Chapter 4: Voting Equipment User Documentation (manufacturer)

In the system overview, the manufacturer SHALL provide information that enables the user to identify the functional and physical components of the system, how the components are structured, and the interfaces between them.

The system overview SHALL include a high-level functional diagram of the voting system that includes all of its components. The diagram SHALL portray how the various components relate and interact.

The system description SHALL include written descriptions, drawings and diagrams that present:

1. A description of the functional components (or subsystems) as defined by the manufacturer (e.g., environment, election management and control, vote recording, vote conversion, reporting, and their logical relationships);
2. A description of the operational environment of the system that provides an overview of the hardware, firmware, software, and communications structure;
   
3. A concept of operations that explains each system function and how the function is achieved in the design;
   
4. Descriptions of the functional and physical interfaces between subsystems and components;
   
5. Identification of all COTS products (both hardware and software) included in the system and/or used as part of the system's operation, identifying the name, manufacturer, and version used for each such component;
   
6. Communications (dial-up, network) software;
   
7. Interfaces among internal components and interfaces with external systems.  For components that interface with other components for which multiple products may be used, the manufacturer SHALL identify file specifications, data objects, or other means used for information exchange, and the public standard used for such file specifications, data objects, or other means; and
   
8. Benchmark directory listings for all software and firmware and associated documentation included in the manufacturer's release in the order in which each piece of software or firmware would normally be installed upon system setup and installation.

The system description SHALL include the identification of all software and firmware items, indicating items that were:

1. Written in-house;
2. Written by a subcontractor;
   
3. Procured as COTS; and
   
4. Procured and modified, including descriptions of the modifications to the software or firmware and to the default configuration options.

The system description SHALL include a declaration that procured software items were obtained directly from the manufacturer or a licensed dealer or distributor.

The manufacturer SHALL provide system performance information including:

1. Device capacities and limits that were stated in the implementation statement (see Part 1: 2.4 “Software Independence”);
2. If not already covered in the implementation statement, performance characteristics of each operating mode and function in terms of expected and maximum speed, throughput capacity, maximum volume (maximum number of voting positions and maximum number of ballot styles supported), and processing frequency;
   
3. Quality attributes such as reliability, maintainability, availability, usability, and portability;
   
4. Provisions for safety, security, privacy, and continuity of operation; and
   
5. Design constraints, applicable standards, and compatibility requirements.

The maximum tabulation rate for a central tabulator SHALL be documented by the manufacturer.  This documentation SHALL include the maximum tabulation rate for individual components that impact the overall maximum tabulation rate.

For an optical scanner, the manufacturer SHALL document what constitutes a reliably detectable mark versus a marginal mark.

The manufacturer SHALL provide a listing of the system's functional processing capabilities, encompassing capabilities required by the VVSG, and any additional capabilities provided by the system, with a description of each capability.

1. The manufacturer SHALL explain, in a manner that is understandable to users, the capabilities of the system that were declared in the implementation statement;
2. Additional capabilities (extensions) SHALL be clearly indicated;
   
3. Required capabilities that may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated;
   
4. Additional capabilities that function only when activated during installation or operation by the user SHALL be clearly indicated; and
   
5. Additional capabilities that normally are active but may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated.

Manufacturers SHALL provide user documentation containing guidelines and usage instructions on implementing, configuring, and managing access control capabilities.

Manufacturers SHALL provide, within the user documentation, an access control policy template or instructions to facilitate the implementation of the access control policy and associated access controls on the voting system.

Manufacturers SHALL provide, within the user documentation, a model access control policy under which the voting system was designed to operate and a description of the hazards of deviating from this policy.

The manufacturer SHALL disclose and document information on all privileged accounts included on the voting system.

Manufacturers SHALL provide user documentation that describes system event logging capabilities and usage.

Manufacturers SHALL publicly publish fully documented log format information.

The manufacturer SHALL provide a list of all software to be installed on the programmed devices of the voting system and installation software used to install the software in the user documentation.

The manufacturer SHALL provide at a minimum in the user documentation the following information for each piece of software to be installed or used to install software on programmed devices of the voting system: software product name, software version number, software manufacturer name, software manufacturer contact information, type of software (application logic, border logic, third party logic, COTS software, or installation software), list of software documentation, component identifier(s) (such filename(s)) of the software, type of software component (executable code, source code, or data).

The manufacturer SHALL provide in the user documentation the location (such as full path name or memory address) and storage device (such as type and part number of storage device) where each piece of software is installed on programmed devices of the voting system.

The manufacturer SHALL identify election specific software in the user documentation.

The manufacturer SHALL provide a list of software and hardware required to install software on programmed devices of the voting system in the user documentation.

The manufacturer SHALL document the software installation procedures used to install software on programmed devices of the voting system in user documentation.

The software installation procedures used to install software on programmed devices of the voting system SHALL result in no compilers being installed on the programmed device.

To replicate programmed device configurations, the software installation procedures SHALL create a baseline binary image of the initial programmed device configuration on an unalterable storage media with a digital signature.

The software installation procedures SHALL use the baseline binary image of the initial programmed device configuration on an unalterable storage media to replicate the configuration on to other programmed devices.

The software installation procedures SHALL specify the creation of a software installation record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location of the software installation; names, affiliations, and signatures of all people present; copies of the procedures used to install the software on the programmed devices of the voting system; the certification number of the voting system; list of the software installed on programmed devices of the voting system; and a unique identifier (such as a serial number) of the vote-capture device or EMS which the software is installed.

The software installation procedures SHALL specify that voting system software be obtained from test labs or distribution repositories.

The software installation procedures SHALL specify that COTS software be obtained from the open market.

The software installation procedures SHALL specify how previously stored information on erasable storage media is removed before installing software on the media.

The software installation procedures SHALL specify that unalterable storage media be used to install software on programmed devices of the voting system.

Manufacturer SHALL provide user documentation explaining the implementation of all physical security controls for the voting device, including model procedures necessary for effective use of countermeasures.

The manufacturer SHALL provide a model setup inspection process that the voting device was designed to support and description of the risks of deviating from the process in the user documentation.

A model setup inspection process SHALL at a minimum include the inspection of voting system software, storage locations that hold election information that changes during an election, other voting device properties, and execution of logic and accuracy testing related to readiness of use in an election.

The model setup inspection process SHALL describe the records that result from performing the setup inspection process.

The manufacturer SHALL provide the procedures to identify all software installed on programmed devices of the voting system in the user documentation.

The manufacturer SHALL describe the procedures to verify the integrity of software installed on programmed devices of voting system in the user documentation.

The manufacturer SHALL provide the values of voting device storage locations that hold election information that changes during the election, except for the values set to conduct a specific election in the user documentation.

The manufacturer SHALL provide the maximum and minimum values voting device storage locations that hold election information changes during an election can store in the user documentation.

The manufacturer SHALL provide the procedures to inspect the values of voting device storage locations that hold election information that changes for an election in the user documentation.

The manufacturers SHALL provide the nominal operational range for the backup power sources of the voting device in the user documentation.

The manufacturer SHALL provide the procedures to inspect the remaining charge of the backup power sources of the voting device in the user documentation.

The manufacturer SHALL provide the procedures to inspect the connectivity of the cabling attached to the voting device in the user documentation.

The manufacturer SHALL provide the procedures to inspect the operational status of the communications capabilities of the voting device in the user documentation.

The manufacturer SHALL provide the procedures to inspect the on/off status of the communications capabilities of the voting device in the user documentation.

The manufacturer SHALL provide a list of consumables associated with the voting device, including estimated number of usages per quantity of consumable in the user documentation.

The manufacturer SHALL provide the procedures to inspect the remaining amount of each consumable of the voting device in the user documentation.

The manufacturer SHALL provide a list of components associated with the voting device that require calibration and the nominal operating ranges for each component in the user documentation.

The manufacturer SHALL provide the procedures to inspect the calibration of each component in the user documentation.

The manufacturer SHALL provide the procedures to adjust the calibration of each component in the user documentation.

The manufacturer SHALL provide a model checklist of other properties of the voting device to be inspected, including a description of the risks on not performing a given inspection in the user documentation.

The model checklist of other properties of the voting device to be inspected SHALL at a minimum include: the inspection of backup power sources, cabling, communications capabilities, consumables, calibration of voting device components, general physical features of the voting device, and securing external interfaces of the voting device not being used.

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the pollbook audit.

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the hand audit.

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the final election tally.

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for observational testing.

The manufacturer SHALL provide documentation for a procedure to scan VVPAT VVPR by optical character recognition.

The system operations manual SHALL provide all information necessary for system use by all personnel who support pre-election and election preparation, polling place activities, and central counting activities, as applicable, with regard to all system functions and operations identified in Part 2: 4.2 “System Functionality Description”.

The system operations manual SHALL contain all information that is required for the preparation of detailed system operating procedures and for the training of administrators, central election officials, election judges, and poll workers.

The manufacturer SHALL provide a summary of system operating functions and modes to permit understanding of the system's capabilities and constraints.

The roles of operating personnel SHALL be identified and related to the operating modes of the system.

Decision criteria and conditional operator functions (such as error and failure recovery actions) SHALL be described.

The manufacturer SHALL also list all reference and supporting documents pertaining to the use of the system during election operations.

The manufacturer SHALL describe the system environment and the interface between the election official or voter and the system.

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment operations, including equipment that operates at the:

1. Polling place;
2. Central count facility; and
   
3. Other locations.

The user documentation supplied by the manufacturer SHALL include a statement of all requirements and restrictions regarding environmental protection, electrical service, recommended auxiliary power, telecommunications service, and any other facility or resource required for the proper installation and operation of the system.

The manufacturer SHALL provide specifications for testing of system installation and readiness.

These specifications SHALL cover testing of all components of the system and all locations of installation (e.g., polling place, central count facility), and SHALL address all elements of system functionality and operations identified in Part 2: 4.2 “System Functionality Description” above, including general capabilities and functions specific to particular voting activities.

The manufacturer SHALL provide documentation of system operating features that includes:

1. Detailed descriptions of all input, output, control, and display features accessible to the operator or voter;
2. Examples of simulated interactions to facilitate understanding of the system and its capabilities;
   
3. Sample data formats and output reports; and
   
4. Illustration and description of all status indicators and information messages.

For systems that support straight party voting, the manufacturer SHALL document the available algorithms for counting straight party overrides.

For systems that support write-in voting, the manufacturer SHALL document the available algorithms for reconciling write-in double votes.

The manufacturer SHALL provide documentation of system operating procedures that:

1. Provides a detailed description of procedures required to initiate, control, and verify proper system operation;
2. Provides procedures that clearly enable the operator to assess the correct flow of system functions (as evidenced by system-generated status and information messages);
   
3. Provides procedures that clearly enable the administrator to intervene in system operations to recover from an abnormal system state;
   
4. Defines and illustrates the procedures and system prompts for situations where operator intervention is required to load, initialize, and start the system;
   
5. Defines and illustrates procedures to enable and control the external interface to the system operating environment if supporting hardware and software are involved.  Such information also SHALL be provided for the interaction of the system with other data processing systems or data interchange protocols;
   
6. Provides administrative procedures and off-line operator duties (if any) if they relate to the initiation or termination of system operations, to the assessment of system status, or to the development of an audit trail;
   
7. Supports successful ballot and program installation and control by central election officials;
   
8. Provides a schedule and steps for the software and ballot installation, including a table outlining the key dates, events and deliverables; and
   
9. Specifies diagnostic tests that may be employed to identify problems in the system, verify the correction of problems, and isolate and diagnose faults from various system states.

Manufacturers of VVPATs SHALL provide documentation for procedures to recover from VVPAT printer errors and faults including procedures for how to cancel a vote suspended during an error.

Manufacturers of paper-roll VVPATs SHALL provide documentation describing necessary procedures for handling the paper roll in a way that preserves voter privacy. 

The manufacturer SHALL provide documentation of system operating procedures that:

1. Defines the procedures required to support system acquisition, installation, and readiness testing; and
2. Describes procedures for providing technical support, system maintenance and correction of defects and for incorporating hardware upgrades and new software releases.

The manufacturer SHALL include any special instructions for preparing voting devices for shipment.

The manufacturer SHALL include any special storage instructions for voting devices.

The manufacturer SHALL detail the care and handling precautions necessary for removable media and records to satisfy Requirement Part 1: 6.5.1-A.

The system maintenance manual SHALL provide information to support election workers, information systems personnel, or maintenance personnel in the adjustment or removal and replacement of components or modules in the field.

The manufacturer SHALL describe service actions recommended to correct malfunctions or problems; personnel and expertise required to repair and maintain the system, equipment, and materials; and facilities needed for proper maintenance.

The manufacturer SHALL describe the structure and function of the hardware, firmware and software for election preparation, programming, vote recording, tabulation, and reporting in sufficient detail to provide an overview of the system for maintenance and for identification of faulty hardware or software.

The description SHALL include a concept of operations that fully describes such items as:

1. Electrical and mechanical functions of the equipment;
2. How the processes of ballot handling and reading are performed (paper-based systems);
   
3. For electronic vote-capture devices, how vote selection and casting of the ballot are performed;
   
4. How transmission of data over a network is performed (if applicable);
   
5. How data are handled in the processor and memory units;
   
6. How data output is initiated and controlled;
   
7. How power is converted or conditioned; and
   
8. How test and diagnostic information is acquired and used.

The manufacturer SHALL describe preventive and corrective maintenance procedures for hardware, firmware and software.

The manufacturer SHALL identify and describe:

1. All required and recommended preventive maintenance tasks, including software and data backup, database performance analysis, and database tuning;
2. Number and skill levels of personnel required for each task;
   
3. Parts, supplies, special maintenance equipment, software tools, or other resources needed for maintenance; and
   
4. Any maintenance tasks that must be coordinated with the manufacturer or a third party (such as coordination that may be needed for COTS used in the system).

The manufacturer SHALL provide fault detection, fault isolation, correction procedures, and logic diagrams for all operational abnormalities identified by design analysis and operating experience.

The manufacturer SHALL identify specific procedures to be used in diagnosing and correcting problems in the system hardware, firmware and software.  Descriptions shall include:

1. Steps to replace failed or deficient equipment;
2. Steps to correct deficiencies or faulty operations in software or firmware;
   
3. Modifications that are necessary to coordinate any modified or upgraded software or firmware with other modules;
   
4. Number and skill levels of personnel needed to accomplish each procedure;
   
5. Special maintenance equipment, parts, supplies, or other resources needed to accomplish each procedure; and
   
6. Any coordination required with the manufacturer, or other party, for COTS.

The manufacturer SHALL identify and describe any special purpose test or maintenance equipment recommended for fault isolation and diagnostic purposes.

Manufacturers SHALL provide detailed documentation of parts and materials needed to operate and maintain the system.

The manufacturer SHALL provide a complete list of approved parts and materials needed for maintenance.  This list SHALL contain sufficient descriptive information to identify all parts by:

1. Type;
2. Size;
   
3. Value or range;
   
4. Manufacturer's designation;
   
5. Individual quantities needed; and
   
6. Sources from which they may be obtained.

The manufacturer SHALL identify specific marking devices that, if used to make the prescribed form of mark, produce readable marked ballots so that the system meets the performance requirements for accuracy.

For marking devices manufactured by multiple external sources, the manufacturer SHALL specify a listing of sources and model numbers that satisfy these requirements.

The manufacturer SHALL specify the required paper stock, weight, size, shape, opacity, color, watermarks, field layout, orientation, size and style of printing, size and location of vote response fields and to identify unique ballot styles, placement of alignment marks, ink for printing, and folding and bleed-through limitations for preparation of ballots that are compatible with the system.

User documentation for optical scanners SHALL include specifications for ballot materials to ensure that votes are read from only a single ballot at a time, without bleed-through or transferal of marks from one ballot to another.

User documentation for voting systems that include printers SHALL include specifications of the paper necessary to ensure correct operation, minimize jamming, and satisfy Requirement Part 1: 6.4.4-B and Requirement Part 1: 6.5.1-A.

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment maintenance.

Manufacturers SHALL specify:

1. Recommended number and locations of spare devices or components to be kept on hand for repair purposes during periods of system operation;
2. Recommended number and locations of qualified maintenance personnel who need to be available to support repair calls during system operation; and
   
3. Organizational affiliation (e.g., jurisdiction, manufacturer) of qualified maintenance personnel.

The manufacturer SHALL describe the personnel resources and training required for a jurisdiction to operate and maintain the system.

The manufacturer SHALL specify the number of personnel and skill levels required to perform each of the following functions:

1. Pre-election or election preparation functions (e.g., entering an election, contest and candidate information; designing a ballot; generating pre-election reports);
2. System operations for voting system functions performed at the polling place;
   
3. System operations for voting system functions performed at the central count facility;
   
4. Preventive maintenance tasks;
   
5. Diagnosis of faulty hardware, firmware, or software;
   
6. Corrective maintenance tasks; and
   
7. Testing to verify the correction of problems.

The manufacturer SHALL distinguish which functions may be carried out by user personnel and which must be performed by manufacturer personnel.

The manufacturer SHALL specify requirements for the orientation and training of administrators, central election officials, election judges, and poll workers.