The fundamental processing means and methods for pneumatic tube systems are well known. Their basic function is transfer of physical packets (“carriers”) among a plurality of nodes or terminals (“stations”). The stations are physically interconnected by the use of pneumatic tubes/pipes, various types of switches (“transfer units”, “multi-linear transfer units”), and queuing and accumulation devices and/or piping constructions (“Traffic Control Units”, “Zone Gates”, “Selective Bypass Zones”, “Interzones”). These devices collectively define a pneumatic tube network. Interactions between these devices is generally controlled by one or more intelligent processing devices (computers, embedded controllers, programmable logic controllers, etc.) running software, firmware, or middleware to affect the desired device and system behavior to allow for successful carrier transport.
In normal operation, a sending user places a carrier in a launching device of a source station and enters the destination station through a keyboard or other interface device. The system then moves the carrier from source station to the destination station through the pneumatic tube network and its associated devices. The receipt of a carrier within the system and delivery to a destination station is often termed a ‘transaction’.
In most cases, sending users interact with the system as described. Once the carrier is accepted by the system, the system accepts accountability for delivery of the carrier. In most cases, the carrier arrives at the intended destination station without difficulty. In other, specific cases, the carrier arrives at a destination station other than the intended destination station or the carrier may be returned to the sending/source station. This sometimes occurs when a part of the network needed for the intended transaction is unavailable or when the target destination station is grouped (e.g., by the system administrator) with other stations usually in close proximity. Grouping increases the overall reliability of a station-receiver combination by assuring the carrier has a place to go should the original target destination station be full or otherwise unavailable.
Under the conditions described, the actions of sender and recipient are asynchronous and uncoordinated. A sender is sending a carrier to a station, not a specific recipient, and the recipient is unaware that a carrier is inbound for their receipt. A recipient takes action when the carrier arrives and they are notified a carrier is in the station, for example, audibly via a triggered horn or alarm or visually by observing a carrier is in the station. While these methods have typically resulted in a carrier being delivered to at least the correct region of a facility (e.g., hospital), a specified recipient may or may not retrieve the carrier.
As many facilities such as hospitals are open environments, this can result in lost transactions or poor accountability between the sender and recipient. While the system and its computers can verify that a carrier has arrived, it is though inferential logic based on, for example, time of day, the intended routing through the pneumatic system and/or and the presence of other carriers that it is inferred that a specific carrier was, in fact, correctly delivered. Recipients may retrieve carriers intended for others, leaving the original recipient unsure of the system's reliability since they may never directly receive a particular transaction. Finally, payloads of some transactions are subject to pilfering. For example, monetary transactions and pharmaceutical/drug delivery transactions may be subject to unauthorized removal after delivery to a destination station. Additionally, transactions may contain confidential or privileged information the receipt of which should be limited to authorized recipients.
Pneumatic tube system manufacturers have responded by providing several methods for improving delivery side security (e.g., access control methods). The first and simplest was to develop and install physical security and barriers at the stations themselves. These measures usually include a door or barrier between the delivered carriers and the general public. The door may be transparent or opaque and may include a lock. These devices are designed to provide a modest level of physical security by assuring only authorized personnel have access to the delivered carriers. While such systems decrease the chance of unauthorized personnel and/or third parties accessing a carrier, they do little for assuring the delivered carrier is reliably delivered to a specific person. In addition and like all physical barriers, the barrier can be defeated readily by, for example, users who forget to close and/or lock the door.
Another access control method is to physically hold the carrier in the destination station away from the receiver bin, typically above the bin pneumatic tube that connects the station to the pneumatic system. Since the carrier is held out of the bin, a recipient (intended or otherwise) must interface with the system controls by entering a PIN number, access code or other means designed to assure the transaction is tied to a specific individual. Once the correct PIN has been entered, the system releases the carrier from the station and drops it into the bin for retrieval, presumably by the intended recipient.
This approach is more secure than the simple physical barrier because it (a) often requires complete disassembly of the recipient station to retrieve the carrier, effectively limiting anyone except a maintenance person from recovering the carrier by any means other than the one intended, and (b) maintains transaction control and traceability from sender to recipient. While better than the physical barrier of a door, this approach also has its limitations. For instance, system resources may be occupied and/or reserved for the secure carrier, until its delivery is complete, effectively limiting or reducing overall system throughput. For instance, a recipient station holding a secure carrier may be unavailable for sending or receiving other carriers. Such an action disrupts traffic throughout the network.
An additional limitation of this method is the retention of certain open-loop aspects of the chain of custody. For example, a system or department-wide PIN number would augment the physical barriers of carrier retention behind the door or inside the station housing, but only guarantees that the individual who received a carrier knew the PIN number. It is often inferred that a specific PIN number is specific to a particular person. However, anecdotal evidence and experience points to sharing of PIN numbers among users and/or such PIN numbers being written in conspicuous locations. Other access control methods deployed by pneumatic tube suppliers also have certain limitations. For instance, access control cards may be issued to employees and healthcare workers. Though it is intended that such a card provide access to the person to whom the card is issued, the card will provide access to any person possessing the card itself.
Biometric solutions such as fingerprint identification and retina scan seek to overcome some limitations of ownership by assuring there is no practical physical means for transferring the physical property measured (i.e. a fingerprint) and the associated system access to another person. Using these techniques, access control remains persistence, and ownership is assured. While assuring the recipient is, in fact, physically present, these methods do not verify that the carrier delivered to the recipient is the correct carrier. Again, it is inferred by the location of the carrier in the system that the transaction and is the one intended for the identified recipient. Finally, like all access control methods, these methods do not address the related problems of requiring synchrony between sender and recipient, freeing system resources until access is needed, and/or verifying the transaction and carrier are in fact the one intended for the recipient except by inference.