**Article 12**

**Technical Design of Event Logging**

The Pipeline Safety Guardian system incorporates event logging functionality focused explicitly on outcomes relevant to operational safety and risk detection. Throughout its operational lifetime, the system automatically records discrete anomaly detection events as identified by the combined CNN and Random Forest classification outputs. In addition, final alert states—such as confirmed hazard warnings issued to pipeline operators—are logged with timestamps and associated metadata including sensor identifiers and alert categories. This selective logging strategy concentrates on documented events with direct relevance to pipeline safety, deliberately excluding granular intermediate data such as raw sensor snapshots, transient CNN confidence scores, or internal Random Forest decision paths. The intended rationale is twofold: (i) to reduce data storage demands thereby enabling real-time deployment in low-latency pipeline control environments; and (ii) to limit the volume of sensitive operational data retained, consistent with data minimization principles.

The system’s logging infrastructure relies on a dedicated secure storage module embedded within the edge processing units deployed at field sites. These units maintain a rolling buffer of logged events, which synchronizes with central operational servers under stable network connectivity conditions. However, the logging mechanism does not preserve logs continuously across system restarts or brief network outages. Upon a restart event or network loss exceeding a threshold (nominally 60 seconds), buffered log entries not yet transmitted to central servers are discarded to prioritize system responsiveness, leading to discontinuities in the logged event stream. This design decision balances critical system uptime and alert delivery requirements against the unavoidable transient loss of event traceability during such interruptions.

**Scope and Content of Logged Data for Traceability**

Pipeline Safety Guardian's event logging specifically captures data elements that enable the identification and reconstruction of key hazard incidents detected by the system. Each logged anomaly event record includes:

- Event timestamp with millisecond precision to preserve event sequencing.
- Sensor subset identifiers involved in triggering the event.
- Anomaly classification labels output by the Random Forest classifier (e.g., “pressure drop,” “structural crack”).
- Final alert states issued to operators, including escalation levels and relevant safety protocol references.

Importantly, the system’s logs do not record detailed inference rationale such as intermediate CNN layer activations, probability/confidence vectors, or branch decisions in the Random Forest model. This means that the detailed decision-making pathways leading to an alert are not preserved. Instead, the logging focuses on outcome-level traceability sufficient to determine what hazardous condition was detected and when, without capturing the entire internal model state or raw input data.

Such an approach reflects a compliance-oriented balance: it supports identifying situations potentially imposing a risk—consistent with Article 12(2)(a)—through clear event markers denoting detected anomalies while avoiding burdensome data retention that could complicate post-event analysis or risk data privacy concerns.

**Support for Post-Market Monitoring and Operational Oversight**

The event logs generated by Pipeline Safety Guardian serve as the primary record to facilitate post-market monitoring as per Article 12(2)(b). The logged anomaly events and final alerts provide traces that can be retrospectively reviewed to evaluate system performance, incident frequencies, and detection accuracy after deployment. The temporal and categorical nature of these logs enables statistical analysis correlating system alerts with actual pipeline maintenance records or detected failures to support continuous safety assurance.

However, the absence of intermediate inference data and the loss of logs during system restarts and brief network outages limit the granularity and continuity of traceability. This limitation constrains the ability to perform fine-grained forensic analysis of model reasoning for particular incidents but does not impede the fundamental capability to identify the occurrence and type of detected hazards.

Operational monitoring of live system states as envisaged under Article 12(2)(c) is supported through real-time alert generation rather than via exhaustive logging. Operators receive immediate notifications of anomalies and hazard alerts, enabling timely intervention. The logging subsystem acts as a complementary record rather than a comprehensive operational monitoring tool.

**Rationale Underlying Logging Design Choices**

The decision to restrict logged data to final anomaly and alert records, and to tolerate interruptions in logging continuity, derives from an operational risk management perspective prioritizing system availability and prompt hazard detection. Extensive intermediate logging, such as CNN confidence trajectories or Random Forest decision path data, would impose significant storage and processing overhead incompatible with the low-latency, edge-deployed nature of Pipeline Safety Guardian. Furthermore, transient losses in logging align with system robustness principles that prioritize continuous sensing and alerting even under network instability or system restarts, albeit at the cost of some loss in traceability continuity.

Consequently, Meridian Safety Systems has calibrated Pipeline Safety Guardian’s logging design to strike a pragmatic balance between sufficient traceability for risk identification and post-market surveillance purposes and the real-world constraints of critical infrastructure AI deployment. This approach employs commonly accepted industrial AI standards for selective event logging while respecting data minimization and security best practices applicable in high-risk energy sector contexts.