**Article 12**

### System Event Logging Architecture and Scope

The Guardian Signal Controller incorporates an automated logging mechanism designed to record system events continuously throughout its operational lifetime. This mechanism captures timestamped summary indicators of anomalous traffic conditions, denoted as risk flags, which correspond to scenarios requiring heightened attention or intervention by downstream traffic control systems. The logged data structure is deliberately limited to include only aggregated risk classifications and associated temporal markers; it excludes raw video frames, granular sensor measurements, or any internal decision-making artifacts generated by the CNN and Random Forest classifiers. This design choice aligns with data minimization principles and mitigates the potential exposure of sensitive information while still providing traceability of risk-related events.

The log entries contain standardized risk flag identifiers reflecting categories such as “Red-light violation risk,” “Pedestrian conflict risk,” or “Unusual traffic flow pattern,” along with precise Coordinated Universal Time (UTC) timestamps synchronized via Network Time Protocol (NTP). This schema enables reconstructing event sequences without revealing underlying sensor signal minutiae or model inference details. The use of summary-level data ensures a consistent audit trail supporting system oversight while preserving operational privacy and protecting proprietary model internals.

### Enabling Identification of Risk Situations and System Modifications

The recorded summary risk flags directly correspond to conditions defined in the system’s risk model, which is derived from extensive training on a curated dataset of over 50,000 intersection scenarios collected from five European cities between 2020 and 2023. CNN models extract spatial features such as vehicle positioning and pedestrian presence from video frames at 15 frames per second, feeding these features into Random Forest classifiers to produce discrete risk assessments. By logging only the final flagged risk states and their occurrence times, the system facilitates clear identification of instances when the Guardian Signal Controller predicts hazardous events or a potential need for traffic signal timing adjustments.

No logs contain explicit reasoning paths or intermediate model outputs, as these would be voluminous and sensitive. Instead, the summarized risk event records suffice to trace the manifestation and timing of conditions that may require intervention or further review. Additionally, the system logs version numbers of deployed AI models and configuration parameters upon updates or retraining cycles. This supports recognizing any substantial modifications that affect system behavior, enabling correlation of logged risk events with specific model instances or parameter sets.

### Supporting Post-Market Monitoring and Operational Oversight

The logging implementation is designed to underpin post-market monitoring by external assessors or municipal authorities. Each logged risk event permits quantitative analysis of system performance over time, including frequency and temporal distribution of detected risks at given intersections. This enables detection of emerging patterns indicative of model degradation, sensor faults, or environmental changes impacting system reliability. Through secure log export interfaces adhering to established threat models, authorized auditors can obtain anonymized aggregated logs for forensic examination without access to raw sensor streams or internal decision rationale.

For ongoing operational monitoring, system health metrics—including sensor status flags, processing latency statistics, and detection count aggregates—are logged separately but do not contain detailed input data or classifier confidence scores. This bifurcation maintains a clear boundary between privacy-preserving risk flag logging and system operational telemetry. Implementations comply with cybersecurity standards applicable to critical infrastructure (e.g., IEC 62443 and ISO/IEC 27001) to safeguard log integrity and prevent tampering.

By constraining recorded log content to summary risk flags and timestamps with model version metadata, the Guardian Signal Controller strikes a balance between traceability requirements and confidentiality objectives. This logging approach facilitates effective audit trails and supports regulatory oversight while respecting the data minimization and intellectual property protection imperatives of deployed AI systems for public safety applications.
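The following is an added example, not the controller's own code, of how a log writer could enforce the minimized schema described above and make tampering detectable. The field names, the `example-1.0` version string and the HMAC chain are assumptions: the text cites IEC 62443 and ISO/IEC 27001 but names no specific integrity mechanism.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Assumed schema: only the fields the text says are logged.
EVENT_FIELDS = {"timestamp_utc", "risk_flag", "model_version"}
# Categories quoted in the text; a deployment would list its full set.
RISK_FLAGS = {"Red-light violation risk", "Pedestrian conflict risk",
              "Unusual traffic flow pattern"}
GENESIS = "0" * 64  # chain anchor preceding the first entry

def _mac(event: dict, prev_mac: str, key: bytes) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def make_entry(event: dict, prev_mac: str, key: bytes) -> dict:
    """Validate an event against the minimized schema, then chain it."""
    if set(event) != EVENT_FIELDS:  # rejects confidence scores, frame refs, etc.
        raise ValueError(f"schema violation: {sorted(set(event) ^ EVENT_FIELDS)}")
    if event["risk_flag"] not in RISK_FLAGS:
        raise ValueError("unknown risk flag")
    offset = datetime.fromisoformat(event["timestamp_utc"]).utcoffset()
    if offset != timedelta(0):  # naive timestamps give None and are rejected
        raise ValueError("timestamp must carry an explicit UTC offset")
    return {**event, "prev_mac": prev_mac, "mac": _mac(event, prev_mac, key)}

def verify_chain(entries: list, key: bytes) -> int:
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if set(entry) != EVENT_FIELDS | {"prev_mac", "mac"}:
            return i
        event = {k: entry[k] for k in EVENT_FIELDS}
        expected = _mac(event, prev, key)
        if entry["prev_mac"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1

def sample_log(key: bytes) -> list:
    """Constructed events for illustration; not data from a real controller."""
    log, prev = [], GENESIS
    for ts, flag in [("2024-01-01T08:00:00+00:00", "Pedestrian conflict risk"),
                     ("2024-01-01T08:00:07+00:00", "Red-light violation risk")]:
        log.append(make_entry({"timestamp_utc": ts, "risk_flag": flag,
                               "model_version": "example-1.0"}, prev, key))
        prev = log[-1]["mac"]
    return log
```

A chain like this exposes edits, insertions and removals in the middle of the log, but not removal of the most recent entries; detecting that requires anchoring the latest MAC somewhere outside the device.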