1. Field of the Invention
This disclosure relates to the field of electronic locks, and in particular to wireless access control systems and methods which permit wireless communications between a plurality of self-authenticating remote access controllers and a central access system in real-time. Further, the disclosure relates to wireless access control systems that have the ability to control an interlinked lock cascade (secondary locks residing on the same structure).
2. Description of Related Art
The need to have secured access to certain parts of facilities, such as, but not limited to, hospitals, has resulted in a long narrative history of access control devices and systems. In the beginning, simple mechanical locks (lock and key holes) were used to limit access to restricted areas. In the mechanical lock system, tangible keys were provided to authorized users. If locks were changed, new keys were provided to all authorized users. This approach was both costly and confusing. Without a way to identify the individual lock (an identifying mark or embossed code) it was challenging to identify the appropriate key for a specific lock. Since many authorized users would carry large numbers of mechanical keys, the process of finding the correct key for a specific lock could be a cumbersome one. The process was also subject to fraud since mechanical keys could easily be duplicated without detection. Thus, when a key was lost or misplaced, individual locks would often have to be replaced with new locks and new keys would have to be distributed to authorized users. This reconfiguration of locks and distribution of new keys was also generally undertaken whenever a user's access was revoked (e.g., because they had ceased employment and were no longer authorized to access the facilities). In any area where large numbers of authorized users were present and there was a frequent turn-over in authorized users (i.e., authorized users were added or cancelled every day), the simple mechanical lock system had significant deficiencies (e.g., high cost, high administrative burden) and, in many respects, was necessarily insecure due to the complexities of updating the system.
The access control system field advanced with the advent of credential cards or “tokens” that utilized new microelectronic technology. These advances made the cumbersome processes of the distribution of new keys and the reconfiguration of lock cylinders less expensive, as each lock no longer required a specific key. Instead, with these new technologies, locks could be programmed to accept certain credential cards or tokens, but not others. In effect, instead of having to distribute different physical keys for each lock (creating a “janitor's key chain” for authorized users), each individual had a universal credential which was accepted by all locking mechanisms in the facility they were authorized to open.
Despite the improvements of this system over the traditional mechanical lock system (such as the elimination of the need for a single user to carry multiple keys), it still had problems, one being the requirement that credential codes had to be adjusted locally at each lock in the system when the access of a particular key had to be changed. Because of the natural turnover in users (i.e., adding and removing users from the system), this system still required frequent updating and intensive manpower to maintain. The maintenance and updating process for this system was labor and cost intensive. Changes in the access database required credential changes at the specific lock location since each lock was independent (none of the devices were attached to a central access database). This required personnel to move from lock-to-lock to reprogram each lock or have the locks brought to a central location which rendered them unavailable for others to use while they were being updated.
The next development in the access control system field involved wiring all of the individual locking mechanisms in the system to a central access controller to create a locking mechanism network. This networked system allowed a security operator to reprogram each locking location from a central command/control station. While these systems solved the problem in previously utilized systems regarding the localized changing of access codes for each locking mechanism, these wired network systems were expensive to deploy and complex to install. For example, each individual locking mechanism had to be hard wired. Further, retrofitting into preexisting structures often proved to be very expensive. In addition, these wired networks were unusable on mobile devices such as drug carts, mobile computer stations, and related objects that were not rigidly attached to the structure.
The next advance in the field of access control systems was an elimination of the need to hard wire each of the individual locking mechanisms to the network by coupling a wireless communications device to each individual lock mechanism. In the operation of these systems, once a credential was presented to a locking mechanism, a signal associated with that credential would be wirelessly transmitted from the locking mechanism to the central access controller to determine whether or not the credential represented an authorized user. Once it was determined whether or not the credential represented an authorized user by the central access controller, a control signal either granting or denying access would be sent from the central access controller to the locking mechanism. Gonzales, et al. (U.S. Pat. No. 5,936,544) provides an example of such a prior art system.
While these systems eliminated some of the problems associated with wire-based access systems, they still had drawbacks. One drawback was the failure of these systems to have an onboard database at each individual locking mechanism that stored the current access information. This required each individual locking mechanism to communicate with the central control database on every entry attempt. This consistent back-and-forth communication resulted in a significant consumption of power. Further, the delay inherent in this communication could be problematic in emergency or normal operations where time is of the essence and the authorized user must quickly enter or exit the authorized area controlled by the locking mechanism. For example, if multiple requests were made to the central control unit simultaneously, or if the wireless communication was interrupted by external factors (such as cell phone signals, radiation usage in a hospital, etc.), an authorized user could experience significant delays in achieving access due to the central access controller having to handle increased traffic or not receiving the necessary requests. Further, if the central access controller experienced failure, none of the individual locking mechanisms would be functional and access to all of the areas controlled by the network would generally be completely denied.
Improvement of the centralized wireless access system occurred with the entrance into the market of access systems such as those described in Rodenbeck, et al. (U.S. Pat. No. 6,720,861). These systems marked an improvement over the original centralized wireless remote access system by their “decentralization” of the locking/unlocking process. Instead of only having a centralized database, these systems placed a decision making apparatus and associated database at each localized locking mechanism.
While these decentralized wireless systems solved the delay problem that was associated with the original centralized wireless systems (and overcame some of the power usage issues), they still had some inherent problems. In these systems, changes to authorized user access (e.g., the addition or deletion of authorized users) were made at the level of the centralized database; these changes were not made at the localized database at each individual locking mechanism. Accordingly, updates for the localized databases at each of the individual locking mechanisms had to be periodically obtained from the centralized server. Thus, the localized locking mechanisms of these systems would periodically request an update from the centralized database for their localized database. These systems would not transmit a signal for each event that occurred at the localized locking mechanism, but instead would periodically request an update for the internal database.
This periodic signal updating methodology was associated with two main problems. First, this methodology could still result in significant delays; access of an authorized user at an individual locking mechanism could be delayed as the system updated by propagation of signals through the system. Second, this methodology could allow a former authorized user whose access rights had been revoked to access the facility for a certain period of time until the update could propagate through the system and update the localized databases of the various locking mechanisms. Thus, this system carried with it a security loophole. Individuals who no longer had access to the facility could access areas in which they were no longer permitted until the time at which the localized database was updated. In addition, individuals who had just been granted access would not be able to access areas which they were authorized to access until the local database had been updated.
Carrieri (U.S. Pat. No. 7,701,452) continued the road of advancement in the access system field by providing enhancements to decentralized wireless access control systems. In the system disclosed in Carrieri, the complete database of access control data is transmitted from the centralized database to the individual locking mechanisms upon any of the following events: 1) an invalid access request signal at the individual locking mechanism; 2) a communication command input at the individual locking mechanism; 3) the expiration of a timer coupled to the individual locking mechanism; or 4) the activation of a transducer that is coupled to the individual locking mechanism by a transducer stimulator located remotely from the transducer. Upon any one of these events, a wireless signal is sent from the localized locking mechanism to the central database instructing it to send an updated database to the localized locking mechanism. If the update was brought about by an invalid access request, after the update the presented credential is compared to the newly updated localized database to determine whether or not the credential represents an authorized user in a “re-comparing” step.
As with the art before it, while Carrieri represents advancement in the field, this approach also has its own flaws. First, this system still allows access to a user whose credentials have been revoked during the window between the time at which his or her credentials are revoked and the time at which the localized database automatically updates (e.g., when the timing mechanism expires). If a user's credentials are recognized in the localized database (which they would be if the localized database had not been updated since the time at which the user's credentials had been revoked at the centralized database), the user will be granted access.
Second, the system of Carrieri also unnecessarily consumes energy, resources and power. For example, an entire database update is sent from the centralized database to the localized database every time an unrecognized credential is presented to a localized locking mechanism. Thus, a full database upgrade (and the loss of bandwidth and power consumption associated with such an upgrade) occurs even when, in the end, the credential is invalid and there have been no changes to the central database.
Third, in large scale applications (where the number of localized locking mechanisms and the number of individual codes in the database is large) the amount of data being transmitted over the network with multiple database upgrades in the Carrieri system could potentially be enormous, causing a huge burden/drain in terms of power consumption. This unnecessary updating of a database which, possibly, has not changed since the last automatic update reduces the usefulness of the network by occupying unnecessary bandwidth and increasing the number of server access calls.
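The first two flaws described above can be reproduced with a small model of a lock that keeps a local copy of the access list and refreshes it only on timer expiry or on an unrecognized credential. This is an added example, not code from the disclosure or from Carrieri; the class names, credential names and the 3600-second timer are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CentralDB:
    authorized: set
    full_transfers: int = 0            # complete-database sends so far

    def full_copy(self):
        self.full_transfers += 1       # every update ships the whole list
        return set(self.authorized)

@dataclass
class Lock:
    central: CentralDB
    timer_period: int                  # assumed seconds between timer updates
    local: set = field(default_factory=set)
    last_sync: int = 0

    def sync(self, now):
        self.local = self.central.full_copy()
        self.last_sync = now

    def present(self, credential, now):
        # Update trigger: expiration of the lock's timer.
        if now - self.last_sync >= self.timer_period:
            self.sync(now)
        # A locally recognized credential is granted with no central check.
        if credential in self.local:
            return True
        # Update trigger: invalid access request, then the re-comparing step.
        self.sync(now)
        return credential in self.local

def run_scenario():
    central = CentralDB({"alice", "bob"})          # constructed credentials
    lock = Lock(central, timer_period=3600)
    lock.sync(0)
    central.authorized.discard("bob")              # revoked centrally only
    stale_grant = lock.present("bob", 600)         # inside the timer window
    after_timer = lock.present("bob", 3600)        # timer has expired
    before = central.full_transfers
    unknown = lock.present("unknown-badge", 3700)  # central list unchanged
    wasted = central.full_transfers - before
    return stale_grant, after_timer, unknown, wasted

if __name__ == "__main__":
    print(run_scenario())
```

The revoked credential is still granted at t=600 because the lock never consults the central database for a credential it already recognizes, and the unknown badge costs one full transfer although nothing changed centrally.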
While the above show a clear progression toward improved access control systems and ease of updating, as noted, all of these systems have flaws. In the above systems, there is generally unnecessary energy consumption and use of network bandwidth (as in the system of Carrieri) when a complete database upgrade is sent to an individual locking mechanism every time an unrecognized credential is presented. Further, each of the above systems has a security loophole in which, for a period of time, a previously authorized user whose credentials have been revoked retains access rights in the system until the next regularly scheduled update from the centralized database.
Another problem with the above systems is that they do not provide for a system that ensures that a cascade access is made correctly by an authorized user. A cascade access requires a user to present security credentials to access a first level of security, then once past the first level the user must present further credentials to access a further, deeper level of security. One example of a common application for a cascaded security lock is a hospital's anesthesia cart. A number of hospital personnel may be allowed to access the cart to obtain anesthesia paraphernalia and drugs (the first level of security). However, certain controlled substances (such as narcotics) may be stored on the same cart, but will only be accessible to those with a heightened level of security access (the second level of security). In most present systems, the second level of security requires the presence of a credential to open the first level of security, and an unrelated credential to open the second. However, in the presently utilized cascade systems there is generally no indication that the credential used to gain access to the first level of security corresponds to the credential used to gain access to the second level of security. There is no connection between the security credentials for the first level of access and the second level of access. Accordingly, these unconnected systems could potentially be accessed insecurely by use of multiple different security credentials.