Access to Utopia.


NO OTHER SEGMENT OF THE security industry has enjoyed more research and development than access control. This has resulted in a frenzy of new systems, user identification methods, integration of alarm point monitoring, control functions, and features that only 10 years ago were thought of as utopian.

Largely responsible for this development is, as in so many other industries, the computer. With the computer as a central processing unit, manufacturers of access control devices are able to create systems of tremendous power and flexibility, incorporating functions that in the past required several separate systems. As a result, the security office has been transformed into a high-tech area with vital information instantly available to the security staff, as well as a place from which security professionals can control and manage facilities in an efficient manner.

In a card-based system, the card reader reads the data on the card, transforms this data into a number, and sends it to a control unit (an ACP--access control panel). The panel analyzes the number and verifies that all conditions to grant access are satisfied before the door is released (more on these conditions later).

If a printer is connected to the ACP, a message is printed stating who was granted access to the protected area and the time and date this person was allowed to enter. If access is denied, the message includes who attempted to gain access and why the request was denied (such as wrong time, day, or door).

This information can also be transmitted to a computer (host). In this case, the host did not play an essential part in the access cycle because the ACP had all the necessary intelligence to operate, and the host was simply used as a logging, presentation, and programming device, thus making this a computer-enhanced or distributed processing system.

Some manufacturers use the host as a processing unit in which all verification and access decisions are made. In these systems, the only verification done in the ACP is the verification of the facility code or system code as it is sometimes called. If the facility code is correct, the ACP sends the sequential number of the card to the host; the host finds the card number in the data base (usually on the hard disk); checks the time and day of the week; and, if the card is authorized at that access point, sends a command to the ACP to release the door. Messages are presented on the screen or printer that an access request was granted or denied.

Arguments can be made for both types of systems. The distributed processing system makes faster access decisions and therefore can process more people through an area in a given amount of time. Until recently, it was necessary to program each ACP individually, but software developments for hosts in this system have made it possible to program, from the host, several ACPs at the same time.

They also benefit from the fact that there is no reduction in security if the communication line between the ACP and the host is down, since all the decisions and verification are done by the ACP, not the host. Most ACPs of this type are able to store access transactions in a buffer in case of a host failure or communication line failure until the problems have been corrected, and, at that time, upload the information to the host for storage, usually on a hard disk.

The drawback is that with a card-based system of this type, there is generally very little flexibility and few features. Capabilities such as disabling (masking) of alarm points and activation of multiple relays are seldom found. After all, a card is a means of carrying a number, and the ACP will have a given instruction for that number (verify and grant access). In some of these systems, the instruction can vary when the card is at a different reader, but it is still relatively limited. Functions such as sending a duress alarm if the cardholder is under threat are not practical.

TO INCREASE THE SECURITY LEVEL and flexibility of such systems, many manufacturers are adding a keypad to the card reader. This means that the user who is requesting access will use both a card and a code. Most systems use a specific code for a specific card, but some systems recognize only one code that remains the same for all cards.

The addition of the keypad to the card reader serves several purposes, one being increased flexibility now that the system can offer the user the capability of sending a silent duress alarm to the ACP or host.

Card-based systems incorporating alarm monitoring circuits (intrusion detection) and control functions (output relays to control various devices) are usually of the central processing variety (computer-driven).

Let us look at how a system can identify access, alarm, and control points. (A control point is a relay output.) The following illustration is a simple system with one host, two ACPs, and one intrusion detection station (IDS). The IDS has alarm input points and relay output points (control points). (See Exhibit 1.)

The host in this case has only one communication port; therefore, it is not strictly necessary to identify the port on which messages are received. To illustrate the concept, however, we will identify the communication port anyway.

Connected to the communication line are two ACPs (ACP1 and ACP2), each having four access points. A message from door two of ACP1 will look like this: 1, 1, 2, XX--that is, communication port 1, ACP1, door 2, card number XX. The host then finds on the hard disk the conditions and name for that cardholder and the parameters for access point 1, 1, 2. These parameters can be the location for the ACP and the physical location of the door itself, described in English as stockroom door, panel in west wing.

The fourth door on the second ACP will be identified by the host as 1, 2, 4--meaning communication port 1, ACP2, door 4. This number sequence is then used as an index to store additional information, such as door location.

The same concept is applied when the system identifies alarm points and stores additional data at each alarm point. (See Exhibit 2.) If, for instance, the third alarm input circuit of IDS1 on communication line 1 is violated, the message (index) will be 1, 1, 3. The host, of course, has a way to differentiate an IDS from an ACP, and this may be done in several different ways--having all IDSs send a character, such as an *, along with the IDS address--1, *1, 3--or addressing them differently than the ACPs. Whatever the method, the concept is the same and repeats itself once more for the control (relay) points.

Again, the system must have a way to differentiate control (relay) points from alarm points. For relay 5 of IDS1 on communication port 1, the message would be 1, *1, C5, where the character "C" designates a control relay.
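
The addressing scheme above, worked through as a small parser. This is an added example, not code from the article or from any vendor; it assumes the "*" and "C" markers used in the article's sample messages, and the names PointAddress, parse_message, DESCRIPTIONS and describe are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PointAddress:
    kind: str                   # "access", "alarm" or "control"
    port: int                   # communication port on the host
    unit: int                   # ACP number or IDS number
    point: int                  # door, alarm input or relay number
    card: Optional[str] = None  # card number, access requests only

    @property
    def index(self):
        """Key under which the host files data about this point."""
        return (self.kind, self.port, self.unit, self.point)


def _number(text: str, what: str) -> int:
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{what} must be a number, got {text!r}")
    return int(text)


def parse_message(raw: str) -> PointAddress:
    """Parse 'port, unit, point[, card]' as written in the article."""
    fields = [f.strip() for f in raw.split(",")]
    if len(fields) not in (3, 4) or "" in fields:
        raise ValueError(f"malformed message: {raw!r}")
    port_s, unit_s, point_s = fields[:3]
    card = fields[3] if len(fields) == 4 else None

    is_ids = unit_s.startswith("*")        # "*1" -> IDS1
    is_relay = point_s[:1] in ("C", "c")   # "C5" -> control relay 5
    port = _number(port_s, "port")
    unit = _number(unit_s[1:] if is_ids else unit_s, "unit")
    point = _number(point_s[1:] if is_relay else point_s, "point")

    if is_ids:
        if card is not None:
            raise ValueError("an IDS point does not carry a card number")
        kind = "control" if is_relay else "alarm"
        return PointAddress(kind, port, unit, point)
    if is_relay:
        # Assumption: the article only shows relay addresses on an IDS.
        raise ValueError("relay address on an ACP is not defined here")
    return PointAddress("access", port, unit, point, card)


# Descriptions filed under each index; the texts are the article's own.
DESCRIPTIONS = {
    ("access", 1, 1, 2): "stockroom door, panel in west wing",
    ("alarm", 1, 1, 3): "motion detector in west hallway of warehouse 2",
}


def describe(raw: str) -> str:
    """Look up the stored description for the point named in a message."""
    return DESCRIPTIONS.get(parse_message(raw).index, "unknown point")


if __name__ == "__main__":
    for msg in ("1, 1, 2, XX", "1, 2, 4", "1, *1, 3", "1, *1, C5"):
        print(msg, "->", parse_message(msg), "|", describe(msg))
```

Because the kind of point is part of the index, alarm input 3 of IDS1 and door 3 of ACP1 can never be confused in the host's data base, and anything that does not match the expected shape is rejected before a lookup is attempted.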

SO, WHERE IS ALL THIS LEADING US? LET US TAKE A look at some instructions that can now be filed under the index number of an alarm point.

In some systems, alarms are separated by categories, and each category can be assigned a priority level. This means that in large systems with heavy traffic, several alarms may be queued. A new alarm of high priority is then processed and presented before other lower priority messages are processed. In this case, the category is included in the alarm point information.

Examples of categories are fire, intrusion, duress, non-alarm monitor point, and test. Examples of transmission/processing/presentation priorities, assigned to categories, are the following:

* priority 1: fire

* priority 2: intrusion

* priority 3: duress

* priority 4: monitor point

* priority 5: trouble conditions

* priority 6: test point

* priority 7: return to normal (alarm)

* priority 8: trouble, return to normal

The following is an example of alarm information.

1, *1, 3.

Category: intrusion.

Route alarm message to printer 1, terminal 2.

Description (English text--motion detector in west hallway of warehouse 2).

Normal status of the input (open or closed).

Masked (ignored) during time zone.

Activate relay or relays 1.

Mask other alarm points.

Display instructions to the guard.

Require acknowledgement from a guard.

Display a floor plan of the area in which the alarm is activated.

Let persons on the security staff write a comment of their action (such as working overtime, accidentally walked into the field of the motion sensor while going to the vending machine).

Route this alarm report to the following devices: printer 1, terminal 2.
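
The priority scheme and the alarm point record above, combined in one sketch: alarms are filed by index, dropped while masked, and presented most urgent first. This is an added example, not the article's or any product's code; the 8-to-17 masked time zone, the records other than 1, *1, 3 and all names are assumptions.

```python
import heapq
import itertools

# Category -> priority as listed in the article (1 is handled first).
PRIORITY = {
    "fire": 1, "intrusion": 2, "duress": 3, "monitor point": 4,
    "trouble": 5, "test": 6, "return to normal": 7,
    "trouble, return to normal": 8,
}

NO_HOURS = frozenset()

# Alarm point records keyed by (port, IDS, input). The first entry follows
# the article's example; the others are constructed for the demonstration.
ALARM_POINTS = {
    (1, 1, 3): {"category": "intrusion",
                "description": "motion detector in west hallway of warehouse 2",
                "route": ("printer 1", "terminal 2"),
                "masked_hours": frozenset(range(8, 17))},  # assumed time zone
    (1, 1, 7): {"category": "fire", "description": "constructed fire point",
                "route": ("printer 1", "terminal 2"), "masked_hours": NO_HOURS},
    (1, 1, 9): {"category": "test", "description": "constructed test point",
                "route": ("printer 1",), "masked_hours": NO_HOURS},
}


class AlarmQueue:
    def __init__(self, points):
        self._points = points
        self._heap = []
        self._arrival = itertools.count()  # preserves order within a priority

    def report(self, index, hour):
        """Queue an alarm. Returns False when the point is masked at `hour`."""
        record = self._points.get(index)
        if record is None:
            # Assumption: an unconfigured point is raised as a trouble
            # condition instead of being dropped silently.
            record = {"category": "trouble",
                      "description": f"unconfigured point {index}",
                      "route": ("terminal 2",), "masked_hours": NO_HOURS}
        if hour in record["masked_hours"]:
            return False
        entry = (PRIORITY[record["category"]], next(self._arrival), index, record)
        heapq.heappush(self._heap, entry)
        return True

    def next_alarm(self):
        """Return the most urgent queued alarm, or None if the queue is empty."""
        if not self._heap:
            return None
        priority, _, index, record = heapq.heappop(self._heap)
        return {"index": index, "priority": priority, **record}


def demo():
    queue = AlarmQueue(ALARM_POINTS)
    queue.report((1, 1, 9), hour=22)           # test point, arrives first
    queue.report((1, 1, 3), hour=22)           # intrusion, after hours
    masked = queue.report((1, 1, 3), hour=10)  # same sensor, masked time zone
    queue.report((1, 2, 1), hour=22)           # not in the data base
    queue.report((1, 1, 7), hour=22)           # fire, arrives last
    order = []
    while (alarm := queue.next_alarm()) is not None:
        order.append(alarm["category"])
    return masked, order


if __name__ == "__main__":
    print(demo())
```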

Similar information is stored under the access point index number--access point 1, 2, 1--such as basic entry point and description: west lobby door.

In more powerful systems, additional data can be entered, such as the following:

* access request messages routed to printer 2, terminal 3

* antipassback entry or exit

* antipassback internal

* elevator control access point (will activate multiple relays)

* guard tour point

* alarm masking access point

* two-person control access point

* area loading access point (minimum, maximum)

* authority presence required

* enable second authenticator

* time/attendance point

The explanation of these items is sometimes, but not always, obvious. In some systems, several terminals and printers may be remotely located. In that case, alarm messages and access messages from these areas can be routed to printers or terminals located in that specific area. Antipassback (APB) prevents a user from passing back a card to allow a second person to enter. Access is also denied to someone attempting to follow (tailgate) the user into an APB area without using his or her own card and/or code.

There are even a few powerful systems that have an internal access point. This means that if a user tailgates himself or herself into an APB area, access is denied to all access points within the APB area, since the system did not see the person enter the area.
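
Antipassback with an internal access point, as an added sketch that is not taken from the article or from any product. It assumes a single APB area that is not nested inside another, assumes an exit request is refused for a card the system never saw enter, and uses constructed reader and card names.

```python
OUTSIDE = "outside"
KINDS = ("entry", "exit", "internal")


class AntiPassback:
    def __init__(self, readers):
        for name, (kind, _area) in readers.items():
            if kind not in KINDS:
                raise ValueError(f"reader {name!r} has unknown kind {kind!r}")
        self.readers = readers    # reader name -> (kind, APB area)
        self.location = {}        # card -> area the system last saw it enter

    def occupancy(self, area):
        """Number of cards the system believes are inside the area."""
        return sum(1 for a in self.location.values() if a == area)

    def request(self, card, reader):
        """Return (granted, reason) for a card presented at a reader."""
        kind, area = self.readers[reader]
        here = self.location.get(card, OUTSIDE)
        if kind == "entry":
            if here != OUTSIDE:
                # The card was passed back to let a second person in.
                return False, "passback: card is already inside an APB area"
            self.location[card] = area
            return True, "entry granted"
        if here != area:
            # The holder tailgated in, so the system never saw the card enter.
            return False, "system did not see this card enter the area"
        if kind == "exit":
            self.location[card] = OUTSIDE
            return True, "exit granted"
        return True, "internal access granted"


# Constructed readers for one APB area.
READERS = {
    "lab entry": ("entry", "lab"),
    "lab exit": ("exit", "lab"),
    "lab store room": ("internal", "lab"),
}


def demo():
    apb = AntiPassback(READERS)
    results = [
        apb.request("card A", "lab entry"),       # normal entry
        apb.request("card A", "lab entry"),       # card A handed back outside
        apb.request("card B", "lab store room"),  # B tailgated behind A
        apb.request("card A", "lab store room"),  # A is known to be inside
        apb.request("card B", "lab exit"),        # B still unknown to the system
    ]
    inside = apb.occupancy("lab")
    results.append(apb.request("card A", "lab exit"))
    return [granted for granted, _ in results], inside, apb.occupancy("lab")


if __name__ == "__main__":
    print(demo())
```

The occupancy count kept here is the same figure that two-person control and area loading depend on, which is why those features require APB at every access point of the area.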

Elevator access point means that this access point triggers additional relays to enable travel to restricted floors. This access point is linked to cardholder information so the system knows which relays (floors) this specific user is authorized to travel to. Some systems also log which floor the elevator traveled to and then return the elevator car to the lobby.

A guard tour access point differs from one manufacturer to another, depending on how the manufacturer perceives the concept. In most instances, the simple form of guard tour is sufficient. Under this concept, an access point is defined only as an access point, and the guard has a separate card that only records that the guard was at this location at a specific time. This is very simple and straightforward and does not require special software.

The next step is systems with the capability of defining a number of access points of the system in a sequence that the guard follows during his or her tour and of defining the amount of time it should take the guard to move from one point to the next. In this case, it also is necessary to allow a little tolerance to adjust for the guard being a little early or late. If, for instance, it should normally take the guard five minutes to go from point 4 to point 5, it may be okay to make a ±30-second time window at point 5. If the guard is too early, it could mean that he or she is cheating somehow, and this will create a message at the host.

If the guard runs past the maximum time allowed (in this example, five minutes plus the 30-second fudge factor), then something may have happened to the guard, and the system generates a message, "guard too late at guard point 5." The guards at the control room then may call the patrolling guard on the radio. If the guard is just delayed in reaching the checkpoint, the report will log the actual elapsed time from the previous point--for example, six minutes, 25 seconds. Then the system will give the guard his or her allotted time to reach the next station on the tour.

For added flexibility, some systems also include a keypad. This arrangement enables the guard simply to use the card if everything is normal and on time. If, however, the guard knows he or she will be late to the next point, he or she can enter a code and get a time extension before having to be at the next checkpoint or can enter a duress code notifying the guards at the security control center.
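
The timed guard tour described in the last three paragraphs, as an added sketch (not the article's or a manufacturer's code). Times are seconds since the start of the tour; the tour layout, the class and method names, the choice to advance the tour after an early check-in, and the way a keypad extension lengthens the window are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Leg:
    station: int       # guard tour point the guard must reach
    expected_s: int    # normal walking time from the previous point
    tolerance_s: int   # allowed deviation, early or late


class GuardTour:
    def __init__(self, legs, start_s):
        self.legs = list(legs)
        self.pos = 0              # index of the leg being walked
        self.last_s = start_s     # time of the previous check-in
        self.extension_s = 0      # extra time granted by a keypad code

    def _window(self):
        leg = self.legs[self.pos]
        earliest = self.last_s + leg.expected_s - leg.tolerance_s
        latest = (self.last_s + leg.expected_s + leg.tolerance_s
                  + self.extension_s)
        return leg, earliest, latest

    def extend(self, seconds):
        """Guard entered a code asking for more time on the current leg."""
        self.extension_s += seconds

    def overdue(self, now_s):
        """Polled by the host: the message to raise once the window closes."""
        if self.pos >= len(self.legs):
            return None
        leg, _, latest = self._window()
        if now_s > latest:
            return f"guard too late at guard point {leg.station}"
        return None

    def check_in(self, station, now_s):
        """Return (status, elapsed seconds since the previous point)."""
        if self.pos >= len(self.legs):
            return ("tour already complete", None)
        leg, earliest, latest = self._window()
        if station != leg.station:
            return (f"unexpected point {station}, expected {leg.station}", None)
        elapsed = now_s - self.last_s
        if now_s < earliest:
            status = "too early"
        elif now_s > latest:
            status = "late"
        else:
            status = "on time"
        # The next leg is timed from the actual arrival, so a late guard
        # still gets the full allotted time to the following station.
        self.last_s, self.pos, self.extension_s = now_s, self.pos + 1, 0
        return (status, elapsed)


def demo():
    # Constructed tour; the leg to point 5 uses the article's 5 min +/- 30 s.
    tour = GuardTour([Leg(4, 240, 30), Leg(5, 300, 30), Leg(6, 120, 30)], 0)
    log = [tour.check_in(4, 250)]
    log.append(tour.overdue(250 + 331))     # window closed 1 second ago
    log.append(tour.check_in(5, 250 + 385))  # arrives after 6 min 25 s
    log.append(tour.check_in(6, 700))        # only 65 s later
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The lateness message comes from `overdue`, which the host evaluates on its own clock, so the control room is alerted while the guard is still missing and not only when the card is finally presented.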

A few systems allow an access point to be part of several different guard tours patrolled independently and simultaneously. Various statistics can be generated at the end of a shift--such as the average and total duration of any tour--and the system may randomly prompt the guards to begin various tours. Guard tours usually are found only in systems covering large, multifacility areas.

An alarm masking access point could be one located at the entry of an area secured with volumetric protection. Before a user is granted access to the area, one or more alarm points may have to be masked. The capability to do so is assigned to an access point, and the sensors to be masked are assigned with the user's card.

To put this in simple terms, a card can cause a masking operation. One or several alarm points may be grouped together into, for example, masking operation 19, the research and development lab on the third floor. Alarm points assigned to this masking operation are masked until the masking operation is reversed (user leaves the area) or until a specified masking time is up.

To prevent trapping a user in an area accidentally by removing a mask from a motion sensor in a hallway, alarm points may be part of several different masking operations that can be applied and removed independently of each other.
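
Overlapping masking operations, as an added sketch that is not from the article or any product. Operation 19 is the article's research and development lab; operation 20, the alarm point assignments and all names are constructed. A point raises an alarm only when no active operation covers it.

```python
class MaskingController:
    def __init__(self, operations):
        self.operations = operations  # operation number -> set of alarm points
        self.active = {}              # operation number -> expiry time or None

    def apply(self, op, now_s, duration_s=None):
        """Start a masking operation, optionally with a masking time limit."""
        if op not in self.operations:
            raise KeyError(f"unknown masking operation {op}")
        self.active[op] = None if duration_s is None else now_s + duration_s

    def remove(self, op):
        """Reverse one operation (user leaves); the others stay in force."""
        self.active.pop(op, None)

    def masked_points(self, now_s):
        expired = [op for op, end in self.active.items()
                   if end is not None and now_s >= end]
        for op in expired:            # the specified masking time is up
            del self.active[op]
        points = set()
        for op in self.active:
            points |= self.operations[op]
        return points

    def raises_alarm(self, point, now_s):
        return point not in self.masked_points(now_s)


# Alarm points written as (IDS, input), e.g. (1, 2) for (*1, 2).
LAB_SENSOR, HALLWAY_SENSOR, OFFICE_SENSOR = (1, 1), (1, 2), (1, 3)
OPERATIONS = {
    19: {LAB_SENSOR, HALLWAY_SENSOR},      # R&D lab on the third floor
    20: {HALLWAY_SENSOR, OFFICE_SENSOR},   # constructed second operation
}


def demo():
    ctl = MaskingController(OPERATIONS)
    ctl.apply(19, now_s=0)                    # until the user leaves the lab
    ctl.apply(20, now_s=0, duration_s=3600)   # timed, one hour
    ctl.remove(19)                            # lab user leaves at some point
    return {
        "lab at 1800": ctl.raises_alarm(LAB_SENSOR, 1800),
        "hallway at 1800": ctl.raises_alarm(HALLWAY_SENSOR, 1800),
        "hallway at 3600": ctl.raises_alarm(HALLWAY_SENSOR, 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Removing operation 19 re-arms the lab sensor but leaves the shared hallway sensor masked for the person still working under operation 20, which is the trapping case the paragraph above warns about.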

A two-person control point is the access point leading into an area in which at least two people have to be present. For this to operate properly, APB has to be in effect at all access points to the protected area, since the system must count the number of users entering and exiting the area. If the number of users within the protected area is zero, two users are required to enter their cards and/or codes within associated with this user, another message appears on the display informing the user that the weight sensors are now measuring the total weight of the entire mantrap module and the contents (user and anything carried in or out). This weight is then compared with the weight measured at the last passage (in or out) of this particular user. Any mismatch of these parameters causes an alarm within the security control center (SCC), and voice communication can be established with the person in the module.

Time and attendance access points vary greatly from one system to another (if time and attendance is offered at all). One simple way to provide such a service is to dedicate a card reader/keypad to recording employee entry to the facility, and then, at the end of the shift, the time of departure. Several software packages available from the nonsecurity industry take into consideration such variables as pay methods, overtime calculations, and comp time due. Time and attendance is an office function, not a security-related task, and as such should be kept away from the security system.

These are all examples of access point and alarm point assignments. Of course, an access point with a special assignment (such as an alarm masking point) will not perform its special function for every user who enters a card or code. These are just functions that the system performs from the specified access points when a card and/or code with matching assignments in the cardholder data base is entered to tell the system such information as which points to mask.

NOW LET US TAKE A LOOK AT SOME FUNCTION-RELATED card assignments such as the following:

* time assignment

* day assignment

* access point assignment

* activate additional relay or relays (always)

* activate additional relay or relays (during time zone)

* guard tour

* mask alarm point or points

* one- or two-person control

* visitor

* visitor escort privileges

* authority (such as the area supervisor)

The first three function-related card assignments are very basic and determine when and where a user is allowed.

The assignment "activate additional relay or relays" is used, for example, when elevator control is required. When used at an access point defined as an elevator control access point, the card and/or code tells the system to activate certain relays so the system knows the floors this person is allowed to go to (which relays to energize). Secondly, it may only be necessary to activate several relays during certain hours--for instance, during off-hours in the evening.

A card and/or code defined as a guard lets the system know that when this card and/or code is entered at an access point defined as a guard tour access point, it may not have to open the door but just log the guard as having reached the location. It will also know which tour this guard is patrolling, and may anticipate the arrival of a different guard patrolling a different tour when the same point is used in several guard tours.

When a mask alarm card and/or code is entered at an access point defined as an alarm masking point, the system knows which alarm points to mask and for how long. For instance, this allows a guard to cross an area protected with volumetric devices and an employee to work after hours in his or her area while the rest of the building is still secure.

A card and/or code can be defined as one that must be used in conjunction with someone else's card and/or code when entered at an access point defined as two-person control. This second person can be anyone else, a specific person, or a member of a specific group of persons. The system checks if two persons are required to enter together always or only if the current area occupancy is lower than two.

Visitor and visitor escort are variations of the same concept. The operator in the SCC can determine who has the authority to escort a visitor. A visitor status is assigned to a card or code not allowing the visitor to enter secured areas alone. A visitor is allowed entry only after the system has granted access to a person who has a card or code assigned with visitor escort authorization. If several visitors are escorted by the same person, the escort is granted access first and then holds the door open as the visitors enter their cards one at a time.

Authority is a multilevel feature that can be assigned to a card or code. In a way, the visitor/escort is a combination of two-person control and authority. The authority can be an area supervisor. When this person is present in his or her area, other users with access privileges into the area may enter.

If the supervisor leaves, no other person will be allowed into the area. This can be elaborated on by having several levels of authority (or priority) in the same system, the higher levels overriding the lower so that, for instance, the owner of the company can enter the area even if the supervisor is not present.

WITH THIS INFORMATION AS A FOUNDATION FOR SYSTEM design, let us look at a fictitious building. (See Exhibit 3.) This picture illustrates a building with 10 access points connected to three ACPs. The ACPs report on one common communication line to the host.

ACP1, access point 1, is the door into an office; access point 2 is an entry/exit reader from APB area 1; access point 3 is an entry/exit reader into APB area 2 from the outside of the building; and access point 4 is another entry/exit reader into APB area 1.

ACP2, access point 1, is an entry/exit reader into APB area 3 and also an access point with area loading and authority presence requirement. Access point 2 is an entry/exit reader into APB area 2, access point 3 is a normal access point with a request-to-exit push button, and access point 4 is unused at this time.

ACP3 has two access points, both just standard access points with request-to-exit push buttons.

As shown in Exhibit 3, the ACPs are located inside the area with the highest security level controlled by the ACP. We now add a safe and a filing cabinet to this, and, to check on the entire area, a guard tour.

First, let us add two more access points to the system. (See Exhibit 4.) We will add one to the filing cabinet (ACP3, access point 3) and one to the safe (ACP2, access point 4).

Now, let us determine how we want the guard to walk in this area. (See Exhibit 5.) Usually, the first station of a guard tour is at the SCC where the guard enters a card and/or code to initiate the tour. In this case, let us assume he or she walks directly to this building; therefore, we make the entry point here the number 2 station of the tour. So, configure ACP1, access point 3, as guard tour point 2 of tour number XX. It should have taken the guard four minutes to walk here from the SCC.

The guard in this case is also allowed to enter the area, so the system unlocks the door. The guard enters and walks to the exit reader/keypad of the area, which is not necessarily a guard tour station. The guard walks over to the reader/keypad at the filing cabinet (ACP3, access point 3). This is guard tour station number 3, and the elapsed time should be, let's say, 30 seconds, ±10 seconds from station number 2. He or she then walks to the reader at ACP1, access point 1 (guard tour station number 4). The system will not release the door here since the guard is not allowed into this office. He or she just needs to check that the door is locked. He or she then goes to guard tour station number 5 at the safe and then leaves the building.

If we now add alarm monitoring to the system by an IDS--and have the alarm points masked during normal working hours, allowing personnel to move without violating any alarm sensor--this would mean that when the guard enters his or her card and/or code at the entry, he or she must have the alarm points masked. So, now we made ACP1, access point 3, an entry/exit and guard tour station. We also must make it mask alarm point 1, 2, 3 of IDS1 -- (*1, 1) (*1, 2) (*1, 3).

This example has been an attempt to illustrate the concepts and applications of the various assignments that can be made to access points, cards or codes, and alarm points. There are, of course, many ways to arrive at the same result. In this particular example, one communication line connects the ACPs and the IDS to a host computer.

The host in this case makes all decisions, sends commands to the ACPs and IDS, grants access, masks alarm points, etc. It is, however, more and more common that the various ACPs and IDSs communicate and send commands to one another without the host having to make all the verification and decisions. It is the direction future systems will take--toward more powerful controllers, more intelligence, and more decision making at the local level. This will reduce the dependence on communication lines and host computers, as well as increase the speed of each transaction or decision.

The host computer will increasingly be used as a presentation enhancer with features like color graphic displays and extensive information on each alarm and/or access point, including messages that prompt the guards to take certain actions. The capability of the host to generate various types of reports and statistics will develop as more software becomes available.

Some manufacturers use a distributed processing/data base system, where several smaller hosts are connected to form a network of their own. Each host communicates with a larger central computer. In large-scale systems, this approach minimizes the dependence on communication lines while the system can still be operated and programmed from either the central host or a local station.

In the case of smaller, decentralized systems, look for more features as processing power and memory increase, allowing each local panel to increase the data base of users, access and alarm points, and of course the instructions (software). There also will be more flexibility, allowing card technologies of different designs to work in systems that also use codes and/or various biometric devices.

With the intense research and development currently taking place, security and confidence in all categories of the industry are increasing. Remarkable new applications are now in the process of being developed, promising a bright and exciting future for the security system industry.

Lars R. Suneborn is national training manager for Hirsch Electronics Corporation in Irvine, CA. He is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Title Annotation:access control security
Author:Suneborn, Lars R.
Publication:Security Management
Date:Jul 1, 1989