IPVM Access Control Fundamentals Version 3.00, February 27, 2015

Table of Contents

Life / Safety Codes
Doors & Door Hardware
Locking Hardware (Strikes)
Fail Safe vs. Fail Secure
Locking Hardware (Maglocks)
Readers & Credentials
Controllers
Cabling
Site Surveys & System Risks
User Interface / Main Database

Life / Safety Codes

The “Golden Rule” in EAC: Nothing can keep occupants from emergency egress under ANY circumstance.

“Codes” are enforceable, legal laws, while “Standards” are unenforceable, non-binding guidelines.

“Codebooks” are sometimes cited only as ‘standards’ by local jurisdictions and local code exceptions prevail.

The matter of national code adoption is highly political in nature, and in the US local code exceptions are very common.

In the US (and subsequently the world) the following codes define Electronic Access Control:

NFPA 101

NFPA 72

IBC 1008.1

Design issues like maglock use, battery backup, Fire alarm tie-in, and required RTE devices are often addressed by local code exceptions or interpretations.

Manual Egress (escape) is allowed at ALL times per NFPA 101 5-2.1.5.

Authorities will not permit locks to complicate exiting, and this extends to systems they may not completely understand, like EAC. For this reason, there is a general bias in some jurisdictions against EAC.

“AHJ” is a standard abbreviation for “Authority Having Jurisdiction” or a life/safety stakeholder in an EAC system.

AHJs are commonly Fire Marshals, Code Inspectors, Engineers, Utility Companies, or even liability Insurance Underwriters.

While it is important to understand the underlying laws and codes, the AHJ has the final word. In many cases, they are punitively liable for enforcing the regulations, and while challenging their interpretations is permissible, they ALWAYS have the final say.

Making contact with the AHJ before a project begins is prudent, and gaining concurrent approvals during design helps establish a collaborative relationship.

If the AHJ cannot be identified, ask the local Fire Chief, City Manager, or Facilities Director who the code enforcement body is for the area.

Doors & Door Hardware

Common parts of a commercial door include:

Frame

Leaf (or Leaves)

Mullion

Exit Devices

Lock Hardware

Closer

The interaction of these components is sensitive, and any modifications to the opening can interfere with proper function of one or more parts of a door.

The door swing (direction the door opens) also plays a key role in hardware specification. Not only must ‘emergency egress’ doors swing outward, but locking hardware must be compatible with the door swing. Emergency egress doors cannot be made to lock during any emergency.

Access Control typically involves the entire opening – not only the door – but also auxiliary features of the opening including Lites, Transoms, Frames, and Gaskets.

The number of different devices (locks, sensors, switches) hung at the door can be difficult to install easily, and trade skills like locksmithing and millwork/finish carpentry may be required.

Many doors are actually ‘engineered openings’ that serve a specific architectural or structural function, and modification is heavily restricted.

Fire-Rated Openings include two major parts: Rated Door Leafs AND Rated Frames.

All hardware hung on fire-rated openings must also be fire-rated.

Fire-Rated Doors and Frames include a ‘label’, or a permanent metallic tag that lists how many minutes the door can withstand fire exposure without failing.

Load Bearing Frames are engineered, fabricated, and installed to support structural weight of walls and roofs. Cutting or modifying these frames can cause structural damage and risk injury to the occupants.

NFPA 80 is the codebook that addresses fire rated openings, and is the most recognized authority governing fire doors. NFPA 80, Chapter 4 provides a tightly defined list of acceptable ‘field modifications’, including maximum thru-hole diameter, frame cutouts, and drilling locations to mount hardware.

Modifying doors incorrectly can create a number of issues, including:

Changes in Occupancy Rating

Insurability

HVAC Balance

Security/Safety Rating

Noise Pollution

When selecting locking hardware, it is critical the answer is not oversimplified (i.e., electric strikes or maglocks?) because of familiarity or installer comfort level.

When considering which hardware is correct, the prevailing codes, holding force, available latitude to modify opening, and how frequently the door will be used weigh greatly into consideration.

Most commercial hardware is ‘graded’ based on cycles without failure, durability, and even finish using joint BHMA/ANSI certification standards.

In general, three tiers of grading are offered, with ‘grade 3’ being the least stringent and ‘grade 1’ meeting the most stringent criteria.

Each hardware type is graded according to different criteria and grades are not equivalent between lock types, but are generally useful to gauge ‘light duty’ hardware from ‘heavy duty’.

If hardware is not graded, it can mean that the product failed to meet any Grade certifications, but it also can mean that the product has not been submitted for testing.

Locking Hardware (Strikes)

Electric Strikes are pivoting strike plates, or ‘moveable sections of door frame’ that work in conjunction with existing door hardware to secure an access controlled door.

There are two major types of strike – Mortise or Surface Mount strikes.

Mortise strikes often require cutting or notching the frame during installation, and are often used when the accompanying door locks are mortise or cylindrical locks.

Surface Mount strikes can often be mounted flush with a door frame, but are designed to work with door hardware that is ‘surface mounted’ on the face of a door like exit devices and panic hardware.

When using electric strikes, the door hardware can remain locked at all times, but the door is still able to be opened.

Free egress through an electric strike secured door is ensured by the mechanical door hardware – panic devices, exit bars, crash paddles, etc – but the strike does not activate.

Often no RTE – Request To Exit lock release devices – is required by code when using electric strikes.

When installing and mounting electric strikes, measurement precision and location are vital. Because the strike immediately adjoins a mechanical latch or bolt, the two devices must align.

Paper templates are furnished with every strike, but for high-volume installs, more permanent plastic or metal installation fixtures are recommended.

Electric strikes DO NOT add security to the door, but only embellish the opening (modify the frame) to work with EAC systems.

Due to the design of strikes using solenoids, geared keepers, and intermittent operation, they are low current draw devices and can often be powered by less than 450 mA sources.

When specifying strikes, taking note of the following items will narrow selection greatly:

1. What type of hardware lock is on the door?

2. What special considerations does the opening/frame require? (Load bearing/Fire Rating)

3. How deeply does the lock’s latch extend into the frame/strike box?

Taking note of the hardware on the door ensures compatibility with lock latches, bolts, and deadlatches.

A problem with strikes called ‘preloading’ occurs when the door lock latch binds against the keeper and prevents it from moving according to design. Correcting this problem involves adjusting the position of the strike or the latches so they do not touch each other when the door is shut.

Strikes powered by AC solenoids make a characteristic ‘buzzing noise’ during operation, but DC powered models are quiet, often marketed as ‘silent’ models.

Fail Safe vs. Fail Secure

Fail Safe: When power is interrupted (fails), the electronic locking device is released (unlocked).

Fail Secure: When power is interrupted (fails), the electronic locking device is secured (locked).

With strikes, the majority are installed in FAIL SECURE orientation, but typically can be changed in the field:

Fire doors REQUIRE positive latching per NFPA 80, and Fire Rated installations must be configured to ‘Fail Secure’ as a result.

Maglocks cannot be made to ‘fail secure’ with power, because they require power to lock.

Locking Hardware (Maglocks)

A maglock is a ‘solid state’ device that has no moving pieces. It is essentially a large electromagnetic coil composed of two pieces: the magnet box and the armature.

The magnet box is mounted on a fixed position, typically on the frame, while the armature (a steel plate that bonds with the magnet) is mounted on, and swings with, the door.

Maglocks use DC power to generate magnetic holding force. AC power would not work.

Doors that swing in warrant hanging maglocks using armature brackets, as the magnet box must always be hung on the ‘secured side’ of the opening to avoid tampering problems.

There are two types of maglocks: Conventional (Pull) Action, and Shear Action.

With maglocks, the door must always be returned to the closed position before the lock energizes. This type of alignment is more difficult with shear locks than conventional (pull) locks.

The types are not interchangeable; shear locks should not be used in pull applications, and vice-versa. The lock’s internal coil windings are constructed differently according to the action, and the hold force is significantly diminished when used incorrectly.

Maglocks can be purchased in ‘single leaf’ or ‘dual leaf’ units, which control one or two doors from the same controller.

MOVs (“metal oxide varistors”) or diodes are components used to dissipate small, but damaging, electrical spikes caused by the magnetic field collapsing.

Integrated MOVs are uncommon, because they might become damaged and need to be replaced. However, most maglock manufacturers recommend installing MOVs in parallel with unit power.

Hold force of maglocks is measured in pounds, and units are available rated from 80 pounds up to 2700 or more.

Hold force directly corresponds to input amperage, and ‘low draw’ devices are typically the weakest.

Because a maglock requires continuous power to lock, most ‘pass-thru’ power sources are vulnerable to breakdown or failure. Most maglock manufacturers recommend separate power supplies for maglocks, and using the controller to interrupt power rather than also supply it.

Codes require ‘RTE’ hardware to be used with maglocks, in most cases two separate forms. For example, IBC 1008.1.4.4 describes that both a ‘sensor’ (RTE PIR) and a ‘manual unlocking device’ (RTE pushbutton) must be installed so that lock power is directly interrupted when RTE is engaged.

RTE guarantees that ‘free egress’ is possible by releasing lock power in emergency situations.

The actual composition and requirements of RTE vary according to local code exceptions. The type and number of devices differ from one AHJ to another:

Readers & Credentials

In most cases, reader selection is based on the ‘context’ of the opening, i.e., where the reader is mounted, who is using the door, and which type of credential(s) are to be used.

For proximity readers, ‘read range’ is critical to consider. Readers typically have a detection range between 2” and 36”.

The mounting surface for readers can influence selection, because not all surfaces are sturdy or suitable for securing a reader.

“Multiple factor” readers support multiple types of credentials – aside from proximity readers, biometric scanners, keypad buttons, and magstripe readers are common ‘combo’ units:

Multiple factors can be used in conjunction with each other, or as independent/redundant credentials.

Installation positions of readers are subject to laws like “ADA”, or the “Americans with Disabilities Act”.

The role of the credential can greatly vary from simple unique ID to passing information about the user to the door lock. Hotel lock credentials (magstripe cards) contain access permissions, while proximity credentials often present no more than an ID number to the reader that is cross-referenced to the internal database.

Types of credentials vary, but the major types in access control are:

PIN Code

Magstripe

Bar Code

Prox/Prox II

DESFire/MiFARE/iClass

Multi-Class

NFC

Multi-class credentials contain more than a single type, but the underlying ID details are the same for each type.

A fundamental weakness of keypads is they often ‘tell’ combinations that can be guessed or limit the range of potential combinations:

In order to be a ‘credential protocol’, a credential must have two parts: a standardized ‘transmission method’ and a ‘data format’. No credential ‘standard’ exists without both parts.

Multiple standards ‘share’ one, but not the other. For example, there are various ‘Proximity style’ credentials (DESFIRE, Prox II, and iClass) that share ‘transmission methods’ but ‘data formats’ differ.

Wiegand is the ‘grandfather’ EAC credential, using a standard 26 bit communication format that is the basis for most other credential formats.
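
The 26-bit frame can be decoded and checked in a few lines. This is an added example, not part of the IPVM guide; it assumes the widely deployed open 26-bit layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit), and the facility and card numbers are constructed. It also shows what the parity bits are for: they catch line noise, not altered or copied data.

```python
"""Decode and validate a 26-bit Wiegand frame (added example).

Assumed layout (open 26-bit format, not taken from the guide):
  bit 0      even parity over bits 0-12
  bits 1-8   facility code (8 bits)
  bits 9-24  card number (16 bits)
  bit 25     odd parity over bits 13-25
"""


def encode_w26(facility: int, card: int) -> str:
    """Build the 26-character bit string a reader would send."""
    if not (0 <= facility <= 0xFF and 0 <= card <= 0xFFFF):
        raise ValueError("facility must fit 8 bits, card 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)       # brings the first half to an even count
    odd = str(1 - data[12:].count("1") % 2)    # brings the second half to an odd count
    return even + data + odd


def decode_w26(bits: str) -> dict:
    """Return facility and card number, or raise ValueError on a bad frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}


def flip(bits: str, *positions: int) -> str:
    """Invert the bits at the given positions (simulates corruption)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def rejected_single_bit_errors(bits: str) -> int:
    """Count how many of the 26 possible one-bit corruptions are rejected."""
    rejected = 0
    for p in range(26):
        try:
            decode_w26(flip(bits, p))
        except ValueError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    frame = encode_w26(123, 45678)             # constructed sample values
    print(frame, decode_w26(frame))
    print("one-bit errors rejected:", rejected_single_bit_errors(frame), "of 26")
    # Two flipped bits in the same half cancel out in the parity sum, so the
    # frame still validates while carrying a different facility code.
    print(decode_w26(flip(frame, 1, 2)))
```

The frame holds only 24 data bits and no secret, which is the gap the encrypted, bidirectional OSDP link between reader and controller is meant to close.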

The most common credential formats used with EAC are proximity types, which use ‘resonant energy transfer’ to communicate wirelessly between credential and reader.

The three primary components of a proximity credential include the antenna (coil), the IC Chip, and a Capacitor.

OSDP is a newer communication protocol designed to replace Wiegand. It features bidirectional communication, larger throughput rates, and encrypted transfers between the reader and controller.

Resonant Energy Transfer passes a small electrical charge to a credential through an inductive field, similar to the way a microwave oven can light a light bulb when turned on.

The two most common frequencies used by ‘proximity’ readers are 125 kHz and 13.56 MHz.

Read distance for proximity credentials is short – typically less than 12”, but through the use of ‘active’ (battery powered) credentials and long range readers the distance can be increased to several feet.

Biometric credentials include fingerprint, finger vein, palm print, palm vein, iris vein, and facial recognition. However, fingerprint and finger vein units are the most common.

“NFC” or “near field communication” uses a rewritable wireless chip to pass details from a mobile device to an EAC reader.

Because NFC is rewritable, it can be used in many different systems like Bus Fare, Bank Cards, and Access Credentials.

Despite the promotion and widespread marketing of NFC, several big challenges toward adoption remain including:

“BYOD” – “Bring Your Own Device”, or concerns about managing devices not owned by enterprises

Credential management workflow/processes

Sporadic US adoption of NFC into smartphones

Low-battery behavior (e.g., does NFC work with no phone power?)

The biggest barrier toward NFC acceptance is that it introduces no real security benefits for the costs involved.

The chart below summarizes the general credential options:

Controllers

The ‘Door Controller’ is the hub for all devices in an EAC system; the locks, readers, sensors, and head-end servers all logically terminate at the controller.

Controllers are commonly available in one-door or multi-door units, and are commonly housed in electrical ‘cans’ or metal enclosures.

Often, the controller is a PCB with contactor blocks, where both input devices (readers, door contact) are combined with output devices (locks, buzzers, gate operators).

Fundamentally, controllers are used to unlock doors, not lock them. Controllers coordinate unlocking openings based on credential reads.

In essence, EAC systems are very similar to industrial PLC (Programmable Logic Controller) systems, which use relay logic to coordinate door locks.

Wiring controllers is complex and skill dependent, and because many devices terminate in one spot, attention to detail is required. Simple mistakes like reversing polarity can ruin devices or cause sporadic malfunction.

“Modern” EAC systems use controllers that are typically all-in-one devices, while older systems use parent/daughterboard architectures to provide different functions (i.e., input boards, power modules, etc.).

Controllers vary widely in size, from units sized to fit inside a ‘double gang’ electrical box, to units covering 5 square feet or more and weighing 10 or more pounds.

Many controllers simplify wiring by using a system of color codes to organize the way devices are connected to the controller:

EAC systems use either ‘host bound’ or ‘standalone’ architectures. With ‘host bound’, the controller must remain in constant communication with the head-end server/panel, while ‘standalone’ systems can operate redundantly even if communication is lost.

“Combo Units” combine controllers with other devices like readers or RTE Sensors. However, sometimes there is risk in using these units because it means potentially installing them on the ‘unsecured’ outside side of the door:

‘Stand Alone’ locks combine access controllers, readers, and door locks into a single device. Retrofitting doors for use with EAC using ‘standalone’ locks typically only requires hanging new locks on the door.

‘Stand Alone’ locks usually are not used with a head-end server, but may be wirelessly associated with each other in software.

‘3rd Party’ controllers are designed to work with a number of different systems. Controllers from Mercury Security, HID Global, and Axis Communications are examples of these units.

Cabling

EAC cabling is diverse, because so many different types of devices are connected. Common wired components include readers, RTE PIRs, door position contacts, and locks.

Most low voltage security devices use wire sizes ranging between 18 AWG and 24 AWG; however, the recommended size is a function of required voltages, amperages, and cabling distance.

“Ohm’s Law” describes the relationship between voltage, amperage, and resistance, and is fundamental in sizing wire gauges.

‘CMA’ or ‘Circular Mil Area’ describes the cross sectional area of cable, and is a critical value when determining losses due to cable distance.
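
A worked sizing calculation that combines Ohm's Law with circular mil area, as an added example that is not from the IPVM guide. The copper constant K, the 10% allowable drop, the supply voltages and the run lengths are assumptions; the 0.45 A load reuses the strike current figure given earlier.

```python
"""Voltage drop on a lock power run, by wire gauge (added example)."""

K_COPPER = 10.8   # ohm-circular-mils per foot; assumed approximate value for copper


def cma(awg: int) -> float:
    """Circular mil area of a solid AWG conductor: (diameter in mils) squared."""
    diameter_mils = 5.0 * 92 ** ((36 - awg) / 39)
    return diameter_mils ** 2


def voltage_drop(current_a: float, one_way_ft: float, awg: int) -> float:
    """Ohm's Law, V = I * R, with R = K * (2 * length) / CMA for the out-and-back loop."""
    loop_resistance = K_COPPER * 2 * one_way_ft / cma(awg)
    return current_a * loop_resistance


def thinnest_gauge(current_a, one_way_ft, supply_v,
                   max_drop=0.10, gauges=(24, 22, 20, 18)):
    """Thinnest gauge in the 18-24 AWG range that keeps the drop within
    max_drop (fraction of supply voltage, assumed policy), or None if even
    18 AWG is not enough and the run needs a closer or higher-voltage supply."""
    for awg in gauges:                      # ordered thinnest to thickest
        if voltage_drop(current_a, one_way_ft, awg) <= supply_v * max_drop:
            return awg
    return None


if __name__ == "__main__":
    # Constructed scenarios: 0.45 A lock load at different distances and supplies.
    for feet, volts in [(40, 12), (150, 12), (150, 24), (400, 12)]:
        awg = thinnest_gauge(0.45, feet, volts)
        print(f"{feet:>4} ft at {volts} V -> ", "no gauge fits" if awg is None else f"{awg} AWG")
```

An undersized run shows up at the door as a lock receiving less than its rated voltage, so the calculated result still has to be checked against the manufacturer's wire size table.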

Despite calculated losses, it is important to observe Manufacturer recommendations on wire sizing because Tech Support and Warranty policies are frequently invalid unless followed.

The drain wire is a critical aspect of cable shielding, and despite being commonly overlooked by installers is a very common specification for connecting components.

While several types of cabling are required by the average EAC job, factory bundled wires specifically for access control systems are offered by most wire distributors.

Using ‘factory bundles’ potentially saves labor in pulling wire, but costs more than bundling together several wire types yourself:

Wirelessly connected doors frequently use proprietary protocols for communication because of performance advantages (lower latency) and simpler networks (fewer endpoint devices) than 802.11 Wi-Fi Ethernet networks.

The hardware costs of wireless ‘standalone’ locks are higher, although installation labor is less costly for all-in-one locks.

Just because a unit claims ‘wireless’ or even ‘wifi’ connections, the term is often muddied by marketing and determining whether or not such a product is IEEE 802.11b/g/n is a matter of deeper research.

Site Surveys & System Risks

The goals of ‘convenience’ and ‘security’ are often at odds with each other in EAC systems. However, systems can enhance both, or diminish both based on how well they are designed.

Day-to-day users always find the ‘weak links’ in system designs due to (forced) familiarity with the system and knowledge of the weak spots.

The ‘biggest enemy’ in undermining access control is frequently the same people the system is protecting.

Good EAC design requires both ‘engineering controls’ and ‘people management’ to be successful.

Most designers/specifiers underestimate cost & risk of ‘internal threats’ and do not fully evaluate how to build EAC to mitigate the risks.

The greatest threats to EAC systems are:

Sharing Credentials

Entering without Validation

Preventing Doors from Locking

Nuisance Alarms

“Tailgating”, or entering an area without scanning credentials, is the primary killer of EAC. Because it is a polite gesture to hold open a door for others, users may unwittingly undermine a system because of politeness.

A number of engineering controls can be used to mitigate the risk of tailgating, including:

Detectors/Sensors/Video Analytics

Turnstiles/Revolving Doors

Mantraps/Airlocks

Hold Open Alarms

However, training and management vigilance are required to combat the tailgating issue. Continually instructing users on the proper use of the system is key to mitigating the risks.

“Passback” is the “unauthorized credential sharing” often done out of inconvenience, laziness, or necessity – if system updates are not timely.

Methods of dealing with passback include:

Time Limit between credential reads

Reader Pattern/Flow logic control (No ‘In’ readers without first reading ‘Out’)

Biometrics (Cannot share credentials)
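
The first two methods can be expressed as a check over reader events. This is an added example, not part of the IPVM guide: the log lines, the 30-second minimum interval, and the rule that every credential starts outside the secured area are all assumptions.

```python
"""Flag passback in a reader event log using a time limit and In/Out flow logic."""
from datetime import datetime, timedelta

# Constructed sample log: timestamp, credential ID, reader direction, door.
EVENTS = """\
2015-02-27T08:00:05 1001 IN  lobby
2015-02-27T08:00:12 1001 IN  lobby
2015-02-27T08:03:40 1002 IN  lobby
2015-02-27T12:01:00 1001 OUT lobby
2015-02-27T12:45:10 1001 IN  lobby
2015-02-27T12:50:00 1002 IN  lobby
2015-02-27T17:00:00 1003 OUT lobby
"""

MIN_INTERVAL = timedelta(seconds=30)   # assumed policy value


def find_passback(lines, min_interval=MIN_INTERVAL):
    """Return (line number, credential, reasons) for every suspect read.

    "timed": the same credential was read again inside min_interval.
    "flow":  an IN read while already inside, or an OUT read while outside.
    A single secured area is modelled, so the door name is not used.
    """
    inside = {}      # credential -> True after a valid IN read (default: outside)
    last_read = {}   # credential -> time of its most recent read, valid or not
    findings = []
    for line_no, line in enumerate(lines, start=1):
        stamp, cred, direction, _door = line.split()
        when = datetime.fromisoformat(stamp)
        reasons = []
        previous = last_read.get(cred)
        if previous is not None and when - previous < min_interval:
            reasons.append("timed")
        if (direction == "IN") == inside.get(cred, False):
            reasons.append("flow")
        last_read[cred] = when
        if reasons:
            # A rejected read does not change where the holder is assumed to be.
            findings.append((line_no, cred, tuple(reasons)))
        else:
            inside[cred] = direction == "IN"
    return findings


if __name__ == "__main__":
    for line_no, cred, reasons in find_passback(EVENTS.splitlines()):
        print(f"line {line_no}: credential {cred} -> {', '.join(reasons)}")
```

The last finding, an OUT read from a credential that never read IN, is also what a tailgated entry looks like in the log, so flow logic surfaces both problems.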

Door Propping is a risk because it prevents the door from closing and locking. Common methods of dealing with door propping include:

Eliminating the Means (Removing Wedges, Kick-Downs, and relocating potential door stops)

Adding Signage/Education

Installing Specialty Equipment like Auxiliary Alarms and Door Closers

Because doors are the security perimeter, keeping them closed and locked is essential. In addition, tracking each person that passes through is needed for more powerful features.

“Latch Monitoring” or “Bond Sensors” not only confirm the door is shut, but that the door is also locked.

The ‘pre-bid walkthrough’ or ‘site survey’ is more than just noting wire paths & hardware types. It also includes observing user behavior typical of each opening.

Recommend changes to door hardware, management, or even building design/flow to match user behaviors. (If security is the goal, considering user convenience is key.)

Access Management/User Interface/ Main Database

There are four primary goals of Access Management Software:

While user interfaces differ in appearance, the functions are largely the same. Most systems use a ‘tree structure’ to lay out functions. Settings can be changed on the fly, and most applications use the common Windows design format (toolbar / ribbon interface).

The interface is often separated into parts: Main database, System Monitoring, and User Maintenance.

Unlike video surveillance clients, EAC ‘web clients’ often provide the same function as ‘thick clients’.

Video surveillance is a common integration with EAC, where outputs from one system are overlaid into the other.

Despite the appearance and complex combination of devices, Electronic Access Control is JUST a database. All Controls and Features cut into a global system database that determines the function of users, doors, system rules, and reports.

The most powerful feature in EAC is configurable access levels and schedules. This feature allows access to be defined by who you are and when you need access. Unlike mechanical keys that can be used any time, credentials can be configured to only work during certain hours or days of the week:
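
The "just a database" view of access levels and schedules can be made concrete with a small schema and one decision query. This is an added example, not the schema of any product or of the IPVM guide; table names, level names, schedules and cardholders are all constructed.

```python
"""Access decision as a database lookup: credential -> level -> door -> schedule."""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE credential (cred_id TEXT PRIMARY KEY, holder TEXT,
                         level TEXT, active INTEGER);
CREATE TABLE level_door (level TEXT, door TEXT, schedule TEXT);
CREATE TABLE schedule_window (schedule TEXT, weekday INTEGER,
                              start TEXT, stop TEXT);
"""

# Constructed sample data. weekday: 0 = Monday; times are zero-padded 'HH:MM'.
CREDENTIALS = [("1001", "day staff", "STAFF", 1),
               ("1002", "contractor", "CONTRACTOR", 1),
               ("1003", "former employee", "STAFF", 0)]
LEVEL_DOORS = [("STAFF", "lobby", "BUSINESS_HOURS"),
               ("CONTRACTOR", "lobby", "TUESDAY_AM")]
WINDOWS = [("BUSINESS_HOURS", day, "07:00", "18:00") for day in range(5)]
WINDOWS.append(("TUESDAY_AM", 1, "08:00", "12:00"))

# Access is granted only if a matching row exists; everything else is denied.
DECISION = """
SELECT 1 FROM credential c
JOIN level_door ld ON ld.level = c.level
JOIN schedule_window w ON w.schedule = ld.schedule
WHERE c.cred_id = ? AND c.active = 1 AND ld.door = ?
  AND w.weekday = ? AND w.start <= ? AND ? < w.stop
LIMIT 1
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO credential VALUES (?,?,?,?)", CREDENTIALS)
    conn.executemany("INSERT INTO level_door VALUES (?,?,?)", LEVEL_DOORS)
    conn.executemany("INSERT INTO schedule_window VALUES (?,?,?,?)", WINDOWS)
    return conn


def is_allowed(conn, cred_id: str, door: str, when: datetime) -> bool:
    """True only when the credential is active, its level includes the door,
    and the read falls inside one of that level's schedule windows."""
    hhmm = when.strftime("%H:%M")           # string compare works on padded HH:MM
    params = (cred_id, door, when.weekday(), hhmm, hhmm)
    return conn.execute(DECISION, params).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    checks = [("1001", "lobby", datetime(2015, 2, 27, 9, 30)),   # Friday morning
              ("1001", "lobby", datetime(2015, 2, 27, 22, 0)),   # Friday night
              ("1002", "lobby", datetime(2015, 2, 24, 9, 0)),    # Tuesday morning
              ("1003", "lobby", datetime(2015, 2, 27, 9, 30))]   # deactivated card
    for cred, door, when in checks:
        print(cred, door, when.isoformat(), "->", is_allowed(db, cred, door, when))
```

Deactivating a lost card or removing a door from a level is a single row change, which is the practical difference from rekeying a mechanical lock.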