AUSTRALIA
Patents Act 1990
COMPLETE SPECIFICATION
Standard Patent Application
A METHOD OF IMPLEMENTING ANTI-PASSBACK CONTROL IN A PARTIALLY CONNECTED PHYSICAL ACCESS CONTROL SYSTEM
The invention is described in the following statements.
TITLE: A METHOD OF IMPLEMENTING ANTI-PASSBACK CONTROL IN A PARTIALLY CONNECTED PHYSICAL ACCESS CONTROL SYSTEM
FIELD OF THE INVENTION
The present invention relates to a physical access control system. The invention has been developed primarily for multi-zone large-scale installations of access control systems having many access zones, some of those being Anti-passback zones, and many users, and will be described hereinafter with reference to that application.
However, it will be appreciated that the invention is not limited to that particular field of use and is also suitable for those access systems having only small numbers of access zones and users.
DISCUSSION OF THE PRIOR ART
Any discussion of the prior art throughout the specification should in no way be considered as an admission that such prior art is widely known or forms part of common general knowledge in the field.
Known access control systems include a plurality of access readers that are disposed at or adjacent to respective access points at a given facility. Typically, the facility is a building, and the access points are respective doors in the building which separate one access zone from another access zone. Access points are installed with access readers or sensors for the user to request for access to be granted and respective locking devices that are pulsed between a locked and an unlocked configuration in case an access is granted. By default, the locking device is maintained in the locked configuration to prevent passage of the user through the access point and changed, upon an appropriate request being made, into the unlocked configuration for a set period of time to allow the passage by the user and then reverted back into the locked configuration.
Each user of the system is issued with a token, such as a pass card, which contains a unique identifier that is stored on the card. When the card is presented to the reader, the latter extracts the identifier from the card.
One type of prior art access control system includes a host server or servers that are part of a computer network. This network accommodates not only the access control system, but also other computer devices and software, including at least one database for containing records relevant to the access control system. The host server or servers read and write data to and from the database and other components of the system. Disposed between the host server or servers and the readers and sensors are a plurality of controllers, which are specialised computing devices that each control a plurality of readers and the associated locking devices and sensors. The controllers each include memory for holding all the necessary configuration information for the readers and locking devices, and are able to take access control decisions for the access points concerned.
Controllers communicate with the host server and other controllers and hold necessary information to be able to make accurate access control decisions in most cases. However, because controllers need to communicate with host servers as well as readers, locking devices and other sensors, all of these need to be connected via some communication media, resulting in significant hardware, wiring and installation costs for such systems. Also, if any of the communication media happens to fail for any reason, or if any controller fails for any reason, a number of readers or other devices will not be able to function and thus a large part of the access control system can fail, causing serious inconvenience for the users and loss of security for the facility.
To solve this problem, some more advanced access control systems use smart tokens.
Smart tokens consist of several different varieties, the most common of those including a smart card chip in one form or other. The smart card chips (hereinafter referred to as smart cards) have sufficient memory to store relevant identification, authentication and in some cases authorisation information about a user called the token holder and can upon request transfer this information to the reader. The reader passes this information on to the controller.
This reduces the need for the controllers to store such identification, authentication or authorisation information and hence the controllers do not need a lot of memory. This in turn significantly reduces the individual cost of these controllers to the extent that a controller can now be used to control only one or two readers. In further advanced systems the controller and the reader are integrated into one unit as a single smart reader. This results in smart readers acting as controllers and being able to take correct access control decisions themselves in most cases. Just like controllers, these readers can directly control the locking devices for their respective access points as well as monitor any sensors installed on the access points.
This removes the need of having extensive wiring between the various devices and the typical controllers, thus significantly reducing the overall cost of the access control system.
That said, there is a possibility to have an access control system with smart readers which are all disconnected. However, in real life systems, things change. Also, in most access control systems, the system administrators or managers need to know about what is happening in their facility. For example, it is important for managers to know about movements of people at least in some sensitive areas of the facility. Hence at least some of the smart readers (hereinafter called readers) are connected to the host server or computer network via some form of communication media, be that a serial, parallel or network connection or some other form of electric or wireless connection. Typically these are standard network connections.
However, there is no need for all readers to communicate with the host server. In some systems connected readers also communicate with other readers. In further systems there are groups of readers which communicate with each other but only some of those readers in the group communicate with the host server. Such access control systems, wherein some readers are connected to the host server while there are other readers that are not connected, are referred to as partially connected access control systems.
This largely solves the very high cost problem of typical access control systems.
However, because there are disconnected readers in the system, as described above, these readers have to rely mostly on the information carried on the respective user's tokens to take the access control decisions.
Readers thus control the passage of users from one access zone (hereinafter referred to as zone) to another zone. Each zone has a plurality of access points which permit entry into the zone from another zone as well as a plurality of access points which permit exit from the zone to enter into another zone. It will be appreciated that while the user is requesting entry into a zone, he or she will be disposed outside the zone at the time of such request.
Hence the entry access points are controlled from outside the zone. Conversely the exit access points are controlled from inside the zone. However, in some instances, the system managers want only to control the entry of users into some zones, whereas the exit from these zones is not controlled, i.e. one does not need any proper identification, authentication or authorisation to exit such zones. In most cases there is no reader installed to control the exit of the user from such zones; instead a sensor called Request to Exit (REX) is used. The sensor can automatically (by means of motion sensor equipment) or manually (by press of a switch) recognise the request for passage through the access point, and the respective controller or reader permits the passage by changing the locking device to the unlocked configuration for the set period of time.
A zone is called Anti-passback (APB) zone if a user despite having valid authorisation to enter that particular zone, having entered the zone once can not re-enter the zone from any of its entry access points without having exited the zone by gaining a valid authorisation at one of its exit access points. Likewise, a user despite having valid authorisation is not permitted to exit an APB zone at any of its exit access points without having previously entered the zone by gaining a valid authorisation at one of its entry access points. It will be appreciated that an APB zone has no access point which permits entry or exit from the zone without a valid authorisation.
The purpose of the APB functionality is to prevent users from unwittingly or knowingly sharing their respective smart cards or other tokens with other users or unauthorised personnel. For example, in a system with no APB functionality, an unscrupulous or ill-disciplined user is able to enter a zone and then somehow or other pass the token to a fellow user to allow the fellow user or other individual to enter the same zone.
The APB functionality also makes it awkward for users to enter a zone without individually presenting their respective tokens and, hence, provides an improved environment for encouraging proper and complete use of the access control system. For example, if two authorised users who are known to each other simultaneously approach an access point, it is not unusual for only one of those users to present their respective token to pulse the access point and then hold the door open for the other user to pass through the access point. That is, both the first and the second user will have gained access to a given zone, notwithstanding that the information contained on system 1 would evidence only that the first user has entered that zone. However, if APB functionality is configured for that zone, while the second user has access to the zone, as soon as that second user attempts to exit the APB zone, the relevant reader will disallow access due to the operation of the APB determination logic. The APB functionality can also be used to keep an accurate count of people entering or leaving a zone.
In some simple access control systems APB functionality is used for the peripheral zone of buildings, i.e. only the zone bound by main access points used by users to enter or leave the building premises. In other embodiments, it is used internally, particularly for higher security areas.
In the partially connected access control system described above, where there is at least one reader which is not connected, the readers have to rely mostly on the memory of the token held by the users to determine if access has to be allowed or not. In some advanced access control systems the tokens have a record of zones where the user has been granted access in the form of zone identifiers. Some of these identifiers are for APB zones. The readers can use this information to make an APB determination to validate whether the access should be granted or denied.
However, in real life this creates a serious problem. Because the host server does not have access to the access tokens and the permanently or temporarily disconnected access readers, the server is unable to take care of situations where the secured premises or building has to be evacuated in a hurry because of occurrence of an event like fire or other life threatening condition. In such cases the priority is for the people to evacuate the premises and hence all users are made to leave the premises through access points which are temporarily placed in the unlocked configuration to allow hasty evacuation of the premises. This will result in the possibility of one or more APB zone identifiers recorded on the smart card tokens held by some of the evacuated users becoming inconsistent with regards to the actual locations of the respective users. Because the access readers or controllers use this information to take future access control decisions, all such future access control decisions have the potential to be incorrect because they will be based on possibly incorrect information.
DESCRIPTION OF THE INVENTION
It is an object of the present invention to overcome or ameliorate at least one of the disadvantages of the prior art, or to provide a useful alternative.
According to a first aspect of the invention there is provided an access control system for a plurality of access points between respective pairs of zones that are selectively accessed by a plurality of users, the access points being selectively pulsed between a locked and an unlocked configuration for granting or denying the users access from one zone to another zone in the respective pairs of zones, the system including:
an access token for each of the users, each token including memory for containing a user's location (LOC) record indicative of at least the last APB zone and time when the user was last granted access to that APB zone, and a passback control list (PCL) record indicative of times when the occupancy status of respective APB zones was last updated by the host server and referred to hereinafter as the token PCL; each token being responsive to an interrogation signal from the access reader for generating token signals derived from the LOC record and token PCL record;
a computer network for containing information indicative of the system wide passback control list (PCL) referred to as central PCL; and
access readers for each access point, the readers having respective: reader records indicative of the pairs of zones, at least one of those pairs of zones being the entry APB zone and the exit APB zone; and local passback control list (PCL) record indicative of times when the occupancy status of respective APB zones was last updated by the host server and referred to hereinafter as the local PCL; the reader generating an interrogation signal and being responsive to the corresponding token signal, the local PCL record and the reader record for determining if the access is to be granted or denied.
Preferably, the or at least one of the readers communicates with the network to receive the central PCL maintained by the host server and update the local PCL with the information contained in the central PCL; and the merging of the token PCL and local PCL includes the respective reader:
reading from the token which is presented to the reader, the token PCL and comparing the timestamp of the local PCL with that of the token PCL; and
updating the token PCL to match the local PCL if the timestamp of local PCL is more recent than that of the token PCL; and
updating the local PCL to match the token PCL if the timestamp of token PCL is more recent than that of the local PCL.
In an embodiment, the merging of the local PCL and the token PCL occurs prior to determining if the access point is to be pulsed.
In an embodiment, the reader is, or the readers are, connected to the network and the updating of the local PCL from the central PCL occurs in real time. In another embodiment the reader is, or the readers are, connected to the network and the updating of the local PCL from the central PCL occurs periodically. In a further embodiment the reader is, or the readers are, connected to the network and the updating of the local PCL from the central PCL occurs at different times such as when a token is presented to the reader. In another embodiment the system includes at least one other reader that is disconnected from the network. It will be appreciated that this other reader, being a disconnected reader, does not directly update the local PCL with the central PCL. Rather, for a disconnected reader, the local PCL is merged with the token PCL for each token that is presented to the reader to initiate a request for access.
In an embodiment, each PCL includes a plurality of records wherein each record is one of:
a timestamp for the PCL specifying the last time and date when a pre-existing PCL was updated by the host server or a new PCL was created by the host server;
a base validity date specifying the time and date for all APB zone's occupancy status;
an APB zone identifier and a corresponding update time and date for occupancy status of that particular APB zone.
In an embodiment, the reader record is indicative of: an exit APB zone in which the user is located when polling the access point; and an entry APB zone to which the user will progress if access is granted. Preferably, the reader record is also indicative of an exit zone in which the user is located when polling the access point, and an entry zone to which the user will progress if access is granted. In an embodiment the APB zone includes all non-APB zones wholly enclosed within the APB zone.
In an embodiment, the reader is responsive to the entry APB zone and the exit APB zone for determining if the access is to be granted or denied.
In an embodiment, the LOC record is indicative of the APB zone to which the token was last granted access ("the last APB zone") from a different APB zone; along with the time and date when that access was granted. In other embodiments the LOC record is also indicative of the zone to which the token was last granted access ("the current zone"). In some further embodiments the LOC record is also indicative of the time and date when the last access was granted to the current zone. The information in LOC record is selectively written to the token by the readers at the time of polling if access is granted.
In an embodiment, if the reader has an exit APB zone that is different to the entry APB zone, the reader is responsive to the token signal for determining whether the last APB zone in the corresponding LOC record matches the exit APB zone in the reader record. If the result of this determination is true, access is granted. Otherwise the reader is responsive to the local PCL to determine if the occupancy status of the last APB zone in the token LOC has been updated since the time when that access was granted to the last APB zone. If the result of this determination is true, access is granted. Otherwise access is denied. The procedure described above to allow access from one APB zone to a different APB zone is hereinafter referred to as "APB determination".
In an embodiment, if the access is granted, the reader updates the LOC record for the current zone as well as the associated last access time. Preferably, the reader also updates the LOC record to change the last APB zone and the associated last APB zone access time when the access was granted if the exit APB zone in the reader record is different to the respective entry APB zone. It will be appreciated that when an access is granted on a reader whose reader record indicates an exit APB zone different to entry APB zone, the user will move from one APB zone (the exit APB zone) to a new APB zone (the entry APB zone).
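The PCL merge and the APB determination described above can be exercised together in a short simulation. The following is an added example, not code from the specification: the class and field names, the integer times, the zone names LOBBY and LAB, the three doors and the treatment of the base validity date as a reset time applying to every APB zone are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class PCL:
    """Passback control list. Times are integers in constructed units."""
    timestamp: int = 0        # when the host server last created/updated the list
    base_validity: int = 0    # assumption: reset time that applies to every APB zone
    zone_updates: Dict[str, int] = field(default_factory=dict)  # APB zone -> reset time

    def last_update(self, zone: str) -> int:
        return max(self.base_validity, self.zone_updates.get(zone, 0))

    def overwrite_with(self, other: "PCL") -> None:
        self.timestamp = other.timestamp
        self.base_validity = other.base_validity
        self.zone_updates = dict(other.zone_updates)


@dataclass
class Token:
    last_apb_zone: str        # LOC: last APB zone the holder was granted access to
    last_apb_time: int = 0    # LOC: when that access was granted
    current_zone: str = ""    # LOC: zone of the most recent grant
    current_time: int = 0
    pcl: PCL = field(default_factory=PCL)   # token PCL


@dataclass
class Reader:
    exit_apb_zone: str        # reader record: APB zone the user is leaving
    entry_apb_zone: str       # reader record: APB zone the user will enter
    local_pcl: PCL = field(default_factory=PCL)

    def sync_from_host(self, central: PCL) -> None:
        """Only a connected reader can do this."""
        if central.timestamp > self.local_pcl.timestamp:
            self.local_pcl.overwrite_with(central)

    def merge(self, token: Token) -> None:
        """The list with the newer timestamp replaces the older one."""
        if self.local_pcl.timestamp > token.pcl.timestamp:
            token.pcl.overwrite_with(self.local_pcl)
        elif token.pcl.timestamp > self.local_pcl.timestamp:
            self.local_pcl.overwrite_with(token.pcl)

    def present(self, token: Token, now: int) -> bool:
        """Merge first, run the APB determination, write LOC back on a grant."""
        self.merge(token)
        crossing = self.exit_apb_zone != self.entry_apb_zone
        granted = True
        if crossing:
            in_expected_zone = token.last_apb_zone == self.exit_apb_zone
            reset_since_grant = (
                self.local_pcl.last_update(token.last_apb_zone) > token.last_apb_time
            )
            granted = in_expected_zone or reset_since_grant
        if granted:
            # In this sketch every zone is an APB zone, so the two coincide.
            token.current_zone, token.current_time = self.entry_apb_zone, now
            if crossing:
                token.last_apb_zone, token.last_apb_time = self.entry_apb_zone, now
        return granted


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: two APB zones, one evacuation of LAB at t=200."""
    door_a = Reader("LOBBY", "LAB")   # connected, entry to LAB
    door_b = Reader("LAB", "LOBBY")   # disconnected, exit from LAB
    door_c = Reader("LOBBY", "LAB")   # disconnected, second entry to LAB
    card1, card2 = Token("LOBBY"), Token("LOBBY")
    r = {}
    r["card1_enters"] = door_a.present(card1, 100)
    r["card2_enters"] = door_a.present(card2, 105)
    r["card1_passback"] = door_a.present(card1, 110)      # LOC already says LAB
    # Evacuation: both holders leave through unlocked doors without presenting
    # their cards, so both LOC records still say LAB. The host resets LAB.
    central = PCL(timestamp=200, zone_updates={"LAB": 200})
    door_a.sync_from_host(central)
    r["card2_at_c_before_pcl_arrives"] = door_c.present(card2, 250)
    r["card1_reenters_after_reset"] = door_a.present(card1, 300)
    r["card1_passback_after_reset"] = door_a.present(card1, 305)
    r["card1_exits_b"] = door_b.present(card1, 310)       # carries PCL to door B
    r["card1_enters_c"] = door_c.present(card1, 320)      # carries PCL to door C
    r["card2_at_c_after_pcl_arrives"] = door_c.present(card2, 330)
    return r


if __name__ == "__main__":
    for step, granted in run_scenario().items():
        print(f"{step:32s} {'GRANT' if granted else 'DENY'}")
```

The denial at t=250 is the window in which a disconnected reader still acts on a stale LOC record, and it closes only once some token has carried the newer PCL to that reader. The denial at t=305 shows that a reset does not switch anti-passback off for grants made after the reset time.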
In an embodiment, the token stores user information in the memory and the token signal is derived from the user information. More preferably, the reader extracts the user information from the token signal and makes a user determination as to whether or not the access point should be pulsed between the locked and the unlocked configuration. Preferably, the reader extracts the LOC record from the token signal and makes an APB determination as to whether or not the access point should be pulsed between the locked and the unlocked configuration. In the preferred embodiment, the user determination is made prior to the APB determination. However, in other embodiments, the user determination is made after the APB determination. In further embodiments, substantially all the action required to make a first of the determinations is taken prior to the actions required to make a second of the determinations.
Preferably, the user information includes one or more of: identification information for the respective user; authentication information for the respective user; and the authorisation information for the respective user.
According to a second aspect of the invention there is provided a method of access control system for a plurality of access points between respective pairs of zones that are selectively accessed by a plurality of users, the access points being selectively pulsed between a locked and an unlocked configuration for granting or denying the users access between zones in the respective pairs of zones, the method including:
providing an access token for each of the users, each token including memory for containing a user's location (LOC) record indicative of at least APB zone and time when the user was last granted access to that APB zone, each token being responsive to an interrogation signal for generating a token signal derived from the record; and
providing an access reader for each access point, the readers having respective reader records indicative of one of the pairs of zones, and a local PCL record; the reader generating an interrogation signal and being responsive to the corresponding token signal and the reader record and local PCL for determining if the access is to be granted or denied.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1 is a schematic representation of an access control system of an embodiment of the invention;
Figure 2 is a flowchart illustrating the steps used for merging passback control lists (PCL) as per an embodiment of this invention;
Figure 3 is a flowchart illustrating the steps used for APB determination as per an embodiment of this invention;
Figure 4 is a schematic overview of the APB functionality provided by the system of Figure 1.
DETAILED DESCRIPTION OF THE EMBODIMENTS
GLOSSARY OF TERMS
Before progressing to a more detailed description of an embodiment of the invention, some guidance is provided on the following terms as used in the description:
The term "user" refers to an individual person, an organisation, corporation, group of individuals, or otherwise who are to be selectively granted access to at least one access point of at least one facility, site, building or other asset controlled by the access control system.
The term "access token" refers to an information carrying device that is typically issued to a user for use by that user only. The token typically includes information, as will be set out below, relevant to the user. It is preferred that each user is issued with a single token. A token is, in the described embodiments, a smart card, be that a contact-less smart card or the one which has contacts to communicate with the readers.
However, in other embodiments, use is made of other tokens such as hybrid smart cards having both contacts and contact-less components, magnetic strip cards, RFID cards, USB tokens, and the like.
The term "identification information" refers to that information which is provided as being indicative of the identity of the user.
The term "authentication information" refers to the information that is provided by the user to assist in the verification of the user as the person as identified by the identification information. Authentication information typically includes a selection from items like PIN codes, passwords, biometric templates, digital certificates or other digital signatures relevant to the user.
The term "authorisation information" refers to the information that is assessed to determine the access rights of the person holding the token and is typically indicative of zones which the person is normally authorised to access along with respective times specifying the times when such access is authorised.
The term "access reader" refers collectively to the hardware and software that are associated with an access point. In some embodiments an access reader includes a locking device, a door contact, any user input device or devices such as a biometric reader, a keypad, a button, or a touch screen, I/O hardware and software, memory (referred to as "local memory") and the like. The access reader is provided with the required information, be that identification information, and/or authentication information, and/or authorisation information, to make a determination on a request for access from a user without, in most cases, having to resort to communication with the host server. It will be appreciated that in the embodiments described below there is no separate or additional controller disposed between the access reader and the host server.
The term "location" or "location status", having the abbreviation "LOC", refers to the information stored on the token by an access reader after a successful authorisation of the token holder to gain access to a zone, and is indicative of the whereabouts of the token holder in terms of zones and specifically APB zones, along with the time and date when the access was last granted to the respective zones.
The term "passback control list", having the abbreviation "PCL", refers to a host server created and system wide list indicative of times when the occupancy status of various APB zones was updated or reset by the host server because of an extraordinary event which resulted in the location information held on access tokens for various users possibly becoming unreliable or inconsistent, and consists of one or more records indicative of respective APB zones and their respective update or reset times.
An example of a record in the PCL is an identifier for a main entry zone of a premises after an evacuation of the premises caused by a fire or some other unforeseen event, along with the time of such happening. The actual format and content of a PCL can be tailored for different embodiments.
The term "central PCL" refers to the PCL stored or otherwise held by the host server or some other server on the network.
The term "local PCL" refers to the PCL stored or otherwise held on the reader. It will be appreciated that in the described embodiments of the invention both connected readers and disconnected readers include respective PCLs. For connected readers the local PCL is likely to be equivalent to the central PCL due to the real time connection between the connected readers and the host server included within the network.
However, the local PCL for a disconnected reader is derived from a token signal when the respective token is presented to the reader, as a result of merging the local PCL with the token PCL. It will be appreciated that, the token PCL, as well as the local PCL for a disconnected reader are less reliable as both the disconnected readers and the tokens do not have a real time connection with the host server.
The term "token PCL" refers to the PCL stored or otherwise held on the token. It will be appreciated that the token PCL allows communication of the PCL from the central host server to the readers which are otherwise disconnected from the host server.
The terms "merge" or "merging", when used in the context of two PCLs, refers to the updating of one of those PCLs to ensure the records in both PCLs reflect the most recently available information.
The term "access control decision" refers to a decision that is made as to whether or not a request for access at a given access point will be granted. In the described embodiments of the invention, the access control decisions are made by the respective readers regardless of whether those readers are connected readers or disconnected readers.
The term "real time", in the context of communication with readers, refers to the communication being sufficiently contemporaneous to allow, for a connected reader, the respective local PCL to correspond with the central PCL prior to that reader having to make a subsequent access control decision.
The term "pulsed", in the context of an access point, refers to the progression from a locked configuration to an unlocked configuration. For physical access points this typically involves a door having a locking device that progresses between the locked and the unlocked configuration, and then back to the locked configuration after a predetermined delay.
The term "access point", in this context of physical access control refers to entry points to a secured area. Typically these are access doors which allow a person to proceed to one area of space from another area of space. An access point is further defined to be "controlled" if a user must present his or her credentials and gain valid authorisation to be granted access at the access point, whereas an "uncontrolled" access point is one where there is no need for any further authorisation to gain access.
The term "zone", in the context of readers and tokens, refers to a secured area or space which is accessed only via one or more access points. If access is granted to the area by any of those access points, no further access control is applicable until the user leaves that area via any controlled or uncontrolled access point. It will be appreciated by those skilled in the art that, in some embodiments, a zone wholly contains within its area one or more zones.
The term "anti pass-back zone" or "APB zone", in the context of readers and tokens, refers to a secured area or space which is accessed only via one or more controlled access points. If the access is granted to the area by any of those controlled access points, no further access to the same APB zone is permitted until the user leaves the APB zone via another access point controlled by respective reader that is disposed inside the APB zone to enter a different APB zone. It will be appreciated by those skilled in the art that, in some embodiments, an APB zone wholly contains within its area one or more zones or APB zones.
The term "reader record", in the context of a reader, refers to memory contained in the reader which is configured by a system manager or administrator based on the system layout and includes information specific to each reader. Specifically the reader record is indicative of the pairs of zones which are separated by the reader and is inclusive of the pairs of entry zones and exit zones and pairs of entry APB zones and exit APB zones as described below. The entry zone being the zone to which a user enters after gaining authorised access from the reader, and the exit zone being the zone where the user is disposed at the time of attempting to gain access. It will be appreciated that the reader is always disposed at the access point inside the exit zone and outside the entry zone. If the reader is disposed outside the boundary of an APB zone, that is by gaining access from the reader, the respective user will proceed to one APB zone and leave a different APB zone, then the "entry APB zone" is indicative of the APB zone to which the user will proceed and the "exit APB zone" is indicative of the APB zone the user will leave. However, if the reader is disposed outside the boundary of a non APB zone, both "entry APB zone" and "exit APB zone" are indicative of the smallest APB zone which wholly includes the "entry zone", i.e. the zone to which the user will proceed. In an embodiment, the reader is responsive to the entry APB zone and the exit APB zone for determining if the access is to be granted or denied if the entry APB zone is different to exit APB zone.
OVERVIEW OF THE ARCHITECTURE OF THE ACCESS CONTROL SYSTEM
Referring to Figure 1 there is schematically illustrated an access control system 1 for two door access points 3 and 4 that are selectively accessed by a plurality of users that are representatively shown as users 5 and 6. The access points are pulsed between a locked and an unlocked configuration for respectively preventing and allowing users 5 and 6 access at the access points 3 and 4. System 1 includes access tokens, in the form of two contactless smart cards 7 and 8, for respective users 5 and 6.
System 1 is shown, for the sake of clarity, with only two readers, two cards and a relatively minimalist network 11. It will be appreciated, however, that system 1, in use, accommodates many more cards and readers, whether those readers are associated with one or many separate buildings distributed across a variety of jurisdictions.
Each smart card includes memory for containing, among other things, identification, authentication and authorisation information and a token passback control list (PCL) as well as a token holder user's location information (LOC). Each token is responsive to an interrogation signal from a valid access reader for generating token signals derived from the respective identification, authentication, authorisation information and the token PCL and LOC records. Authorising a user to access the access point potentially involves a very large number of steps. In some embodiments these steps include identifying the user, authentication of the user and validating his or her access authorisations prior to doing advanced validation steps like APB control. The scope of this invention is limited to APB control, therefore for the sake of clarity the following description assumes that all other authorisation and validation steps have happened prior to the validation of APB control steps as described below. In some embodiments a number of such steps take place prior to APB control steps and another number of steps take place after the APB control steps.
A computer network 11 includes many components. For the sake of clarity only the components relevant to this invention will be described in more detail below.
Computer network 11 contains database 21, which holds many components. For the sake of clarity only components relevant to this invention are described in detail below.
Database 21 contains information which allows system 1 to provide a central PCL that is indicative of system wide passback control list. A connected access reader 15 is disposed adjacent to access point 3 and communicates with network 11 for maintaining a first local PCL that is merged in real time with the central PCL. Reader 15 generates an interrogation signal and is responsive to the corresponding token signal for determining if access point 3 is to be pulsed to the unlocked configuration; and merging the local PCL and the token PCL. A disconnected access reader 16 is disposed adjacent to access point 4 and communicates with smart card 8 for maintaining a second local PCL that is merged with the corresponding token PCL. Reader 16 generates an interrogation signal and is responsive to the corresponding token signal from smart card 8 for determining if access point 4 is to be pulsed to the unlocked configuration.
In this embodiment, access point 3 is an external front door that secures the main entrance to a building 17. Access point 4, on the other hand, is an internal door of building 17. In this embodiment there are many other access points within building 17 also accommodated by system 1 via respective readers (not shown) but have been omitted from Figure 1 for the sake of clarity. Some of these other readers are connected readers, while the balance of the other readers is disconnected readers.
In other embodiments, access points 3 and 4 are disposed in different buildings or facilities. For example, in one embodiment, a first plurality of access points is disposed in a given facility, and a second plurality of access points is disposed in a further facility. In some embodiments the facilities are adjacent to each other, while in other embodiments the facilities are spaced apart. In still further embodiments, there are more than two facilities accommodated by system 1.
In this embodiment, network 11 is disposed within building 17. However, in other embodiments, the network is disposed remotely from the building. Where system 1 is implemented over multiple buildings or multiple facilities, network 11 is typically spread between those facilities.
Reader 15, being a connected reader, is electrically linked with network 11 by a physical cable 18, while reader 16 is disconnected from the network. In other embodiments, reader 15 is connected to network 11 by either a physical cable and/ or a wireless connection.
While the connected readers are continually connected with the network, in other embodiments they are configured to tolerate temporary disconnection, and during such periods will act as disconnected readers. Upon restoration of the connection between the readers and the network, the readers will revert to acting as connected readers. Similarly, while disconnected readers are typically continuously disconnected from the network, they are configured for connected operation, should that occur. For example, in some embodiments, a disconnected reader includes a wireless connection to the network that is only active periodically due to bandwidth and cost limitations. That is, the connection between the reader and the network does not establish a real time connection.
A host server 23 interacts with database 21 and terminal 22 for allowing the overall control and administration of system 1 and is typically overseen by a system administrator (not shown) or other suitably authorised personnel. All communication between server 23 and the connected readers, such as reader 11, uses a secure encrypted communication protocol, while in other embodiments, alternative protocols are used.
It will be appreciated that a plurality of zones are provided in some embodiments to provide multiple levels of access control, and this is combined with the anti pass-back functionality described below to provide further levels of security.
In the embodiment of Figure 1, an attempt to gain access includes an attempt to open, that is, to "pulse", a physical lock to allow someone to enter a space or to allow someone to access logical or physical resources defining the infrastructure of an organisation, e.g. an IT resource.
For a controlled access point, this attempt to gain access means presenting a valid token or other forms of credentials to the associated reader, which in turn interrogates the token and reader record to determine if the access is to be granted or denied. If the access is to be granted an electric signal is sent to pulse the respective lock to change to the unlocked configuration to allow access through the access point.
Uncontrolled access points do not have a reader. Instead they are commanded by a Request to EXit (REX) sensor, which in this embodiment takes the form of an infrared sensor. In other embodiments a REX sensor in the form of a wall-mounted button is included. In further embodiments there is no REX sensor, as the user simply operates a door handle to allow an exit.
It will be appreciated that reader 16 includes similar components, and these are designated with corresponding suffixes.
OPERATION OF THE ANTI-PASSBACK CONTROL SYSTEM
The APB functionality means that if a user enters a given zone, then he or she cannot re-enter that same zone unless the access control system has a record of that user having exited the zone after having entered the zone.
System 1 is configured to provide anti pass-back (APB) functionality between selected access points. By way of example, reference is made to Figure 4 where there is illustrated a facility, in the form of a site 30, at which system 1 (of which only some elements are shown) is installed. Site 30 is defined by a perimeter wall and includes a plurality of zones, some of which are nested, i.e. wholly contained within another zone, and some of which are anti passback (APB) zones. It will be appreciated that an APB zone is one that requires the user to request and be granted access by a reader to progress into that zone, as well as to leave that zone. That is, once a user has entered an APB zone, it is necessary for the user to exit that zone by presenting his or her token at another reader, disposed inside the respective APB zone, which allows the user to exit the respective APB zone and enter a different APB zone, prior to that same user being allowed subsequent entry to that particular APB zone. In other words, once a user has entered an APB zone he or she cannot enter the same APB zone unless his or her token has a record of that user having exited the respective APB zone. It will also be appreciated that for a non-APB zone there is no such restriction. Typically it is not necessary for such non-APB zones to have access readers disposed at the access points used for exiting the zone. Instead they may be fitted with REX sensors which allow the user to exit the zone without presenting any tokens or credentials. It will also be appreciated that if a non-APB zone is wholly contained within the boundaries of an APB zone, the users disposed in such non-APB zones are still assumed to be within the same APB zone. In other words, movement within all non-APB zones which are wholly contained within an APB zone is not subject to such restrictions.
The system includes a plurality of access points between respective pairs of zones that are selectively accessed by a plurality of users. The access points are pulsed between a locked and an unlocked configuration for respectively preventing and allowing the users access between zones in the pairs of zones. The legend of Figure 4 depicts an access reader as an arrow, the direction of the arrow being the direction of access controlled by the reader. The REX sensor is depicted by a small circle. The REX sensor is disposed inside the zone from which it allows exit, whereas the access reader is disposed outside the zone to which it allows access.
The zone that lies beyond the perimeter wall of site 30 is defined as Zone 0. The zone that lies immediately within the perimeter wall and which is not bound by a nested zone is defined as Zone A. In this embodiment, Zone A and Zone C are APB zones because all access points for entry to and exit from these zones have an access reader to control, i.e. validate and authorise, access to the user, while Zone B and Zone D are not APB zones because each of them has a REX sensor to allow an uncontrolled exit from the respective zones.
Zone B is wholly included within APB zone A. Once having been granted access to Zone B, a user can make an uncontrolled exit to APB Zone A. If a user has access to Zone A or Zone B, he or she is considered to be in APB zone A. Similarly, if a user has access to Zone C or Zone D, he or she is considered to be in APB zone C. It will be appreciated by those skilled in this art that the "last APB zone" in the LOC record of the token is indicative of this information.
Site 30 includes two access points (not shown) adjacent to which are disposed respective readers 31 and 32. Users of the system present access tokens to reader 31 and reader 32 to seek access to Zone A from Zone 0 and to Zone 0 from Zone A respectively.
Typically, for an APB zone, the readers for determining if access is to be granted from a first zone to a second zone are installed at a different access point to the readers that determine if access is to be granted from the second zone to the first zone. That said, in some embodiments a single access point includes two readers, one of which is disposed in one of the zones and the other is disposed in the other zone in the respective pair of zones.
Located at site 30, and within Zone A, are two spaced apart secure buildings 33 and 34, the interiors of which respectively define a Zone B and a Zone C. These latter zones are said to be nested within Zone A. Zone C is an APB zone, while Zone B is a non-APB zone.
Building 33 includes a reader 35, and building 34 includes two spaced apart readers 36 and 37 that are disposed adjacent to corresponding access points (not shown) for allowing users to seek access in and out of those buildings. As the access point associated with reader includes a request to exit (REX) device, Zone B is not an APB zone. It will be appreciated that reader 35 is disposed adjacent to the access point in Zone A, while the REX device is disposed adjacent to the same access point, but inside Zone B. When a user triggers the REX device, the access point is pulsed to the unlocked configuration to allow the user to progress from Zone B to Zone A without any validation or proper authorisation. It will be appreciated that when a user goes from one zone to the other zone in this way, he or she has not presented any token to an access reader and hence the respective token has no information relevant to this transaction.
The REX device typically takes the form of a button or switch that is manually actuated by the user, or an infrared sensor or other sensor that detects the likely presence of a user approaching the access point from the relevant one of the zones in the pair of zones associated with that access point. In other embodiments, the REX device is located at an exit (not shown) other than the access point at which reader 35 is disposed. In this case, the exit is typically an "exit only" peripheral door. Alternatively, the REX device includes a door handle for an exit door, where the handle is, in normal use, accessible and manually operable only by users within Zone B.
Building 34 includes an internal room 39, the interior of which defines a Zone D that is not an APB zone. A reader 40 is disposed adjacent to an access point (not shown) for allowing selective passage of users between Zone C and Zone D. Similarly to reader reader 40 includes a corresponding REX device for facilitating the uncontrolled granting of access to users desiring to progress from Zone D to Zone C.
While in this embodiment reader 31 is a connected reader and all of the other readers 32, 36, 37 and 40 are disconnected readers, in other embodiments none or more of those readers are connected readers. It will be appreciated from the teaching herein that the APB functionality provided by the embodiments of the invention is independent of the connected or disconnected configuration of the readers. As such, alternative embodiments accommodate different combinations of connected and disconnected readers.
It will be appreciated that while Figure 4 only provides minimal access points between adjacent pairs of zones, this is for illustrative purposes only. While some embodiments include only the minimal number of access points, more typically, and especially within larger installations, some of or each zone will have multiple readers and associated access points through which users are able to enter and exit a given zone.
The term "zone", in the context of Figure 4, means a bounded area or space having one or more access points and corresponding readers. It will be appreciated that each access reader acts as an entry reader for the zone to which the user proceeds after gaining an authorised access, and an exit reader for the zone where the user is disposed at the time of requesting the access. Accordingly, an APB zone and a non-APB zone will each have at least one access point having a corresponding entry reader. An APB zone will have, in addition, at least one access point having a corresponding exit reader. A user must use an entry reader to enter a given zone. If an exit reader is included, the user must use that exit reader to leave that zone. This allows system 1 to acquire records for each entry into, as well as each exit from, the zone.
In those instances where an access point does not have an exit reader there are typically included automatic request to exit buttons or motion sensors for triggering a pulse of the access point from the locked to the unlocked configuration.
The entry zone and the exit zone for a reader are the two zones in the pair of zones relevant to that reader. For example, reader 31 includes a reader record with the exit zone defined as Zone 0, and the entry zone defined as Zone A. The exit APB zone is defined as Zone 0, and the entry APB zone is defined as Zone A. Similarly, reader 32 includes a reader record with the exit zone defined as Zone A, and the entry zone defined as Zone 0. The exit APB zone is defined as Zone A, and the entry APB zone is defined as Zone 0. Zone B is not an APB zone but, rather, is included within the APB zone A. In this case the entry reader includes a reader record with the exit zone defined as Zone A, and the entry zone defined as Zone B. The entry APB zone, and the exit APB zone, are both defined to be Zone A.
When a token is presented to a reader, and access is granted, in one embodiment the reader writes to the token to update the LOC record. That is, to update at least the current zone to be the entry zone for that reader, that being the zone to which the user was just granted access. Additionally, if the entry APB zone is different to the exit APB zone in the reader record, the LOC record is updated to ensure that the last APB zone on the token equates to the entry APB zone of the reader. In another embodiment, both the current zone and the last APB zone are updated following each instance of access being granted.
To illustrate it by way of an example with reference to figure 4, when a user is granted access at reader 31 at a time t1, the LOC record on the respective token is updated to indicate current zone as "zone A" with access time t1, as well as to indicate the last APB zone as "zone A" with respective access time t1. When the user is further granted access at reader to gain access to zone B at time t2, the respective token LOC record is updated to indicate current zone as "zone B" with access time t2, whereas the last APB zone and the respective access time remain unchanged at "zone A" and time t1. This indicates that the user is still disposed in APB zone A even though the current zone has changed to zone B. If the user later decides to return to zone A, he or she does not need to present the token anywhere because Zone B is fitted with the REX sensor to exit from zone B and enter zone A. Hence after this exit the current zone information on the token LOC record becomes inconsistent with the actual location of the user, however the last APB zone information still remains valid. If the user further wants to exit from zone A to zone 0 at time t3, he or she will have to present the token to reader 32. Assuming all else is OK, the reader will perform APB determination because the reader record indicates that entry APB zone is "zone whereas the exit APB zone is "zone The APB determination verifies that the last APB zone indicated by the LOC record on the token matches with the exit APB zone indicated by the reader record. This will be the case for this present user and hence the access will be granted and the LOC record on the token will be updated to include current zone as "zone 0" with access time t3, and last APB zone as "zone 0" with respective access time as t3.
However, suppose that, prior to exiting to zone 0, there is an unforeseen event in the building which results in an uncontrolled evacuation from zone A to another zone considered to be safe by the system managers. Say the system manager decides to evacuate all users to zone 0; all users will be evacuated to zone 0 without presenting their token to any reader. As a result the user will be disposed in zone 0, whereas the LOC record on the respective token will indicate current zone as "zone A" and last APB zone as "zone with t1 as the APB zone access time. Now if the user attempts to gain access back to zone A after the unforeseen event has passed and it is safe to return to the zone, the user will need to present the token to reader 31. The reader 31 has a reader record which is indicative of entry APB zone as "zone A" and exit APB zone as "zone As a result of this after other normal validation, the reader will need to perform APB determination. Unfortunately, this time the APB determination will fail because the exit zone indicated in the reader record, i.e. "zone 0", is different to the last APB zone indicated in the user's token LOC record, which instead indicates "zone A" as the last APB zone. Hence as per conventional wisdom the reader will incorrectly deny access to the respective user.
However, the embodiment as illustrated in figures 2 and 3 avoids this situation. Prior to allowing anybody access to "zone A" after the unforeseen event, the system administrator may have to make sure that the zone is safe for people to return. After such a determination is made, the system administrator will need to approach the terminal connected to the host server to define the event, resulting in the updating of the central PCL to include the event in the form of a new record indicating that the occupancy status of APB zone "zone A" needs to be reset for the current time t4. As per the steps illustrated in figure 2 "Merging Local PCL with Central PCL", the updated central PCL will eventually be copied to the local PCL by the connected reader 31. This new local PCL shall include the zone reset record for APB zone "zone A" with reset time as time t4.
Subsequent to this action by system manager, when the same user presents his or her token to reader 31 for gaining access to zone A at time t5, the steps illustrated in figure 3 "Level 1 APB determination" will still fail because the exit APB zone as indicated by the reader's own reader record being "Zone 0" will not match with the last APB zone in the token LOC record being "Zone However the reader will now perform the steps illustrated in figure 3-"Level 2 APB determination". First it will merge the token PCL with its local PCL following the steps illustrated in figure 2-"Merging Token PCL with Local PCL". The local PCL being more current than that on the token, the token PCL will be updated to match the local PCL and will now include the last reset record for the APB zone "zone A" with reset time as time t4. Thereafter the reader 31, as per steps illustrated in figure 3-"Level 2 APB determination", will search for a PCL record for the last APB zone as indicated in the token LOC record being "Zone A" as described above, in the local PCL. This search will be successful because as described above the local PCL has a record for APB zone "Zone A" for reset time t4. The reader will further interrogate the local PCL record for the respective APB zone to determine if the last reset time is later than the time indicated by the token LOC for the last APB zone. This determination will also be successful because of the sequence of events as described above, the time t4 when the system manager updated the central PCL was much later than the time t1 when access was last granted. Hence the access will be granted to the respective user at reader 31, and the token LOC record will likewise be updated to indicate last APB zone as "zone A" with respective access time as time Further, as the user attempts to gain access at other connected or disconnected readers, the respective readers merge their respective local PCLs with the token PCL on the user's token following the steps illustrated in figure 2 "Merging Token PCL with Local PCL". Hence in due time most readers have access to the updated PCL.
As further illustration of the invention, if subsequent to the time t5, the user somehow manages to pass his or her token to another person who say for example is still disposed in "zone When this other person attempts to gain access at the reader 31, the reader will again perform APB determination as illustrated by steps in figure 3, subsequent to other determinations. The reader record will indicate zone "Zone 0" as the exit APB zone of the reader. This will not match with the last APB zone indicated by the token LOC which incidentally is "zone Hence the Level 1 APB determination will fail and the reader will need to perform the level 2 APB determination by interrogating the local PCL record for APB zone "zone The reader will successfully find the PCL record for zone "zone so it will validate if the PCL indicates the zone reset time for the APB zone "zone A" to be later than the access time for the last APB zone as indicated in the token PCL. This determination will now fail because the PCL has not been updated by the system subsequent to time t5 which is the time indicated by the token LOC as the access time for the last access zone "zone A".
Hence the access will be correctly denied.
In the descriptions of the workings above, we assumed that the system manager decided to evacuate people to zone 0. It will be appreciated that the above logic will also work successfully if the system manager had chosen a different zone to evacuate people to. This is so because the zone where the users are disposed after the event is not at all significant because the logic as described above uses only the last APB zone as indicated by the token LOC record and this zone is supposed to be where the incident happened and the APB zone whose occupancy status needs to be reset, and must be included in the PCL by the system manager.
The zone records, and other information contained on the token, are encrypted to protect their integrity and security. However, in other embodiments, no encryption is used, or only some of the information is encrypted.
The current zone is indicative of the zone where the token should be, based on the history of reader interrogations that have occurred. As mentioned above, the current zone is derived from the entry zone record of the reader that last granted access to the token.
In an embodiment, the PCL includes a base validity date representing when the PCL was last updated. The base validity date represents the reset time and date for all APB zones.
First the reader will attempt level 1 APB determination if the reader record indicates the exit APB zone is different to the entry APB zone. As per the steps illustrated in figure 3-"Level 1 APB determination", the reader determines whether the last APB zone matches the exit APB zone. If the result of this determination is true, the access is granted, otherwise the reader resorts to Level 2 APB determination. In this embodiment, the reader first interrogates the local PCL to check if the base validity date of the local PCL is more recent than the access time as indicated on the token LOC for the APB zone the user is trying to enter as indicated by the entry APB zone in the reader record. If so the access is granted, otherwise the reader interrogates the local PCL record for the APB zone. If the reader successfully finds the PCL record for the same, it will validate if the PCL indicates the zone reset time for the APB zone to be later than the access time for the last APB zone as indicated in the token PCL. If this determination is successful, the access will be granted otherwise it will be denied.
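The Level 1 and Level 2 APB determinations and the PCL merging described above can be modelled as follows. This is an added example, not part of the specification: the class and function names, the integer times and the newest-entry-wins merge rule are assumptions, since Figures 2 and 3 are not reproduced here.

```python
"""Model of the APB determination for the Figure 4 walk-through.
Illustrative only: all names, the integer clock and the merge rule are assumed."""
from dataclasses import dataclass, field


@dataclass
class PCL:
    """Passback control list: occupancy reset times for APB zones."""
    base_validity: int = 0                           # reset time for all APB zones
    zone_resets: dict = field(default_factory=dict)  # APB zone -> last reset time

    def merge_from(self, other):
        # Assumed rule: the most recent reset time per zone wins.
        self.base_validity = max(self.base_validity, other.base_validity)
        for zone, t in other.zone_resets.items():
            if t > self.zone_resets.get(zone, -1):
                self.zone_resets[zone] = t


def merge(a, b):
    """Two-way merge so that both lists end up equally current."""
    a.merge_from(b)
    b.merge_from(a)


@dataclass
class Token:
    """LOC record (current zone, last APB zone, access times) plus token PCL."""
    current_zone: str = "Zone 0"
    current_time: int = 0
    last_apb_zone: str = "Zone 0"
    last_apb_time: int = 0
    pcl: PCL = field(default_factory=PCL)


@dataclass
class Reader:
    """Reader record (zone pairs) plus the reader's local PCL."""
    name: str
    exit_zone: str
    entry_zone: str
    exit_apb_zone: str
    entry_apb_zone: str
    local_pcl: PCL = field(default_factory=PCL)

    def present(self, token, now):
        """Return (granted, reason); the token LOC is written only on a grant."""
        merge(self.local_pcl, token.pcl)  # PCL updates travel on the token
        reason = "no APB boundary crossed"
        if self.entry_apb_zone != self.exit_apb_zone:
            reset = self.local_pcl.zone_resets.get(token.last_apb_zone, -1)
            if token.last_apb_zone == self.exit_apb_zone:
                reason = "level 1"
            elif self.local_pcl.base_validity > token.last_apb_time:
                reason = "level 2 (base validity date)"
            elif reset > token.last_apb_time:
                reason = "level 2 (zone reset)"
            else:
                return False, "passback"
            token.last_apb_zone, token.last_apb_time = self.entry_apb_zone, now
        token.current_zone, token.current_time = self.entry_zone, now
        return True, reason


def run_scenario():
    """Evacuation walk-through with constructed times 1..7."""
    central = PCL()
    r31 = Reader("31", "Zone 0", "Zone A", "Zone 0", "Zone A")  # connected
    r35 = Reader("35", "Zone A", "Zone B", "Zone A", "Zone A")  # disconnected
    token = Token()
    log = [
        r31.present(token, 1),  # enter Zone A: last APB zone becomes Zone A
        r35.present(token, 2),  # enter Zone B: last APB zone is unchanged
        # Uncontrolled evacuation to Zone 0 happens here; no reader sees the token.
        r31.present(token, 3),  # return before any reset: denied
    ]
    central.zone_resets["Zone A"] = 4        # administrator resets Zone A
    merge(r31.local_pcl, central)            # connected reader syncs with central
    log.append(r31.present(token, 5))        # granted by the zone reset record
    log.append(r35.present(token, 6))        # token carries the reset to reader 35
    log.append(r31.present(token, 7))        # token passed back outside: denied
    return log, token, r35


if __name__ == "__main__":
    for granted, reason in run_scenario()[0]:
        print("granted" if granted else "denied ", reason)
```

The final presentation is denied because the reset at time 4 predates the token's last APB access at time 5, which is the comparison that separates a legitimate post-evacuation return from a passed-back token.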
In an embodiment, the PCL only includes a base validity date representing when the PCL was last updated. The base validity date represents the reset time and date for all APB zones. First the reader will attempt level 1 APB determination if the reader record indicates the exit APB zone is different to the entry APB zone. As per the steps illustrated in figure 3-"Level 1 APB determination", the reader determines whether the last APB zone matches the exit APB zone. If the result of this determination is true, the access is granted, otherwise the reader resorts to Level 2 APB determination. In this case the reader interrogates the local PCL to check if the base validity date of the local PCL is more recent than the access time as indicated on the token LOC for the APB zone the user is trying to enter as indicated by the entry APB zone in the reader record. If so the access is granted, otherwise it is denied.
The APB functionality has only been described with reference to a passage from Zone 0 to Zone A, and back to Zone 0. Notwithstanding, it will be appreciated from the teaching herein that a passage between any of the zones in Figure 4 is regulated with similar steps, and the application of the same APB logic of Figure 3 holds.
As long as the APB zones are nested, which is always so in the embodiments of the invention, the above APB logic will work infinitely. Accordingly, infinite levels of APB functionality are provided by the embodiments, even when use is made of disconnected readers.
The APB functionality provides filtering of users and their ability to gain access at the access points on the basis of a given token being presented to a given reader. The identification information and/or the other information carried on the token such as the certificate, and/or the authorisation information provide another filtering of users and their ability to gain access via that same access point and on the basis of that same token being presented to that same reader. For convenience, these two filters are respectively said to allow an APB determination and a user determination. In this embodiment, the reader makes the user determination prior to making the APB determination. However, in other embodiments, the user determination is made after the APB determination. In further embodiments, substantially all the action required to make a first of the determinations is taken prior to the actions required to make a second of the determinations.
In the embodiment illustrated in Figure 4 the APB functionality is operational on all relevant readers for all normal operational periods of system 1. However, in other embodiments, the APB functionality only applies at given times in a day, or to given users, or due to different threat or alert levels.
By way of summary, the following applies to the embodiment of Figure 4:
Unlike normal zones, anti pass-back (APB) zones have no Request to Exit (REX) device. A valid token must be used to exit from an APB zone, just as for entering a zone.
All readers are configured at least with entry APB zones and exit APB zones and preferably also with entry zones and exit zones.
All readers have a local PCL which is indicative of APB zones and times when the respective APB zone's occupancy status was reset because of an event resulting in the uncontrolled exit of people from an APB zone the exit from which is normally controlled. The local PCL is merged with the central PCL for a connected reader. Merging of token PCL and local PCL happens as illustrated by the steps of figure 2.
Non-APB zones are considered to be included in the immediately enclosing APB zone (if any). For example, in Figure 4, Zone A and Zone C are APB zones. Zone B is included in APB Zone A, and Zone D is included in APB Zone C.
Tokens hold location information in LOC records about the current location of the user. The LOC record includes at least the last APB zone and the time when the access was last granted to that APB zone.
If the entry APB zone of the reader is different to the exit APB zone of the reader then as illustrated by the steps of figure 3-"Level 1 APB determination", the last APB zone of the token must match the exit APB zone of the token for access to be granted.
If so the access is granted, otherwise the reader follows the steps illustrated by the figure 3-"Level 2 APB determination" and the local PCL is interrogated to check if the occupancy status of the APB zone indicated as the last APB zone in the token LOC record has been reset since that access was granted. If so, the access is granted, otherwise the access is denied.
The APB logic provided by the system of the preferred embodiments avoids the need for the entry and exit readers of an APB zone to be physically connected to each other via any of several commercially available wired or wireless means and still handle uncontrolled exit of people from APB zones because of any events.
Although the invention has been described with reference to specific examples, it will be appreciated by those skilled in the art that it may be embodied in many other forms.