For over thirty years, access control systems have been used to control access to all or parts of buildings. For example, such systems can impede unauthorized personnel from using the elevators to gain access to particular floors of a building. Upon entering the elevator cab in an access controlled elevator, an unauthorized person may find all of the floor select buttons unresponsive.
After presenting an authorized credential to a credential reader within the cab of an elevator, a person may be allowed to make particular floor selections. The access control system, upon receiving the access control indicium from the credential reader, responds by releasing the exclusions on the set of authorized floor select buttons for that credential. The person makes his selection from this authorized set and the elevator then responds by delivering the person to the selected floor.
Those of skill in the art will recognize that an access control indicium may be any of a variety of signals and may include, without limitation, numeric codes, such as a magnetically encoded control number on an access card, or biometric data. Accordingly, “access control indicium” as used herein refers to any information provided, directly or indirectly, by a person seeking access to a building. Similarly, a “credential reader” provides a data input to an access control system, and includes, without limitation, conventional card readers as well as more sophisticated devices such as biometric scanners.
In many real estate settings, common areas and resources may be shared among several different tenants. These common resources must be used to provide access to the tenants' private areas. For example, in an office tower tenants share the lobby, parking areas, high volume air conditioning (HVAC), and elevators. During off hours, these common resources are usually restricted to authorized individuals. In the case of elevators or HVAC, only parts (partitions) of the entire building's resource may be utilized by a tenant's authorized employee. Each tenant may wish access for thousands of individuals to these resources to comfortably access its private space.
For example, a high rise office tower may house several large corporations. Those corporations could desire access for all their employees to employee amenities like an automated teller machine (ATM) or a cafeteria. It has long been common practice for each tenant to equip their personnel with electronically readable credentials (coded indicia), which serve as a key to access the tenants' private areas. These credentials, when used in conjunction with electrically controlled locks on the building portals, are known as card access systems. The advantages of card access systems are well known to the owners and managers of these properties.
As these systems have proliferated, it has become common for each tenant within the building to purchase its own proprietary access control system. The owners and managers of these properties desire to accommodate each tenant's desire to grant access to authorized individuals, yet deny access to all others. The property managers have essentially four choices: (1) issuing their own credentials to all authorized people; (2) allowing each tenant to mount its own credential reader and controls at the building portals; (3) requiring each tenant to periodically share its list of authorized credentials with the property management; or (4) exposing each tenant's credential database on a common network. Each of these four techniques has significant disadvantages as described below.
Issuing everyone their own building management credential has several disadvantages. First, it requires the purchase and distribution of credentials for everyone authorized to use the common spaces after hours. Typically, the common area credentials are incompatible with the tenants' proprietary standards for credentials. Therefore, this technique often requires the individuals to carry multiple credentials. Additionally, the building management must synchronize their credential list with changes from each tenant's roster. The typical implementation is a manual system of faxed or emailed paperwork. A common problem with a manual system is the building's database becoming “stale” with outdated information.
The result can be terminated individuals still having access to the building and newly hired individuals being denied access because the system which transmits the changes from the tenant to the building management has broken down or is slow. Problems can range from inconvenience for the newly hired to a potentially dangerous situation where an aggressive terminated employee has after-hours access to the common areas.
Allowing each tenant to mount its own credential reader and control system on the building portals results in an aesthetically disagreeable and confusing collage of credential readers at each of the building resource portals. It is difficult and expensive to integrate more than one access control system with partitioned resources, like elevators or HVAC systems. The expense and large number of interconnections required make ordinary integration techniques impractical.
Additionally, if one of the controlling systems should fail, often the building's resources are either locked or unlocked at the wrong times. With the portals controlled by multiple entities, the problem requires diagnostics to pinpoint the trouble source. Even knowing the source of the problem, multiple vendors must frequently be coordinated to resolve the problem. The diagnostic procedure and subsequent vendor coordination slow the repair process when compared to a single portal, single vendor solution.
If the tenant and the management can agree upon a specific credential technology, then building management can update their database of valid access credentials based on a database extraction of the tenant's system. The issue of choosing a specific credential technology has been eased by the introduction of credential readers capable of reading multiple technologies. An example of a multi-technology credential reader is disclosed by U.S. patent application Ser. No. 11/470,660, Andresky, et al., “Synchronization Techniques In Multi-Technology/Multi-Frequency RFID Reader Arrays,” page 1 paragraph [0011], and embodied by the HID Model RP40 multiCLASS Reader 6125. See, for example, http://www.hidglobal.com/documents/rp15_rp40_rpk40_ds_en.pdf.
An example implementation of this technique was demonstrated by George Mallard's article “Future of access control tied to integration” in Access Control Magazine volume 34, number 10, September 1991, page one. This technique works well and addresses the aesthetic and service problems of multiple credential readers at the building portals. This technique partially addresses the “stale” database problems because the download and processing cycles are typically a batch process. The typical system has the batch run once a day, first by the tenant, then by the property management. Tenant credential changes done after their batch wait a full day before becoming active in the building's system.
However, maintenance of the database transfer can be problematic and requires customization of both the tenant's and the building management's access control systems software to accommodate the extraction and importing of each tenant's authorized credential list. Finally, many companies are reluctant to share a list of their credential holders with outside entities.
The Federal Government has addressed this same problem of authentication of credentials where several agencies need access to a shared portal. Its method of cross agency authentication is documented by the Backend Authentication Work Group prepared for the Federal Smart Card Interagency Advisory Board (IAB), “Framework for Interagency Authentication of Federal Personal ID Tenant Verification (PIV) Cards,” August 2006, see: http://www.idmanagement.gov/iab/documents/FrameworkInteragencyAuthenicationFederalPIV.pdf.
This method defines a protocol where one agency can query another agency's security database over a network. While this method addresses the problem of multiple tenant authentications, it does require each tenant to expose its security database on a common network and all entities to conform to a standard protocol. On page seven of the report, the authors note that “A secure means of transporting these messages must be devised.” Further, on page 12, the authors state “The most important aspect of this security (since the message payload will be encrypted) is that a gateway can trust that the message was sent by another trusted gateway.” The Federal Government has the resources to implement the security required by this technique.
However, in a commercial environment, cost is a factor. Therefore, as is known to those skilled in the art, the cohabitation of databases on a common network both opens the possibility of unauthorized access to sensitive information and is expensive to implement and maintain. The standard protocol for exchange of information may not be supported by all tenants, and therefore requires expensive modifications to their access control systems. These factors make the common protocol choice unattractive for commercial users.
Further, multi-tenant control systems face a plethora of data encoding and access control options. In a typical prior art system, the credential reader communicates the alphanumeric code read from the individual's credentials to a control panel utilizing serial data, clock plus data, F/2F, or the Wiegand interface well known to those skilled in the art. Serial data is sent using an interface standard such as defined by the RS485, RS232, RS422, F/2F, or other standard. The Wiegand interface was defined by Sensor Engineering in the early 1980's and is documented in the HID application note AN004.DOC prepared by Eric Sprik Sep. 21, 1998 page 9, see www.hidglobal.com/documents/0004_an_en.pdf. Also, the 2005 HID document “Understanding Card Data Formats” http://www.hidglobal.com/documents/understandCardDataFormats_wp_en.pdf documents the Wiegand message structure.
Tech Tip #5 within Mr. Sprik's AN004.DOC page 11 discusses the structure of a common indicia coding. A coding example is shown in FIG. 3A and FIG. 3B. A credential with an indicium facility code of 159 and a personal identification number of 2199 is illustrated in both figures. This coding has 26 binary digits, or bits, formed from the two parity bits 301, 304, the eight facility code bits 302, and the sixteen personal identification number bits 303.
Error checking is illustrated in FIG. 3A. The first parity bit 301 is set so that the count of bits with a value of 1 in the combined set of the first parity bit 301 and the first twelve significant bits 307 is an even number, in this case six. This scheme is known as “even parity”.
The second parity bit 304 is set so that the count of bits with a value of 1 in the combined set of the second parity bit 304 and the last twelve significant bits 306 is an odd number, in this case seven. This scheme is known as “odd parity”. Parity is used to ensure the coding was correctly read from the credential.
The structure of the indicia coding is illustrated in FIG. 3B. The eight bits used for the facility code 302 define a set of two hundred and fifty-six unique facility codes. The facility code 302 shown is 159. The sixteen bits of the personal identification number 303 define a set of sixty-five thousand, five hundred and thirty-six unique personal identification numbers. The personal identification number 303 shown is 2199.
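The twenty-six bit coding described above can be worked through in code. The following is an added example, not part of the original text or of any vendor's software; the function names are hypothetical, and the frame is assumed to be held as an integer with the first parity bit as the most significant bit. It encodes the credential of FIG. 3A and FIG. 3B, checks both parity bits on decode, and shows that parity catches a single misread bit but not two misread bits in the same half.

```python
"""26-bit credential coding: 1 even-parity bit, 8 facility-code bits,
16 personal-identification-number bits, 1 odd-parity bit.
Added illustration; names and integer layout are assumptions."""

FC_BITS = 8                      # facility code 302
PIN_BITS = 16                    # personal identification number 303
DATA_BITS = FC_BITS + PIN_BITS   # 24 bits between the two parity bits
HALF = DATA_BITS // 2            # each parity bit covers twelve data bits
FRAME_BITS = DATA_BITS + 2


def _ones(value: int) -> int:
    """Count the bits with a value of 1."""
    return bin(value).count("1")


def encode26(facility_code: int, pin: int) -> int:
    """Build the 26-bit frame, first parity bit in the top position."""
    if not 0 <= facility_code < (1 << FC_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= pin < (1 << PIN_BITS):
        raise ValueError("personal identification number must fit in 16 bits")
    data = (facility_code << PIN_BITS) | pin
    first12 = data >> HALF
    last12 = data & ((1 << HALF) - 1)
    even_parity = _ones(first12) & 1        # total count of ones becomes even
    odd_parity = (_ones(last12) & 1) ^ 1    # total count of ones becomes odd
    return (even_parity << (DATA_BITS + 1)) | (data << 1) | odd_parity


def decode26(frame: int) -> tuple:
    """Return (facility_code, pin); raise ValueError on a parity failure."""
    if not 0 <= frame < (1 << FRAME_BITS):
        raise ValueError("frame must fit in 26 bits")
    first13 = frame >> (HALF + 1)               # parity 301 + first 12 bits
    last13 = frame & ((1 << (HALF + 1)) - 1)    # last 12 bits + parity 304
    if _ones(first13) % 2 != 0:
        raise ValueError("even parity check failed")
    if _ones(last13) % 2 != 1:
        raise ValueError("odd parity check failed")
    data = (frame >> 1) & ((1 << DATA_BITS) - 1)
    return data >> PIN_BITS, data & ((1 << PIN_BITS) - 1)


def misread_is_detected(frame: int, flipped_positions) -> bool:
    """Flip the given bit positions (0 = last bit) and report whether the
    parity checks reject the damaged frame."""
    damaged = frame
    for position in flipped_positions:
        damaged ^= 1 << position
    try:
        decode26(damaged)
    except ValueError:
        return True
    return False


def frame_bits(frame: int) -> str:
    """Render the frame as 26 binary digits, first parity bit leftmost."""
    return format(frame, "026b")


if __name__ == "__main__":
    frame = encode26(159, 2199)          # the credential of FIG. 3A / 3B
    print(frame_bits(frame))
    print(decode26(frame))
    print("one bit misread, detected:", misread_is_detected(frame, [5]))
    print("two bits misread in one half, detected:",
          misread_is_detected(frame, [1, 2]))
```

Because two misread bits in the same half decode cleanly to a different personal identification number, parity here is a read-integrity check only and says nothing about whether the credential is genuine.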
A tenant's facility code distinguishes its credentials from those belonging to other tenants, much like telephone numbers. A person in Houston could have the same seven digit phone number as someone in New York. But different area codes make these phone numbers unique.
In the same manner, a twenty-six bit credential from tenant A may have the same personal identification number as someone from tenant B. The facility codes make the credentials unique. However, because this twenty-six bit coding scheme was devised by Sensor Engineering in the late 1970's, the success of access control equipment has rendered the twenty-six bit coding scheme outdated.
Schemes with many more bits, both for the facility code and the personal identification number, have been devised. These methods allow the manufacturer to enter into agreements that allow entities to “own” their facility codes. This practice is documented in the 2005 HID white paper “Understanding the Corporate 1000” page 1, http://www.hidglobal.com/documents/understandingCorp1000_wp_en.pdf. Some of these newer schemes have more parity bits and/or error checking and correction bits, as known to those skilled in the art. Essentially, any of the techniques used for error checking and/or correction in serial data transmission can be employed for the credential indicia, for example Cyclic Redundancy Checking.
Other schemes for dividing the indicia coding have been devised. One example divides the indicia into facility, site, and card number as documented in the 2005 HID white paper “How an HID Card is Read” page 2 http://www.hidglobal.com/documents/howHIDcardIsRead_wp_en.pdf.
Access control systems also face varying requirements for access security. For example, elevators are a portal through which tenants pass to access their private spaces. Security methods have been devised to limit use to preauthorized sets of floors. One method simply treats the ground lobby “Hall Call” button that summons an elevator to the floor as a control point. A card reader is associated with the button preventing its use without an authorized credential. Elevators frequently service more than one tenant. This method does not prevent one tenant from accessing another tenant's floor serviced by that same elevator.
A better method for securing elevators is to view them as a partitioned resource, each floor being a partition element. The addition of access control system relays, one for each floor select button, implements the partitioning system. When a relay is inactive, the associated floor select button is unresponsive. Upon reception of an authorized indicium, the access control system activates the set of relays corresponding to the floors authorized for that credential. This allows the credential holder to register his request to the elevator control machinery by pressing one of the now responsive floor select buttons. Pressing a floor select button associated with an inactive relay will not register with the elevator control machinery.
Referring to FIGS. 2A-2C, a prior art control system is illustrated. A credential holder 200 approaches resource portal 209 and presents his credentials to credential reader 201. The electrically encoded identification is transmitted to control panel 202 via processor connection 106. The control panel 202 then formats this identification into a message and transmits it to the monitoring computer 204 via first, second, and third communication lines 203, 215, and 216. This message is received by the monitoring computer 204 which processes the message. The monitoring computer 204 consults a database of authorized users returning a message that authorizes access to the appropriate portions of the resource. The resource partitioning panel 208 receives the message from first and second communication lines 203 and 215 and via cables 105, activating appropriate relays (211a through 211n of FIG. 2C) within resource partitioning panel 208. Each of relays 211a through 211n corresponds to a partition of the resource. In the example of an elevator control system, the resource partitions correspond to floors. A floor selection will only be registered as a floor call by the elevator machinery if the associated relay is active.
The resource selection panel 214 is illustrated in FIG. 2B for an elevator. The floor select buttons (210a through 210n) are mounted on the resource selection panel 214. Credential holder 200 closes the desired electrical contact (one of 210a through 210n) by pressing the respective button.
The resource partitioning panel 208 circuitry is illustrated controlling access to the resource, elevator floor selections. The floor select buttons (210a through 210n) are normally open pushbuttons. The normally open contacts of the partitioning relays (211a through 211n) are wired in series with the floor select buttons (210a through 210n).
The elevator machinery control 212 registers a closure on the floor select inputs (213a through 213n) as a floor call. It responds by delivering the credential holder 200 to the corresponding floor. When secure, closure of the floor select button (210a through 210n) is not “seen” by the elevator machinery floor select inputs (213a through 213n), because the circuit is open at the inactive relays (211a through 211n). Thus, the resource partitioning panel 208 prevents floor requests from being registered.
When the credential holder 200 presents a valid credential to the credential reader 201, the access system responds by activating only those relays (211a through 211n) corresponding to the subset of floors the credential holder is authorized to access. The selected relays (211a through 211n) are active for the period of time deemed sufficient for the credential holder 200 to make his selection. The relays (211a through 211n) outside of the subset are not active. Thus, the floor select buttons not included in the subset are not responsive.
Some of the newer elevator machinery controls provide specific partitioning relay inputs. Software within the elevator machinery controls effectively places the relays (211a through 211n) in series with the floor selection buttons (210a through 210n). Other circuitry required to provide life safety and other functionality has been omitted for clarity. The fire alarm interface is an example of the omitted circuitry.
The number of floor select buttons in high rise elevators frequently exceeds the relay capacity of common access control panels. Often, the resource partitioning panel 208 is implemented as an independent controller. The Optomux controller, manufactured by Opto22 of Temecula, Calif., has the capacity for an array of up to sixteen relays. (See, for example, http://www.opto22.com/documents/1546_E1-—E2_brainboard_datasheet.pdf.) Should an elevator require more than sixteen control relays, multiple Optomux panels may be grouped implementing a larger resource partitioning panel 208.
A string of ASCII characters controls the Optomux. Received from an RS-485 or ethernet circuit, the string indicates which relays are to be active and for how long. When an indicium is presented to the credential reader 201, the monitoring computer 204 responds with a string appropriate for that credential. This string is directed to the resource partitioning panel 208. The resource partitioning panel 208 activates the predefined subset of floor select relays (a subset of 211a through 211n), as directed by the aforementioned string. Only then is the credential holder 200 free to make his floor selection. Because only the predefined set of floor selection buttons is active, the credential holder selection is limited to that set. After a short period of time, a typical value being 15 seconds, the floor select relays (211a through 211n) are deactivated, securing the floor select buttons.
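The partitioning behavior described in the preceding paragraphs can be modeled in a few lines. The following is an added example, not the code of any prior art system and not the Optomux command format; the class, the function names, and the authorization table are hypothetical, and relay index 0 stands for relay 211a. It splits an authorized floor set across grouped sixteen-relay panels, holds the relays active for the typical 15 seconds, and registers a floor call only when the button and its series relay are both closed.

```python
"""Model of a resource partitioning panel: one relay per floor select
button, wired in series, activated for a fixed window per credential.
Added illustration; names and the table below are constructed."""

RELAYS_PER_PANEL = 16    # relay capacity of one panel, per the text
HOLD_SECONDS = 15.0      # typical activation period, per the text

# Constructed authorization table keyed by (facility code, personal
# identification number). Values are relay indexes (0 = relay 211a).
AUTHORIZED_FLOORS = {
    (159, 2199): {3, 17},   # tenant A
    (12, 2199): {8},        # tenant B: same number, different facility code
}


def panel_masks(floors, relay_count):
    """Split a floor set into one 16-bit relay mask per grouped panel."""
    panels = -(-relay_count // RELAYS_PER_PANEL)   # ceiling division
    masks = [0] * panels
    for floor in floors:
        if not 0 <= floor < relay_count:
            raise ValueError("floor %d has no relay" % floor)
        masks[floor // RELAYS_PER_PANEL] |= 1 << (floor % RELAYS_PER_PANEL)
    return masks


class ResourcePartitioningPanel:
    def __init__(self, relay_count):
        self.relay_count = relay_count
        # Every relay starts inactive, so every button starts unresponsive.
        self._active_until = [float("-inf")] * relay_count

    def present_credential(self, facility_code, pin, now):
        """Activate the relays authorized for this credential and return
        the per-panel masks. An unknown credential activates nothing."""
        floors = AUTHORIZED_FLOORS.get((facility_code, pin), set())
        masks = panel_masks(floors, self.relay_count)
        for floor in floors:
            self._active_until[floor] = now + HOLD_SECONDS
        return masks

    def relay_active(self, floor, now):
        return now < self._active_until[floor]

    def floor_call_registered(self, floor, button_pressed, now):
        """Series circuit: the elevator machinery sees a closure only when
        the pushbutton and the relay contact are both closed."""
        return bool(button_pressed) and self.relay_active(floor, now)


if __name__ == "__main__":
    panel = ResourcePartitioningPanel(relay_count=20)
    print(panel.present_credential(159, 2199, now=100.0))     # [8, 2]
    print(panel.floor_call_registered(17, True, now=105.0))   # True
    print(panel.floor_call_registered(8, True, now=105.0))    # False
    print(panel.floor_call_registered(17, True, now=115.0))   # False
```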
Other prior art systems do not provide the functionality of the present invention. For example, U.S. Pat. No. 4,644,484 to Flynn, et al., “Stand-alone access control system clock control,” at column 2 lines 38-41 discloses that a cardholder database can be incorporated within the control panel 202. By extension, the cardholder's authorized resource partition control strings are also included in some control panels.
The Laredo interface, as produced by KMS Systems, Inc., which was demonstrated to the public at TechSec in Dallas in February 2007, incorporated certain features of this invention. However, the Laredo system presented did not incorporate the “Virtual Card Read” described below.
Further, the present invention differs from U.S. patent application Ser. No. 12/274,799 (“the '799 application”), “System for Integrating Multiple Access Control Systems,” because the invention described in the '799 application operates independently of the legacy building management access control system. The present invention also differs from pending U.S. patent application Ser. No. 12/317,684 (“the '684 application”), “System for Integrating a Plurality of Access Control Systems having Partitionable Resources,” because the '684 application replaces the legacy building management access control system. The present invention interfaces with both legacy building management access control systems and tenant access control systems.
U.S. Pat. No. 7,644,299 to Kosaka discloses a system using a plurality of redundant master controllers with a single database. This single database is copied to a group of master controllers to provide a seamless failure protection system. This application integrates a plurality of separate entities that do not have the same set of authentication indicia.
Kosaka employs multiple communication ports and utilizes peer-to-peer network communications. Further, Kosaka discloses a full communication channel between devices. Thus, Kosaka has the disadvantages associated with shared databases that are avoided by the present invention. The present invention isolates the tenants' databases by means of card reader interfaces which allow only indicia numbers and binary responses to flow between the base building system and the tenant systems.
Additionally, the system of published United States Patent Application No. 20040172309 (Selwanes, et al.) alerts the card holder if his card has an indicium not found in the database. That system responds to this condition with an exception message to the input device, which in turn alerts the card holder. In contrast, the present invention has no response to indicia not found in the database.
Further, Selwanes provides a full communication channel between devices owned by separate entities (e.g., tenants), again having the disadvantages associated with shared databases. The present invention isolates the tenants' databases by means of card reader interfaces which allow only indicia numbers and binary responses to flow between the base building system and the tenant systems.
A method to extend credential reader signals point to point over a network is illustrated by the Cypress Computer Systems, Inc. dual reader extender model DPX-7200 http://www.cypressworld.com/CD/PDF/cutsheet/DPXCutSheet.pdf. As described on page one of the Cypress Computer System user manual, http://www.cypressworld.com/CD/PDF/Duprex/DPX-7200.pdf, the 7200 series is a pair of central and remote point-to-point network devices. The Nov. 18, 2004 setup document http://cypressworld.com/271101/CD/Duprex/Ethernet/AN-SY-DPX-7200-1_v100.pdf further illustrates this with the central device's IP address requiring the remote device's IP to be entered in the setup, page 8. Similarly, the remote device's IP is required when setting up the central device. In contrast to a point-to-point system, the invention described herein is a multipoint network system.
The Wiegand to RS485 Converter W2RS485 manufactured by ETConcept Engineering described at http://www.etconcept.com/images/ETConcept/products/security/interface/w2rs485/W2RS485%20Brief%20User's%20Guide%20EN%20v1.pdf offers another device that extends credential reader signals point to point utilizing RS485 circuitry. It does not offer the features of either multipoint networking or the Virtual Card Read described below.
The DataBender™ series manufactured by Cypress Computer Systems, Inc. mutates a credential indicium from one bit structure and/or electrical format to another, preserving the indicium personal identification number as best it can. The CVX-1201 (http://cypressworld.com/271101/CD/Converter/SS-CVX-1201_v105.pdf page 5) and the CVX-1200 (http://cypressworld.com/271101/CD/Converter/SS-CVX-1200_v118.pdf page 5) offer test modes where predefined indicia are output. However, the DataBender™ output is not under the control of an external input. Instead, it simply reformats the input indicium into the same indicium represented in a different format. The DataBender™ output is not a network message routed to the originating panel from a plurality of potential panels. Nor can the DataBender™ test indicium output be adjusted.
In contrast, the invention described herein uses an external contact's active state to control the generation of a predefined pseudo-credential message within a sequential framework of outputting the original credential and waiting for a response within a certain time frame. That pseudo-credential message is reflected back into the originating panel from one or more possible originating panels. The pseudo-credential message, in certain cases, retains the Facility Code of the original indicium.
The present invention also differs from a distributed database system, as disclosed by U.S. Pat. No. 5,721,909 (“the '909 patent”) to Oulid-Aissa, et al., “Distributed Database Architecture and Distributed Database Management System for Open Network Evolution,” at column 1 lines 32-40. Specifically, this invention is not a distributed database system.
Because, in the present invention, each tenant manages its own list of credentials, the system is a collection of independently managed files. No relationship or linkage exists between the entities' lists of credential holders. Thus, the system of the present invention does not present a true database. Further, there is no mechanism or administrator feature that would allow a single tenant to manage all the access control system's databases. Therefore, the present invention is not a true database management system.