CROSS-CONNECTION CONTROL/BACKFLOW PREVENTION
ELECTRONIC TEST SUBMITTAL
Western Washington
Cross Connection Control
The Group
By Randy Engle
XC2 Software, [email protected]
On-line Test Submittal by
Backflow Testing Contractors
• “It will work just great”
• “It will be completely paperless”
• “It will reduce your labor by 50%”
• “It will be a seamless
implementation”
• “This software will need virtually no
IT resources”
• “This software is completely user
friendly”
• “This software practically runs itself”
• “This software is completely bug free”
• “This software doesn’t require any
computer experience.”
• “This software is totally intuitive”
• “Does this software send notices
automatically?”
• “Does this software need to be
monitored?”
• “Does this software need to be backed
up?”
ELECTRONIC BACKFLOW TEST SUBMITTAL
Is it possible?
To Go from
This
To This
ELECTRONIC BACKFLOW TEST SUBMITTAL
What is it?
The ability to successfully submit specific
and accurate backflow test results data
via the Internet to water purveyors, or
their agents, using a desktop computer,
laptop, tablet or mobile
device/smartphone.
This includes validation of these results
prior to acceptance and confirmation of
receipt of these reports.
• Can’t you just make it work Automatically?
• I really don’t want to have to think about it.
• I’m a plumber! Not a computer expert!
“AUTOMATICALLY”
Let’s bring a little reality to the table.
It may not work the way you “Assumed” it would.
Whose fault is that?
• What does “Automatic” Mean?
• It means the more “automatic” it is, the more IT and other staff it takes to keep things operational “behind” the scenes.
IT Staff
What Needs to be done
• Nobody is asking you to be a computer expert…
• But… if you are going to open up your system to outside, private contractors, there are several items to consider, to make sure that all is secure and will work the way that you need it to work.
• (Note: you could always hire someone to do this level of thinking for you… or get your IT folks involved.)
Topics and Issues to Consider
• Why move away from handwritten test reports?
• What are the options for electronic test reporting?
• What are the benefits (and pitfalls) to the purveyor’s backflow program with electronic submittal?
• How do you control data integrity?
• How is security going to be managed?
• How is testing contractor access and customer access to the system controlled?
• Need to make it “user friendly” so testing contractors will accept it in a reasonable timeframe.
• Need to provide some training for testing contractors to use the system
• Need to provide instant feedback to the testing contractor that what they are doing is correct or not.
• What might some of the complaints be from contractors and customers? Need to be prepared to handle this.
• Need some type of “I do hereby certify that this is true”
• Why move away from handwritten test reports?
• It takes too darn much time to enter them by hand!
• Can’t always read the tester’s writing
• Need to store the paper copies somewhere. They take up
a lot of space and take time to file.
• If test reports are not entered in a timely fashion, then the
customer may get sent an overdue notice that is not
correct. Hence, making the customer unhappy, which in
turn requires you to take the time to deal with the
problem.
What are the options for electronic test entry?
• Write your own web-based software
• Purchase a pre-fab web-based system
• Subscribe to a “cloud” service (Multiple Options Available)
• Write your own web based system
Write it from the ground up
Or
Write it as a part of another system, e.g. Utility Billing
You get exactly what you want (you hope)
You will need to work with the programmer to create
the specifications.
You will need to provide all of the testing.
Could take a long time to get up and running
You are in control
• Purchase a commercially packaged web based system
You will need to fit how you run your program into the
software.
It might be quite configurable to how you need to do
things or it could be customizable.
You are in complete control of your data
Your IT Dept needs to be involved
One time cost (with annual maintenance and support)
• Subscribe to a “cloud” service
This has the most options available:
Simple to Sophisticated:
A. The service runs your entire program
B. The service provides a web page for testers to
enter test reports, and makes a report available
to you.
C. The service provides a web interface for you to
run your program
D. The service provides the web page for test entry, and
maybe you can automatically receive the information back
in your in-house database.
E. The service provides the web page for test entry, and
automatically “sends” the information back to your in-house
database…
• And provides a mechanism for you to automatically update
information on the website from your in-house system, e.g.
tester information, customer information, new backflow
locations and assembly information.
What are the benefits (and downsides) to the purveyor’s backflow program with electronic submittal?
Benefits:
• Takes away a huge amount of time from hand entering
tests and storing paper documents.
• Gets test reports entered in a timely fashion
• What else is there to say…
Pitfalls:
• A certain degree of control is given up. 3rd parties are
entering the test results and unless you review each
entry, you need to trust that the system has enough
controls on it to ensure data integrity.
• Some testers may not be happy about having to do this, or
they may have trouble entering on the web, and be calling
you a lot for assistance (or just to complain)
• How do you control data integrity?
• Lots and Lots of Validations during time of entry:
• Test Report Values
• Tester Certifications and Licenses
• Date sensitive entry
• No dates in the “future”
• Tester must have been certified at time of test
• Special licenses and certifications must be met based
upon the type/hazard of backflow being tested.
• All of the above should be handled (by the web software)
at the time of entry, and the entry person (user) notified
immediately if all of the conditions are not met.
• Still, someone will come up with some “creative”
entries that the software developer hasn’t thought of
yet.
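The entry-time checks listed above, sketched as an added example (not part of the original presentation or of any vendor's software). The certification labels, the required-reading lists and the plausible psid range are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Certification:
    kind: str            # constructed labels: "BAT", "HIGH_HAZARD"
    valid_from: date
    valid_to: date

@dataclass
class SubmittedReport:
    tester_id: str
    assembly_type: str   # e.g. "RPBA", "DCVA"
    hazard: str          # "low" or "high"
    test_date: date
    readings: dict       # field name -> psid reading

# Assumed rule tables, constructed for this example (not from a real program).
REQUIRED_CERTS = {"low": {"BAT"}, "high": {"BAT", "HIGH_HAZARD"}}
PLAUSIBLE_PSID = (0.0, 30.0)
REQUIRED_READINGS = {"RPBA": ["check1_psid", "relief_valve_psid"],
                     "DCVA": ["check1_psid", "check2_psid"]}

def validate(report, certs_by_tester, today):
    """Return a list of problems; an empty list means the entry is accepted."""
    errors = []
    if report.test_date > today:
        errors.append("test date is in the future")
    # Certifications that covered the day of the test, not merely today.
    held = {c.kind for c in certs_by_tester.get(report.tester_id, [])
            if c.valid_from <= report.test_date <= c.valid_to}
    required = REQUIRED_CERTS.get(report.hazard)
    if required is None:
        errors.append(f"unknown hazard level {report.hazard!r}")
    else:
        for kind in sorted(required - held):
            errors.append(f"tester had no valid {kind} certification on the test date")
    fields = REQUIRED_READINGS.get(report.assembly_type)
    if fields is None:
        errors.append(f"unknown assembly type {report.assembly_type!r}")
    lo, hi = PLAUSIBLE_PSID
    for name in fields or []:
        value = report.readings.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            errors.append(f"{name}: missing or not a number")
        elif not lo <= value <= hi:   # also rejects NaN
            errors.append(f"{name}: {value} is outside {lo}-{hi} psid")
    return errors

# Constructed sample data: T-17's high-hazard certification lapsed at the end of 2023.
CERTS = {"T-17": [Certification("BAT", date(2022, 1, 1), date(2025, 12, 31)),
                  Certification("HIGH_HAZARD", date(2022, 1, 1), date(2023, 12, 31))]}
```

Returning every problem at once, rather than stopping at the first, is what lets the entry screen tell the tester immediately what to fix.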
How is website security going to be managed?
• If you are going to have your organization be the
“Host” of the web server, the time is NOW to
contact your IT dept and get them on board!
• There are two kinds of “Web Security” as are being
discussed here.
1. Security to keep hackers away from your
servers and the data on them. These guys have little
interest in the actual data on your system. They just
want to hack in and cause havoc.
This is what your IT Dept needs to set up. You don’t do it. The software vendor doesn’t do it.
2. Security to keep unauthorized users from accessing
parts of the system or data on the system that you
don’t want them to access.
For example, testing contractors searching in the
database for potential new customers
• How is testing contractor access and customer access to the system controlled?
Users/Password:
• Everything on the web has unique user names and passwords these days.
• This needs to apply to your backflow program as well.
• Weak:
  • User Name: abc
  • Password: 123
• Strong:
  • User Name: AceBackflow
  • Password: M785qm6$
• You probably need to decide on something in-between
The system needs to be configurable to require these levels of strength of user names and passwords:
Length of User: e.g. > 6 or 8 characters
Strength of Password:
Strongest:
• Require length of 8 characters
• Require Uppercase letter
• Require Lowercase letter
• Require Number
• Require “Special Character” e.g. $%#!, etc.
Entering Test Results:
Need to be able to look up backflow assemblies so that test results can be entered.
How? So that testers can’t just look up anything they want.
1. Provide a “Tester Access Code” for each customer, listing all associated backflow assemblies
2. Provide a PIN number for each backflow assembly that the tester must enter along with the backflow serial number
• Need to make it “user friendly” so testing contractors will accept it in a reasonable timeframe.
• What the heck does “User Friendly” mean?
• Need to provide some training for testing contractors.
• Roll out the system by starting with 1 or 2 testing companies that are on-board with your new system.
• Work with them to find any bumps and pitfalls to your new system
• Set up 2 or 3 sessions at your location demonstrating how the new system will work.
• Demonstrate entering real world test reports
• Encourage the attendees to try it themselves at the training.
• Make it obvious what to do:
The address that the tester must enter to get to your site should be easy to remember
• The first screen they see needs to be self-explanatory:
• Not a lot of options, just follow the simple directions. Make sure it’s something familiar.
• Give them a way to sign in if they forget their password or user name.
• Special Note about recovering passwords if they are forgotten.
• In a secure system, existing passwords are not recoverable, they have been “hashed”
• You could probably live a lifetime without knowing this, but this is what a password looks like in a secure computer system.
9dec17c501f72e6955e40d277bdcf1144cb77bc8b639beef675b43b9cae49b8b53829606dc9e999b2fff36af1b53ba9be6961bc8f8f5e16ac5436e86704b4b64
The only people with the ability to decrypt something like this might be the NSA, CIA, etc.
• So…
• This means if someone forgets their password, the system needs to be able to generate a new one and send it to them.
• Then you give them the option to change it once they log on again.
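The configurable strength rules and the forgotten-password flow described above, as an added example (not from the original presentation). A stored hash is one-way: logging in works by hashing the attempt again and comparing, which is why the old password can only be replaced, not looked up. The account dictionary, the PBKDF2 iteration count and the 12-character temporary password are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# The slide's "Strongest" setting; a purveyor can relax it by editing POLICY.
CLASSES = {"uppercase letter": string.ascii_uppercase,
           "lowercase letter": string.ascii_lowercase,
           "number": string.digits,
           "special character": "$%#!"}
POLICY = {"min_length": 8, "require": set(CLASSES)}
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor

def policy_errors(password, policy=POLICY):
    """List every rule the password breaks, for instant feedback to the user."""
    errors = []
    if len(password) < policy["min_length"]:
        errors.append(f"shorter than {policy['min_length']} characters")
    for name, chars in CLASSES.items():
        if name in policy["require"] and not any(c in chars for c in password):
            errors.append(f"missing: {name}")
    return errors

def set_password(account, password, must_change=False):
    """Store only a random salt and the slow one-way hash, never the password."""
    salt = secrets.token_bytes(16)
    account["salt"] = salt
    account["digest"] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    account["must_change"] = must_change

def verify_password(account, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), account["salt"], ITERATIONS)
    return hmac.compare_digest(digest, account["digest"])

def reset_password(account, policy=POLICY):
    """Forgotten password: issue a random temporary one that must be changed."""
    alphabet = "".join(CLASSES.values())
    length = max(12, policy["min_length"])
    while True:
        temp = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_errors(temp, policy):
            break
    set_password(account, temp, must_change=True)
    return temp   # delivered to the user once; only the hash is kept
```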
• Make it obvious what to do.
• Secure but easy way to find the desired (and authorized) backflow assembly records
• Access Code is generated by the system.
• You include this code on the notice you send to the customer.
• Consider regenerating every year.
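One way to implement the system-generated access code with yearly regeneration, as an added example (not the presenter's or any vendor's code). The class name, the 10-character code length, the lockout threshold and the sample serial numbers are assumptions.

```python
import hmac
import secrets
from datetime import date

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I: easier to copy from a notice
MAX_FAILURES = 5                                # assumed lockout threshold

class AccessCodes:
    def __init__(self, assemblies_by_customer):
        self.assemblies = assemblies_by_customer  # customer id -> list of serial numbers
        self.codes = {}                           # customer id -> (code, year issued)
        self.failures = {}                        # tester login -> consecutive wrong codes

    def issue(self, customer_id, today):
        """Generate the code printed on this year's notice; replaces the old one."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(10))
        self.codes[customer_id] = (code, today.year)
        return code

    def lookup(self, tester, entered, today):
        """Return only the assemblies tied to the entered code, or None."""
        if self.failures.get(tester, 0) >= MAX_FAILURES:
            return None                           # locked until an administrator resets it
        entered = entered.strip().upper().encode()
        match = None
        for customer_id, (code, year) in self.codes.items():
            # Constant-time compare; a code issued in an earlier year no longer works.
            if hmac.compare_digest(code.encode(), entered) and year == today.year:
                match = customer_id
        if match is None:
            self.failures[tester] = self.failures.get(tester, 0) + 1
            return None
        self.failures[tester] = 0
        return list(self.assemblies[match])

# Constructed sample data.
SAMPLE_ASSEMBLIES = {"C-100": ["SN-4471", "SN-4472"], "C-200": ["SN-9001"]}
```

The tester never searches the database directly: the only records returned are the ones belonging to the customer whose current code was entered, and repeated wrong guesses lock the login.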
• Have the user select an item from the list.
• Make the entry screen look like a test form
• Don’t accept the entry unless they “Certify” that all information is true.
• Provide instant feedback if something is not correct or complete.
• Be sure to tell them if they did it correctly!
• Follow up with an automatic email that the test was entered! Send to the tester AND the customer (if you have their email)
• Someone needs to “Administer” your backflow program, including tester access to the system.
Do you think you are going to require
individual testers to be the ones to actually
submit their own test reports?
If so, remember that this is basically
unenforceable.
As stated earlier, with a Log-In and Password,
you can do just about anything.
Challenges/Advantages
It really comes down to a basic premise:
Less Work for You
vs. Control of your Program
Decisions
In House (Self Hosted)
vs
Subscribing to a service (out-sourced)
Tester Considerations
What about backflow testers that don’t want to submit their test results via the web?
You will need to decide what your policy is going to be.
Are you going to “REQUIRE” web entry?
Maybe give testers a “grace” period to get
up to speed about entering test results via
the web.
Deal with the fallout from some testing
contractors who give you grief because
they don’t want to submit via the web.
Summary
• Decide if this is valuable for you
• Explore available options (Get References!)
• Get the backing you need: IT Dept., Upper Management, City Council, etc.
• Notify the Testing Contractors that this is what you are going to do. Have a meeting/training with them.
• Document what your security considerations are.
• Do some testing to see what issues might arise