November 2012
Tomorrow’s IP-Based Access Control System on Today’s Serial Network Infrastructure using PCN IP-485® Technology
S. Venkat Shastri, PCN Technology, Inc.
Article Abstract: The physical access control industry is going through
a transformation motivated by a need to deliver services from the web
and thereby reduce operating costs. In government and other facilities
where certain areas may have restricted access, new regulatory
requirements have necessitated an upgrade of closed, legacy access
control systems to secure, Cloud connected solutions. All this is
calling for extensions and upgrades to the networking infrastructure
currently in place, and a move from proprietary narrowband
communication to standardized and secure broadband communication. In
this paper, we propose the application of a new technology called
IP-485® to access control network upgrades, and describe how it could
be utilized to transform closed legacy infrastructure for access
control into open, Cloud connected IP LANs. The proposed solution
enables a phased approach to the migration and ultimate transformation
of access control systems.
Introduction
Traditionally, physical access control has referred to the ability to control the ingress and egress of people to and from a campus, facility or room. The simplest example of physical access control is the use of mechanical locks on doors to rooms. Although simple and relatively inexpensive to install, mechanical locks do not offer the ability to gather even simple information such as when a person with the key to the lock entered a room. Electronic locks have the ability to monitor and control access, and are currently most prevalent in commercial and industrial facilities. They come with keyless entry cards or fobs, each of which has a personal identification number that can be used to monitor a person’s access to facilities. The primary challenge faced by facilities managers is how to upgrade access control systems so that (i) they are Cloud connected for the delivery of web-enabled services, and (ii) they can be accessed by the fire & life safety system to enable automation in emergency response applications.
In a world where CapEx budgets are large, facilities managers would be
able to overcome these challenges with simply a “rip and replace” plan
to a new, open-standard IP infrastructure for both access control and
fire and life safety systems, so that they may both be integrated with
the corporate IT network. But practically speaking, what they need is a
migration strategy from their legacy infrastructure to one that
satisfies their current and emerging bandwidth, security and service
demands. In this article, we show that IP-485® enables structured and
phased strategies for network upgrades, and future-proofs the
communication infrastructure against emerging needs.
Challenges in Access Control
Most traditional access control systems are built on closed, low-bandwidth communications infrastructure. They run a proprietary serial protocol of one form or another at data rates as low as 2400 Baud in older installations. They need little in the way of error correction in communication or bandwidth/latency management in the network. As a result, Quality of Service (QoS) in these installations resulted more from careful system design, and upgrades required end-to-end testing in the field to re-affirm QoS. More recent installations have leveraged the BACnet standards developed for Building Automation in an attempt to develop an integrated approach towards all aspects of building management. This has brought about improvements in bandwidth within access control systems and interoperability between various vendor offerings and across applications.
Several important changes are underway in the access control market and it is quite likely that the incremental improvements implemented in the past decade will be inadequate in addressing emerging requirements and trends in the industry. Key among them are:
Traditionally, facilities managers have relied on the experience of
system integrators to design and deploy vertically integrated systems
consisting of products from a variety of vendors. In an industry trying
to find ways to get to an IP-based access control system
infrastructure, a new approach will be needed by system integrators to
meet the emerging needs in the industry due to a variety of reasons.
Most important among them is that any IP upgrade will by definition
need either a change-out of the wiring infrastructure, or the
deployment of a secondary infrastructure using an appropriate set of
wireless products. Neither is likely to be an effective solution for a
system upgrade. While wireless is becoming the technology of choice for
cost-effective connectivity at the edge between the access panel and
electronic locks, it lacks the reliability or robustness required to
serve as an infrastructure solution for access control systems. A “rip
and replace” of wires definitely delivers the reliability and
functionality desired by facilities managers, but is not cost effective
and requires substantial capital expense budgets. Further, neither
approach presents a migration path for a phased transformation of the
legacy infrastructure into an IP-enabled one.
Access Control Network Infrastructure Upgrade Needs
In general, facilities managers look for two types of network upgrades. These are:
IP-485® for Access Control Network Transformation has demonstrated the
ability to implement the changes needed in access control network
infrastructure without any “rip and replace” of the existing wiring. It
is a broadband solution that has reliability comparable to wired
systems, but with cost points that are typical in wireless deployments.
IP-485® Technology
At the heart of the proposed IP-485® solution for BMS upgrade challenges is the fact that it enables the simultaneous transport of IP data and serial data over the same wiring infrastructure (active twisted or untwisted pair), even in the presence of significant conducted and radiated noise in the medium. The foundation of this technology lies in an algorithm called Dynamic Adaptive Channeling, which decides in real-time how to encode data payloads into communication frequency channels, so that Quality of Service (QoS) can be maintained at all times subject to channel constraints. The algorithm starts with a full spectral sweep and a determination of the Signal-to-Noise Ratio (SNR) properties across the entire channel. To make the problem computationally elegant, the algorithm divides the overall communication channel into Orthogonal Frequency Division Multiplexing (OFDM) sub-channels and conducts the SNR analysis at the baseband associated with each sub-channel (shown in Figure 2). This helps determine available sub-channels at a given Quality of Service (QoS), which in turn maximizes the utilization of usable channel capacity.
Adaptive Channeling permits the deployment of robust communication
networks in harsh environments. The algorithm is robust to white noise
in the channels, which degrades the communication bandwidth, and to colored
noise in the channels arising from factors such as EM interference from
nearby operating equipment. In addition, it automatically discovers
usable communication channels regardless of the type, gauge or topology
of wiring used. As examples, IP-485® would operate successfully on
18-gauge, twisted pair, multi-drop wiring, coax cables or 26-gauge
untwisted pair, simple daisy-chained wiring. Communication is robust to
collisions arising from other applications currently using the channel,
which are seen as interferences in channel analysis. This enables the
technology to implement multiplexed channel access across applications
at the physical level. In addition, if more than one OFDM sub-channel
is available for communication, the technology enables the
implementation of a Bus consisting of sub-channels that run
concurrently, each of which may be multiplexed between applications.
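The sub-channel selection described above can be sketched with textbook gap-approximation bit loading; this is an added example, not PCN's Dynamic Adaptive Channeling algorithm or code from the article. The sweep values, the 10 dB margin, the bit cap and the symbol rate are constructed assumptions.

```python
import math

GAP_DB = 10.0         # assumed SNR margin reserved to hold the target QoS
MAX_BITS = 10         # assumed cap on bits carried per sub-channel symbol
SYMBOL_RATE = 50_000  # assumed symbols per second on each sub-channel


def bits_for_snr(snr_db, gap_db=GAP_DB, max_bits=MAX_BITS):
    """Gap-approximation bit loading: floor(log2(1 + SNR/gap)), capped."""
    margin_linear = 10 ** ((snr_db - gap_db) / 10)
    return min(max_bits, math.floor(math.log2(1 + margin_linear)))


def plan_subchannels(signal_dbm, noise_dbm, min_bits=2):
    """Return ({sub-channel index: bits per symbol}, aggregate bit/s).

    A sub-channel is used only if it can carry at least min_bits at the
    required margin; all other sub-channels are left idle.
    """
    if len(signal_dbm) != len(noise_dbm):
        raise ValueError("sweep vectors must cover the same sub-channels")
    loading = {}
    for idx, (sig, noise) in enumerate(zip(signal_dbm, noise_dbm)):
        bits = bits_for_snr(sig - noise)
        if bits >= min_bits:
            loading[idx] = bits
    return loading, sum(loading.values()) * SYMBOL_RATE


# Constructed sweep of 8 sub-channels, in dBm. Received signal falls with
# frequency; the noise floor is -60 dBm except where something is present:
#   index 0    : legacy serial traffic already on the wire
#   index 2, 3 : colored noise from nearby equipment
SIGNAL = [-20, -22, -24, -26, -28, -30, -33, -34]
NOISE = [-15, -60, -30, -28, -60, -60, -60, -60]

if __name__ == "__main__":
    loading, rate = plan_subchannels(SIGNAL, NOISE)
    print("usable sub-channels and bits:", loading)
    print("aggregate rate (bit/s):", rate)
```

Re-running `plan_subchannels` on each new sweep is what makes the plan adaptive: a sub-channel that picks up interference drops out of the loading and the aggregate rate falls accordingly.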
Figure 2: IP-485® Network Architecture
The second set of properties manifest in PCN’s IP-485® relates to
real-time network management at the application level. Concurrent with
the adaptive channeling algorithm, we also implement a real-time
communication engine that enables the delivery of serial data (that is
multiplexed with IP data) with negligible latency, encoded in jitter-free,
almost copy-exact waveforms, regardless of wiring type, noise,
interference or other considerations that affect signal integrity.
Further, we also implement a network engine that enables network
configuration and management in real-time. For example, in a
Master-Slave configuration, the concept of a Floating Master may be
implemented using the engine. Further, data payloads with high priority
may be queued and delivered with very low latency across the network.
IP-485® Networks
Figure 2 shows a typical network established using IP-485® network
products. It consists of a Router that is connected to the Cloud via an
ISP line (T1, Fiber or Satellite) using a standard CAT 5/6 connection.
It may also be connected to serial network(s) on its Low Frequency (LF)
Bus(es). The PCN Single Channel Router (SCR) accepts a single serial
network connection (shown in Figure 2), while the Multi-Channel (MCR)
version permits the integration of up to 4 serial networks. The Router
then transports both IP data and serial data on the same output
channel, called the Broadband (BB) Bus. The SCR has a single BB Bus,
while MCR would have as many separate BB Buses as serial network inputs
on the LF Bus. In this architecture, the Shared Wire multi-channel,
multiplexed access bus is implemented on the BB Bus wiring.
Figure 3: Typical Access Control System Architecture
Each Router is connected to one or more PCN Switches on the BB Bus. An SCR would be capable of driving up to 4 switches, while an MCR has the capacity to drive up to 16. Each PCN Switch has as input the BB Bus wiring from its Router. Serial network outputs are connected to its LF Bus, while its 3 IP ports enable the establishment of a redundant management IP network between the Router and the Switch. Networks established with MCRs and Switches have the ability to integrate up to 48 IP Edge devices, and 4 separate serial networks, each potentially having a different protocol. SCRs, on the other hand, will be able to handle 12 IP Edge devices and a single serial network. In each case, the IP network would co-exist with the serial network without any impact on the performance of one network from the other. In our current product implementation, the BB Bus as well as the LF Bus consists of standard twisted pair (TP) or untwisted pair (UTP). In addition, the technology has been validated on a variety of analog and digital wiring.
In terms of real-world applications, PCN products have been
successfully applied on legacy access control and BACnet networks
operating at data rates ranging from 9600 Baud to 76.8K Baud. In
addition, PCN products have also functioned on legacy building
automation buses without issue. In both cases, IP data rates in the
range of 1 - 4 Mbps were recorded consistently at the edge. This
implies that while the example shows the integration of a simple device
such as a thermostat, PCN products are capable of supporting the data
needs of any upgrade that may be required in existing BMS. The SCR may
either be connected directly to the Cloud, or integrated with the
corporate IT infrastructure for the delivery of web services.
Access Network Transformation using IP-485® Networks
Consider a typical access control system architecture shown in Figure 3. It has a collection of card readers connected to the access panel, many of which may be connected to the access control server in the data room. In legacy systems, each access panel has the ability to connect to a small number of readers and a corresponding number of electronic locks using simple Wiegand wires. When a card is placed near the reader, its information is read and passed on to the access panel, which in turn communicates with the server and confirms that the person holding the card is allowed access. With this confirmation, the access panel is able to instruct the electronic lock to open. Without the confirmation from the server, the access panel does not send out the “open” instruction to the door lock.
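The confirmation step above amounts to a fail-closed rule at the panel, shown here as an added example (not code from the article or from any vendor's panel): the door opens only on a positive reply that matches the request. The `AccessPanel` class, the `Reply` fields and the three server stand-ins are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    request_id: int  # echoes the panel's request number
    card_id: str
    door: str
    granted: bool


class AccessPanel:
    """Hypothetical panel: sends "open" only on a matching positive reply."""

    def __init__(self, door, ask_server):
        self.door = door
        self.ask_server = ask_server  # callable(request_id, card_id, door)
        self.next_id = 0
        self.opens = 0   # stands in for the "open" instruction to the lock
        self.audit = []  # (card_id, outcome) for every card presentation

    def on_card(self, card_id):
        self.next_id += 1
        sent = (self.next_id, card_id, self.door)
        try:
            reply = self.ask_server(*sent)
        except (TimeoutError, ConnectionError):
            return self._record(card_id, "locked: server unreachable")
        if not isinstance(reply, Reply):
            return self._record(card_id, "locked: malformed reply")
        if (reply.request_id, reply.card_id, reply.door) != sent:
            return self._record(card_id, "locked: reply does not match request")
        if reply.granted is not True:
            return self._record(card_id, "locked: denied")
        self.opens += 1
        return self._record(card_id, "open")

    def _record(self, card_id, outcome):
        self.audit.append((card_id, outcome))
        return outcome


# Constructed stand-ins for the access control server.
ALLOWED = {("card-1001", "lab-door")}

def server_ok(request_id, card_id, door):
    return Reply(request_id, card_id, door, (card_id, door) in ALLOWED)

def server_down(request_id, card_id, door):
    raise TimeoutError("no answer from server")

def server_stale(request_id, card_id, door):
    # Answers with a grant that belongs to an earlier request for another card.
    return Reply(request_id - 1, "card-1001", door, True)
```

Every path other than the matching grant leaves `opens` unchanged and still writes an audit entry, so a server outage shows up as a run of "server unreachable" records rather than as silence.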
Communication between the reader and the access control panel is simplex, using a proprietary protocol. More recently, this has been implemented to be full duplex using ZigBee. Communication between the access panel and the electronic lock traditionally uses Wiegand wires, but has also been recently switched over to ZigBee. Communication between the access panels and the server is serial, and managed using a simple polling, Master-Slave, or Token Passing arbitration scheme on a twisted or untwisted pair of wires. Most servers do have the ability to connect to the Internet, but only for remote log-in and update of the database associated with who is permitted access to the facility.
Starting from the edge, tomorrow’s access control will ultimately have
IP-enabled card readers. There are two motivations driving this change.
The first is that while traditional readers only deal with simple
“mag-stripe” cards, IP-enabled readers have the ability to integrate
the use of “smart cards,” and conduct the initial validation
directly between the reader and the card. The second is that IP-enabled
readers can be easily made secure with third-party software. Second,
access control panels will also be IP-enabled. In addition to the security
advantages already discussed, each IP-enabled access control panel is
capable of driving tens of IP-enabled readers (as an example, many
legacy access control panels can only integrate 2 readers, while
IP-enabled panels can integrate 64 IP-enabled readers). Third, instead
of having the access control server and database on the premises,
tomorrow’s system will be connected to servers and storage that
reside in the Cloud.
Figure 4 shows the implementation of the access control upgrade using IP-485®. In the figure, we use an SCR or MCR at the head-end depending on the number of access panels that need to be supported. The server resides in the Cloud and is connected to the PCN Router. The Router, in turn, is connected to an appropriate number of switches on the existing wiring in the facility. Each switch can service up to 3 IP-based access panels in its proximity, and modern panels have the ability to communicate both with the reader and the electronic lock using ZigBee. As a result, the entire upgrade, on the infrastructure side of the problem, requires the change-out of locks and card readers, and the replacement of the in-premises servers and databases with their counterparts that reside in the Cloud. The entire wiring infrastructure is maintained. Since PCN routers and switches are broadband, they deliver bandwidths that are adequate for future expansions.
Conclusion
In this article, we have presented a new technology called IP-485® and
described how it may be deployed to transform existing access control
infrastructure into one that can support IP-enabled devices that are
connected to the Cloud. The technology has been applied successfully on
a variety of access control configurations and data protocols, and has
operated on both twisted pair and untwisted pair wiring. Both daisy
chain and multi-drop wiring topologies have been considered in the
testing. At present, the products are beginning to proliferate within
the market leaders in building automation, security and access control
applications, and we anticipate rapid adoption of the technology in a
number of Use Cases in the near-term.