procedure

The manufacturer SHALL describe the procedures to verify the integrity of software installed on programmed devices of voting system in the user documentation.

Applies To: Programmed device

Source: [VVSG2005] I.7.4.6 (b)(ii)

4.3.5-E User documentation, election information value

The manufacturer SHALL provide the values of voting device storage locations that hold election information that changes during the election, except for the values set to conduct a specific election in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(ii)

4.3.5-F User documentation, maximum and minimum values of election information storage locations

The manufacturer SHALL provide the maximum and minimum values voting device storage locations that hold election information changes during an election can store in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(ii)

4.3.5-G User documentation, register and variable value inspection procedure

The manufacturer SHALL provide the procedures to inspect the values of voting device storage locations that hold election information that changes for an election in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(i)

4.3.5-H User documentation, backup power operational range

The manufacturers SHALL provide the nominal operational range for the backup power sources of the voting device in the user documentation.

Applies To: Voting device

4.3.5-I User documentation, backup power inspection procedure

The manufacturer SHALL provide the procedures to inspect the remaining charge of the backup power sources of the voting device in the user documentation.

Applies To: Voting device

4.3.5-J User documentation, cabling connectivity inspection procedure

The manufacturer SHALL provide the procedures to inspect the connectivity of the cabling attached to the voting device in the user documentation.

Applies To: Voting device

4.3.5-K User documentation, communications operational status inspection procedure

The manufacturer SHALL provide the procedures to inspect the operational status of the communications capabilities of the voting device in the user documentation.

Applies To: Voting device

4.3.5-L User documentation, communications on/off status inspection procedure

The manufacturer SHALL provide the procedures to inspect the on/off status of the communications capabilities of the voting device in the user documentation.

Applies To: Voting device

4.3.5-M User documentation, consumables quantity of voting equipment

The manufacturer SHALL provide a list of consumables associated with the voting device, including estimated number of usages per quantity of consumable in the user documentation.

Applies To: Voting device

4.3.5-N User documentation, consumable inspection procedure

The manufacturer SHALL provide the procedures to inspect the remaining amount of each consumable of the voting device in the user documentation.

Applies To: Voting device

4.3.5-O User documentation, calibration of voting device components nominal range

The manufacturer SHALL provide a list of components associated with the voting device that require calibration and the nominal operating ranges for each component in the user documentation.

Applies To: Voting device

4.3.5-P User documentation, calibration of voting device components inspection procedure

The manufacturer SHALL provide the procedures to inspect the calibration of each component in the user documentation.

Applies To: Voting device

4.3.5-Q User documentation, calibration of voting device components adjustment procedure

The manufacturer SHALL provide the procedures to adjust the calibration of each component in the user documentation.

Applies To: Voting device

4.3.5-R User documentation, model checklist of properties to be inspected

The manufacturer SHALL provide a model checklist of other properties of the voting device to be inspected, including a description of the risks on not performing a given inspection in the user documentation.

Applies To: Voting device

DISCUSSION

Voting devices may have other properties that need to be inspected that are not covered in Part 1: 5.2 “Setup Inspection”. This requirement provides a mechanism for the properties not covered in Part 1 Section 5.2 to be captured.

4.3.5-R.1 User documentation, minimal voting device properties covered by model checklist

The model checklist of other properties of the voting device to be inspected SHALL at a minimum include: the inspection of backup power sources, cabling, communications capabilities, consumables, calibration of voting device components, general physical features of the voting device, and securing external interfaces of the voting device not being used.

Applies To: Voting device

DISCUSSION

Voting device may have other properties that need to be inspected that are not covered in Part 1: 5.2 “Setup Inspection”. This requirement provides a mechanism for the properties not covered in Part 1 Section 5.2 to be captured.

4.3.6 Audit

4.3.6-A User documentation, pollbook audit

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the pollbook audit.

Applies To: Voting system

DISCUSSION

In order to fully support the pollbook audit, the voting system documentation must provide enough information for election officials to carry out the auditing step. This includes explaining how to generate all needed reports, how to check the reports against one another for agreement, and how to deal with errors and other unusual problems that come up during the audit step.

4.3.6-B User documentation, hand audit

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the hand audit.

Applies To: Voting system

DISCUSSION

The user documentation must explain how to produce all necessary reports and reconcile the records by hand-auditing.

4.3.6-C User documentation, ballot count and vote total auditing

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the final election tally.

Applies To: Voting system

DISCUSSION

In order to fully support the audit, the voting system documentation must provide enough information for election officials to carry out the auditing step. This includes explaining how to generate all needed reports, how to check the reports against one another for agreement, and how to deal with errors and other unusual problems that come up during the audit step.

4.3.6-D User documentation, observational testing

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for observational testing.

Applies To: Voting system

4.3.6-E User documentation, machine readability of VVPAT VVPR

The manufacturer SHALL provide documentation for a procedure to scan VVPAT VVPR by optical character recognition.

Applies To: VVPAT

Source: [VVSG2005] I.7.9.3-g

4.4 System Operations Manual

4.4-A User documentation, system operations manual

The system operations manual SHALL provide all information necessary for system use by all personnel who support pre-election and election preparation, polling place activities, and central counting activities, as applicable, with regard to all system functions and operations identified in Part 2: 4.2 “System Functionality Description”.

Applies To: Voting system

DISCUSSION

The nature of the instructions for operating personnel will depend upon the overall system design and required skill level of system operations support personnel.

Source: [VSS2002] II.2.8

4.4-B Operations manual, support training

The system operations manual SHALL contain all information that is required for the preparation of detailed system operating procedures and for the training of administrators, central election officials, election judges, and poll workers.

Applies To: Voting system

Source: [VSS2002] II.2.8

4.4.1 Introduction

4.4.1-A Operations manual, functions and modes

The manufacturer SHALL provide a summary of system operating functions and modes to permit understanding of the system's capabilities and constraints.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

4.4.1-B Operations manual, roles

The roles of operating personnel SHALL be identified and related to the operating modes of the system.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

4.4.1-C Operations manual, conditional actions

Decision criteria and conditional operator functions (such as error and failure recovery actions) SHALL be described.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

4.4.1-D Operations manual, references

The manufacturer SHALL also list all reference and supporting documents pertaining to the use of the system during election operations.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

4.4.2 Operational environment

4.4.2-A Operations manual, operational environment

The manufacturer SHALL describe the system environment and the interface between the election official or voter and the system.

Applies To: Voting system

Source: [VSS2002] II.2.8.2

4.4.2-B Operations manual, operational environment details 1

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment operations, including equipment that operates at the:

  1. Polling place;
  2. Central count facility; and
  3. Other locations.

Applies To: Voting system

Source: [VSS2002] II.2.8.2

4.4.2-C Operations manual, operational environment details 2

The user documentation supplied by the manufacturer SHALL include a statement of all requirements and restrictions regarding environmental protection, electrical service, recommended auxiliary power, telecommunications service, and any other facility or resource required for the proper installation and operation of the system.

Applies To: Voting system

Source: [VSS2002] I.3.2.2

4.4.3 System installation and test specification

4.4.3-A Operations manual, readiness testing

The manufacturer SHALL provide specifications for testing of system installation and readiness.

Applies To: Voting system

DISCUSSION

Readiness testing refers to steps that election officials can take after deploying and configuring equipment to establish that it was correctly deployed and configured. Logic and accuracy testing would be part of this.

Source: [VSS2002] II.2.8.3

4.4.3-A.1 Operations manual, readiness test entire system

These specifications SHALL cover testing of all components of the system and all locations of installation (e.g., polling place, central count facility), and SHALL address all elements of system functionality and operations identified in Part 2: 4.2 “System Functionality Description” above, including general capabilities and functions specific to particular voting activities.

Applies To: Voting system

Source: [VSS2002] II.2.8.3

4.4.4 Operational features

4.4.4-A Operations manual, features

The manufacturer SHALL provide documentation of system operating features that includes:

  1. Detailed descriptions of all input, output, control, and display features accessible to the operator or voter;
  2. Examples of simulated interactions to facilitate understanding of the system and its capabilities;
  3. Sample data formats and output reports; and
  4. Illustration and description of all status indicators and information messages.

Applies To: Voting system

Source: [VSS2002] II.2.8.4

4.4.4-B Operations manual, document straight party override algorithms

For systems that support straight party voting, the manufacturer SHALL document the available algorithms for counting straight party overrides.

Applies To: Straight party voting

DISCUSSION

See Requirement Part 1: 7.7.2-A.12.

Source: New requirement

4.4.4-C Operations manual, document double vote reconciliation algorithms

For systems that support write-in voting, the manufacturer SHALL document the available algorithms for reconciling write-in double votes.

Applies To: Write-ins

DISCUSSION

See Requirement Part 1: 7.7.2-A.9.

Source: New requirement

4.4.5 Operating procedures

4.4.5-A Operations manual, operating procedures

The manufacturer SHALL provide documentation of system operating procedures that:

  1. Provides a detailed description of procedures required to initiate, control, and verify proper system operation;
  2. Provides procedures that clearly enable the operator to assess the correct flow of system functions (as evidenced by system-generated status and information messages);
  3. Provides procedures that clearly enable the administrator to intervene in system operations to recover from an abnormal system state;
  4. Defines and illustrates the procedures and system prompts for situations where operator intervention is required to load, initialize, and start the system;
  5. Defines and illustrates procedures to enable and control the external interface to the system operating environment if supporting hardware and software are involved. Such information also SHALL be provided for the interaction of the system with other data processing systems or data interchange protocols;
  6. Provides administrative procedures and off-line operator duties (if any) if they relate to the initiation or termination of system operations, to the assessment of system status, or to the development of an audit trail;
  7. Supports successful ballot and program installation and control by central election officials;
  8. Provides a schedule and steps for the software and ballot installation, including a table outlining the key dates, events and deliverables; and
  9. Specifies diagnostic tests that may be employed to identify problems in the system, verify the correction of problems, and isolate and diagnose faults from various system states.

Applies To: Voting system

Source: [VSS2002] I.2.3.3.a and II.2.8.5

4.4.5-B Operations manual, VVPAT printer error recovery guidelines

Manufacturers of VVPATs SHALL provide documentation for procedures to recover from VVPAT printer errors and faults including procedures for how to cancel a vote suspended during an error.

Applies To: VVPAT

DISCUSSION

If the printer irrecoverably locks up, the vote needs to be able to be canceled, so the voter can cast a vote on another device. Alternatively, it would be okay to store the vote as is, if the vote is complete. This requirement restates [VVSG2005] I.7.9.4-k by requiring documentation for recovering from printer errors.

Source: [VVSG2005] I.7.9.4-k

4.4.5-C Operations manual, Paper-roll VVPATs privacy-ensuring procedures

Manufacturers of paper-roll VVPATs SHALL provide documentation describing necessary procedures for handling the paper roll in a way that preserves voter privacy.

Applies To: VVPAT

DISCUSSION

Along with a secure, opaque container designed to accommodate tamper-seals and a lock, the voting system needs to document what must be done to protect voter privacy with the paper rolls. The goal of this requirement is to ensure that the election officials are given guidance on exactly what must be done to protect the privacy of voters.

Source: [VVSG2005] I.7.9.5-b

4.4.6 Documentation for poll workers

Documentation for poll workers is covered under Part 1: 3.2.8 “Usability for poll workers” and 3.3.1 “General”.

4.4.7 Operations support

4.4.7-A Operations manual, operations support

The manufacturer SHALL provide documentation of system operating procedures that:

  1. Defines the procedures required to support system acquisition, installation, and readiness testing; and
  2. Describes procedures for providing technical support, system maintenance and correction of defects and for incorporating hardware upgrades and new software releases.

Applies To: Voting system

Source: [VSS2002] II.2.8.6

4.4.8 Transportation and storage

4.4.8-A Operations manual, transportation

The manufacturer SHALL include any special instructions for preparing voting devices for shipment.

Applies To: Voting system

Source: New requirement

4.4.8-B Operations manual, storage

The manufacturer SHALL include any special storage instructions for voting devices.

Applies To: Voting system

Source: [VSS2002] I.3.2.2.1

4.4.8-C Operations manual, procedures to ensure archivalness

The manufacturer SHALL detail the care and handling precautions necessary for removable media and records to satisfy Requirement Part 1: 6.5.1-A.

Applies To: Voting system

Source: New requirement

4.4.9 Appendices

The manufacturer may provide descriptive material and data supplementing the various sections of the body of the system operations manual. The content and arrangement of appendices are at the discretion of the manufacturer. Topics recommended for discussion include:

  • Glossary: A listing and brief definition of all terms that may be unfamiliar to persons not trained in either voting systems or computer operations;
  • References: A list of references to all manufacturer documents and to other sources related to operation of the system;
  • Detailed Examples: Detailed scenarios that outline correct system responses to faulty operator input. Alternative procedures may be specified depending on the system state; and
  • Manufacturer's Recommended Security Procedures: Security procedures that are to be executed by the system operator.

4.5 System Maintenance Manual

4.5-A User documentation, system maintenance manual

The system maintenance manual SHALL provide information to support election workers, information systems personnel, or maintenance personnel in the adjustment or removal and replacement of components or modules in the field.

Applies To: Voting system

DISCUSSION

Technical documentation needed solely to support the repair of defective components or modules ordinarily done by the manufacturer or software developer is not required.

Source: [VSS2002] II.2.9

4.5-B Maintenance manual, general contents

The manufacturer SHALL describe service actions recommended to correct malfunctions or problems; personnel and expertise required to repair and maintain the system, equipment, and materials; and facilities needed for proper maintenance.

Applies To: Voting system

Source: [VSS2002] II.2.9

4.5.1 Introduction

4.5.1-A Maintenance manual, equipment overview, maintenance viewpoint

The manufacturer SHALL describe the structure and function of the hardware, firmware and software for election preparation, programming, vote recording, tabulation, and reporting in sufficient detail to provide an overview of the system for maintenance and for identification of faulty hardware or software.

Applies To: Voting system

Source: [VSS2002] II.2.9.1

4.5.1-A.1 Maintenance manual, equipment overview details

The description SHALL include a concept of operations that fully describes such items as:

  1. Electrical and mechanical functions of the equipment;
  2. How the processes of ballot handling and reading are performed (paper-based systems);
  3. For electronic vote-capture devices, how vote selection and casting of the ballot are performed;
  4. How transmission of data over a network is performed (if applicable);
  5. How data are handled in the processor and memory units;
  6. How data output is initiated and controlled;
  7. How power is converted or conditioned; and
  8. How test and diagnostic information is acquired and used.

Applies To: Voting system

Source: [VSS2002] II.2.9.1

4.5.2 Maintenance procedures

4.5.2-A Maintenance manual, maintenance procedures

The manufacturer SHALL describe preventive and corrective maintenance procedures for hardware, firmware and software.

Applies To: Voting system

Source: [VSS2002] II.2.9.2

4.5.2.1 Preventive maintenance procedures

4.5.2.1-A Maintenance manual, preventive maintenance procedures

The manufacturer SHALL identify and describe:

  1. All required and recommended preventive maintenance tasks, including software and data backup, database performance analysis, and database tuning;
  2. Number and skill levels of personnel required for each task;
  3. Parts, supplies, special maintenance equipment, software tools, or other resources needed for maintenance; and
  4. Any maintenance tasks that must be coordinated with the manufacturer or a third party (such as coordination that may be needed for COTS used in the system).

Applies To: Voting system

Source: [VSS2002] II.2.9.2.1

4.5.2.2 Corrective maintenance procedures

4.5.2.2-A Maintenance manual, troubleshooting procedures

The manufacturer SHALL provide fault detection, fault isolation, correction procedures, and logic diagrams for all operational abnormalities identified by design analysis and operating experience.

Applies To: Voting system

Source: [VSS2002] II.2.9.2.2

4.5.2.2-B Maintenance manual, troubleshooting procedures details

The manufacturer SHALL identify specific procedures to be used in diagnosing and correcting problems in the system hardware, firmware and software. Descriptions shall include:

  1. Steps to replace failed or deficient equipment;
  2. Steps to correct deficiencies or faulty operations in software or firmware;
  3. Modifications that are necessary to coordinate any modified or upgraded software or firmware with other modules;
  4. Number and skill levels of personnel needed to accomplish each procedure;
  5. Special maintenance equipment, parts, supplies, or other resources needed to accomplish each procedure; and
  6. Any coordination required with the manufacturer, or other party, for COTS.

Applies To: Voting system

Source: [VSS2002] II.2.9.2.2

4.5.3 Maintenance equipment

4.5.3-A Maintenance manual, special equipment

The manufacturer SHALL identify and describe any special purpose test or maintenance equipment recommended for fault isolation and diagnostic purposes.

Applies To: Voting system

Source: [VSS2002] II.2.9.3

4.5.4 Parts and materials

4.5.4-A Maintenance manual, parts and materials

Manufacturers SHALL provide detailed documentation of parts and materials needed to operate and maintain the system.

Applies To: Voting system

Source: [VSS2002] II.2.9.4

4.5.4.1 Common standards

4.5.4.1-A Maintenance manual, approved parts list

The manufacturer SHALL provide a complete list of approved parts and materials needed for maintenance. This list SHALL contain sufficient descriptive information to identify all parts by:

  1. Type;
  2. Size;
  3. Value or range;
  4. Manufacturer's designation;
  5. Individual quantities needed; and
  6. Sources from which they may be obtained.

Applies To: Voting system

Source: [VSS2002] I.3.4.1.b, II.2.9.4.1

4.5.4.2 Paper-based systems

4.5.4.2-A Maintenance manual, parts and materials, marking devices

The manufacturer SHALL identify specific marking devices that, if used to make the prescribed form of mark, produce readable marked ballots so that the system meets the performance requirements for accuracy.

Applies To: Optical scanner

DISCUSSION

Includes pens and pencils for MCOS or the appropriate EBM for ECOS.

Source: Simplified from [VSS2002] I.3.2.4.2.3

4.5.4.2-A.1 Maintenance manual, marking devices, approved manufacturers

For marking devices manufactured by multiple external sources, the manufacturer SHALL specify a listing of sources and model numbers that satisfy these requirements.

Applies To: Voting system

Source: [VSS2002] I.3.2.4.2.3.c and II.2.9.4.2

4.5.4.2-B Maintenance manual, ballot stock specification

The manufacturer SHALL specify the required paper stock, weight, size, shape, opacity, color, watermarks, field layout, orientation, size and style of printing, size and location of vote response fields and to identify unique ballot styles, placement of alignment marks, ink for printing, and folding and bleed-through limitations for preparation of ballots that are compatible with the system.

Applies To: Paper-based device

Source: [VSS2002] I.2.3.1.3.1.c, I.3.2.4.2.1.c, II.2.9.4.2

4.5.4.2-C Maintenance manual, ballot stock specification criteria

User documentation for optical scanners SHALL include specifications for ballot materials to ensure that votes are read from only a single ballot at a time, without bleed-through or transferal of marks from one ballot to another.

Applies To: Optical scanner

Source: [VSS2002] I.2.3.1.3.2, revised

4.5.4.2-D Maintenance manual, printer paper specification

User documentation for voting systems that include printers SHALL include specifications of the paper necessary to ensure correct operation, minimize jamming, and satisfy Requirement Part 1: 6.4.4-B and Requirement Part 1: 6.5.1-A.

Applies To: Voting system

DISCUSSION

This requirement covers all printers, either stand-alone or integrated with another device, regardless whether they are used for reporting, for logging, for VVPR, etc.

Source: New requirement

4.5.5 Maintenance facilities and support

4.5.5-A Maintenance manual, maintenance environment

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment maintenance.

Applies To: Voting system

Source: [VSS2002] II.2.9.5

4.5.5-B Maintenance manual, maintenance support and spares

Manufacturers SHALL specify:

  1. Recommended number and locations of spare devices or components to be kept on hand for repair purposes during periods of system operation;
  2. Recommended number and locations of qualified maintenance personnel who need to be available to support repair calls during system operation; and
  3. Organizational affiliation (e.g., jurisdiction, manufacturer) of qualified maintenance personnel.

Applies To: Voting system

Source: [VSS2002] I.3.4.5, II.2.9.5

4.5.6 Appendices

The manufacturer may provide descriptive material and data supplementing the various sections of the body of the system maintenance manual. The content and arrangement of appendices are at the discretion of the manufacturer. Topics recommended for amplification or treatment in appendix include:

  • Glossary: A listing and brief definition of all terms that may be unfamiliar to persons not trained in either voting systems or computer maintenance;
  • References: A list of references to all manufacturer documents and other sources related to maintenance of the system;
  • Detailed Examples: Detailed scenarios that outline correct system responses to every conceivable faulty operator input; alternative procedures may be specified depending on the system state; and
  • Maintenance and Security Procedures: Technical illustrations and schematic representations of electronic circuits unique to the system.

4.6 Personnel Deployment and Training Requirements

4.6-A User documentation, training manual

The manufacturer SHALL describe the personnel resources and training required for a jurisdiction to operate and maintain the system.

Applies To: Voting system

Source: [VSS2002] II.2.10

4.6.1 Personnel

4.6.1-A Training manual, personnel

The manufacturer SHALL specify the number of personnel and skill levels required to perform each of the following functions:

  1. Pre-election or election preparation functions (e.g., entering an election, contest and candidate information; designing a ballot; generating pre-election reports);
  2. System operations for voting system functions performed at the polling place;
  3. System operations for voting system functions performed at the central count facility;
  4. Preventive maintenance tasks;
  5. Diagnosis of faulty hardware, firmware, or software;
  6. Corrective maintenance tasks; and
  7. Testing to verify the correction of problems.

Applies To: Voting system

Source: [VSS2002] II.2.10.1

4.6.1-B Training manual, user functions versus manufacturer functions

The manufacturer SHALL distinguish which functions may be carried out by user personnel and which must be performed by manufacturer personnel.

Applies To: Voting system

Source: [VSS2002] II.2.10.1

4.6.2 Training

4.6.2-A Training manual, training requirements

The manufacturer SHALL specify requirements for the orientation and training of administrators, central election officials, election judges, and poll workers.

Applies To: Voting system

Source: [VSS2002] II.2.10.2