Site access control systems. SKUD - access control and management system: nuances of use and main functions

  • Access controller – a device designed to control access through controlled access points by analyzing user identifiers read by readers (checking rights). Access controllers can make their own decisions to grant or deny access if user IDs are stored in the controller's memory (in which case local access is said to be used). Alternatively, user IDs can be recorded only in the network controller (in the software database). In this case, the access controller acts as a relay: it sends the code to the network controller and receives from it the decision to grant or deny access (this is called centralized access). Access controllers control barring devices using relay contacts;
  • Identifiers – unique characteristics of ACS users. The identifier can be a Touch Memory electronic key, a contactless Proxy card, a radio key fob, a PIN code, or biometric data (fingerprint, palm print, iris or retina pattern, geometric characteristics of the face, etc.). In the access control system, each identifier is assigned certain powers, in accordance with which access controllers allow or deny access;
  • Readers – devices designed to read the user ID code and transmit it to the access controller;
  • Access point – a logical object of the access control system; physically, it is a barrier equipped with an access controller and a reader. The access point can be a door, gate, turnstile, barrier, gateway, etc. Access points can operate in two modes: with and without control of the direction of passage. Access points with control of the direction of passage can be either bidirectional (equipped with two readers) or unidirectional (with one reader, without the possibility of passage in the opposite direction). Exit through access points without control of the direction of passage is most often carried out using a button;
  • Access zone – a logical object of the ACS. Access zones are areas into which the territory of a protected enterprise is divided. Access points with control of the direction of passage are always located at the boundaries of access zones. Access zones are configured for access points if the system uses functions such as working time calculation and re-entry prohibition (antipassback rule);
  • Access level – individual access rights, which determine the rules for passage through points and presence in access zones assigned to the user ID. Based on these rights, access controllers (or network controllers) decide whether to grant or deny access;
  • Time windows – a set of time intervals during which passage is allowed. Time intervals can be set for each access point or zone individually;
  • Software – a component of the access control and management system. Using the software, ACS controllers are configured, including setting user IDs, access levels and time windows in them. The software is also used to implement additional functions such as relaying passage events to enforce the re-entry ban, real-time monitoring of employees and visitors of a protected facility, logging of access control events (and their accumulation in the system database), recording time worked by facility employees, and creation of various reports on ACS events.

Standard pass mode. Each access point in the enterprise that is subject to control is equipped with an access controller and reading devices. In order for employees to be able to pass through access points, each of them is given a unique user identifier; biometric information can also serve as an identifier. The identifier is stored in advance in the memory of the access controllers or network controller, where access levels are assigned to it. If the system is controlled by automated workstation (AWS) software, then usually part of the employee’s personal data is also entered into the AWS database. Upon presentation of the identifier, the device or network controller makes a decision to grant or deny access to the employee. All passages through access points, as well as events associated with them, are stored in the memory of the access controllers, and are also transmitted to a PC and entered into the workstation database. Subsequently, based on these events, you can receive various reports, calculate the time worked by employees, etc.

Anti-passback (the antipassback rule) is used to ensure that one identifier cannot be used again to enter any access zone without first leaving it. The access controller's response to an antipassback rule violation depends on the antipassback mode set for the access level of the identifier in question. One of the following modes can be used:

  • Strict - the system prohibits repeated entry into the access area until exit;
  • Temporary - during the specified time, the system prohibits repeated entry into the access area until exit;
  • Soft - the system will not deny access, but the fact of violation of the antipassback rule will be recorded in the event log.

The anti-passback rule can only be used for doors with directional control. Supported only by the S2000-2 controller.

Access according to the rule of two (or more) persons. To control access to access areas with increased security requirements, the passage mode can be used according to the “rule of two (three) persons” with agreed access levels. When the first identifier is presented, the access controller goes into standby mode for the second identifier. If the key presented after this has an inconsistent access level, the controller will deny access. If the access level is agreed upon, access will be granted (if access is used according to the three-person rule, this procedure will be repeated for the third key). This pass mode is an access parameter for the identifier and is configured independently for each pass direction (for each reader) in the access level. This function is supported only by the S2000-2 controller.

Access with confirmation. If not all persons participating in the access procedure according to the two (three) person rule are expected to enter the protected access zone (for example, a security officer confirms the access of another employee), then the “Confirmer” access mode is set for the access level of such persons. Independent access using a key with this access mode is impossible, and when accessing according to the rule of two (three) persons using such a key, the “Access granted” and “Passage” messages will not be generated. This function is supported only by the S2000-2 controller. The S2000-2 devices, starting with version 2.0x, also support the ability to organize confirmation not only with an additional identifier, but also with a special button.

Double identification. Each of the controller readers can operate in a mode where identification requires the presentation of two identifiers (for example, a Proxy card and a PIN code). This mode can be enabled independently for each reader. With double identification, the procedure for granting access begins with providing the main code (first identifier). If the key is recognized and there are no violations of the access mode, the controller goes into standby mode for an additional code. If an additional code is presented, the identification procedure is considered successfully completed. We recommend using “Proxy-KeyAH”, “Proxy-KeyAV” (for EM-Marine cards), “Proxy-KeyMH”, “Proxy-KeyMV” (for Mifare cards) as readers for this access mode.
The device can also be temporarily switched to “Open” or “Closed” access mode.

Access under duress. It is possible to alert the security of the facility that access or arming/disarming control is being carried out under duress. To do this, the user, instead of the usual identifier, presents a “Duress Code” on the reader. In this case, an alarm message is generated, but otherwise the use of such an identifier does not differ from the usual one. There are two ways to present the Duress Code. In the first method, the user is given two identifiers instead of one. In normal mode, the first identifier is used, and under duress, the second. If double identification is used, then you can use the second method to present the “Duress Code”. To do this, in addition to the usual additional code, a second special “Additional duress code” is added to the main user code. Most often, with double identification, a PIN code is used as the additional key code. Therefore, the user only needs to have a single primary identifier and remember two PIN codes: a regular one and a duress code.
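The double identification procedure and both ways of presenting the Duress Code can be modelled as a small state machine. The following is an added example, not code from the controller or its vendor; the user records, event names and the WAIT_S waiting time are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

WAIT_S = 10  # assumption: how long the reader waits for the additional code


@dataclass(frozen=True)
class User:
    name: str
    card: str                          # main code (first identifier)
    pin: Optional[str] = None          # usual additional code
    duress_pin: Optional[str] = None   # method 2: "Additional duress code"
    duress_card: Optional[str] = None  # method 1: second identifier, used under duress


def same(stored, presented):
    """Constant-time comparison; a code that is not configured never matches."""
    return stored is not None and hmac.compare_digest(stored.encode(), presented.encode())


class Reader:
    def __init__(self, users, double_identification):
        self.users = list(users)
        self.double = double_identification
        self.pending = None  # (user, duress, deadline) while waiting for the additional code
        self.events = []     # messages delivered to the security post

    def present(self, code, now):
        """Return the response visible at the reader for one presented code."""
        if self.pending and now > self.pending[2]:
            self.pending = None  # waiting time expired, the procedure starts over
        if self.pending:
            user, duress, _ = self.pending
            self.pending = None
            if same(user.duress_pin, code):
                duress = True
            elif not same(user.pin, code):
                return self._deny(now, user.name)
            return self._grant(now, user.name, duress)
        for user in self.users:
            duress = same(user.duress_card, code)
            if duress or same(user.card, code):
                if self.double:
                    self.pending = (user, duress, now + WAIT_S)
                    return "WAIT_ADDITIONAL_CODE"
                return self._grant(now, user.name, duress)
        return self._deny(now, None)

    def _grant(self, now, name, duress):
        if duress:
            self.events.append((now, name, "DURESS_ALARM"))
        self.events.append((now, name, "ACCESS_GRANTED"))
        return "ACCESS_GRANTED"  # the door reacts identically with or without duress

    def _deny(self, now, name):
        self.events.append((now, name, "ACCESS_DENIED"))
        return "ACCESS_DENIED"


# Constructed sample users: alice uses a card plus PIN, bob carries two identifiers.
USERS = [
    User("alice", card="0A1B2C", pin="4821", duress_pin="4829"),
    User("bob", card="0D4E5F", duress_card="0D4E60"),
]

if __name__ == "__main__":
    reader = Reader(USERS, double_identification=True)
    print(reader.present("0A1B2C", 0), reader.present("4829", 2))
    print(reader.events)
```

The response at the reader is the same for the regular and the duress code; only the event stream differs, which is what monitoring has to alert on.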

Closed access mode. In this case, all types of access through the managed point are prohibited. The device can be switched to this mode by a centralized command via the RS-485 interface, upon presentation of a key of the “Closing” type, or upon arming of access-blocking alarm loops. The mode can be used to temporarily block security service access to certain areas of the facility.

Open access mode. There is free passage through the controlled point without presenting identifiers. In the “Access Open” mode, the controller constantly provides an opening action to the corresponding relay (the relay in a given direction is either continuously on or continuously off), so this access mode generally cannot be used for some types of locking devices, for example, electromagnetic latches. The device can be switched to this mode by a centralized command via the RS-485 interface, or upon presentation of a key of the “Opening” type. In “S2000-2” devices, starting with version 2.0x, full free access has become possible with electromechanical latches, which open with a short pulse and go into the “closed” state only after the door is opened and then closed. In this case, when the “Access Open” mode is turned on, the relay will turn on briefly (for the same time as when access is granted) each time the door is closed, so the lock will be open all the time. Also, the new version of the “S2000-2” devices can be switched to open access mode using an external relay signal detected by the device’s alarm loop (AL).

The following important parameters are configured in the “S2000-2” device and the “S2000-4” block:

  • Interface type of connected readers - Touch Memory, Wiegand, Aba Track. This parameter is responsible for the method of transmitting the code of the read identifier to the controller;
  • Passage sensor - the parameter indicates that the controller uses a passage sensor. The main purpose of the sensor is to generate a “Pass” message when this circuit is triggered after access is granted. The presence of the “Passage” event is necessary for the implementation of the antipassback function and for the correct operation of the “Work Time Accounting” function in the automated workplace;
  • Door blocking control - when the door is opened during passage for a time exceeding the “Blocking timeout”, an alarm message “Door blocked” is generated;
  • Burglary control - when this parameter is enabled, when a door is opened without granting access, an alarm message “Door is hacked” is generated;
  • Access zone number - from 0 to 65535. Number of the access zone, the entrance to which is controlled by this reader (65535 - access zone number is not defined - for walk-through doors);
  • Turn off when the door is opened - early interruption of the “opening” relay program when the door is opened (the relay turns off after the passage sensor is triggered). It is advisable to enable this function when using electromechanical locks (to which there is no point in supplying power when the door has already been opened);
  • Turn off when closing the door - early interruption of the “opening” relay program after closing the door (the relay turns off after the passage sensor is restored). It is advisable to turn it on when using the turnstile, when after turning the turnstile you can begin a new procedure for granting access. When using a gateway, this option is always considered enabled, since when leaving the gateway, you cannot enter it again without presenting an identifier, and you can exit from inside only after pressing the exit button;
  • Access controller relays can operate as either closing or opening switches. The relay operating tactics are selected depending on the locking mechanism used.

To organize one or several autonomous access points at an object in ISO "Orion", you can use a specialized access controller "S2000-2", a control panel "S2000-4" with access control functionality and biometric access controllers “S2000-BIOAccess-MA300”, “S2000-BIOAccess-F22”, “S2000-BIOAccess-PA10”, “S2000-BIOAccess-SB101TC”, “S2000-BIOAccess-W2”. The S2000-2 access controller can be used to organize bidirectional and unidirectional access points with and without control of the direction of passage. For access points organized using S2000-2, you can apply the antipassback rule, use access with confirmation or according to the rule of two (or more) persons. A reception and control unit with access control functionality “S2000-4” and biometric access controllers allow you to organize a unidirectional access point with or without control of the direction of passage.


The access controller “S2000-2” has the ability to operate in several modes: “two doors per entrance”, “one door per entrance/exit”, “turnstile”, “barrier”, “gateway”. The controller memory can store 32768 user IDs, 32768 events (in case of lack of communication with the network controller), 100 time windows and 100 access levels. The logic of the controller depends on the selected operating mode. “S2000-2” also has two alarm loops, to which you can connect contact security detectors, signals for switching the controller to open access mode, and signals for allowing reading of identifiers. The controller can be configured to lock the door if any security loops are armed. You can control the arming and disarming of loops from the same reader and with the same identifier that is used to control the access control system. To make it possible to provide access to a wide range of people whose identifiers are difficult or impossible to enter into the controller’s memory (for example, there are too many of them), provided that the codes of all these identifiers satisfy some well-known rule, access templates are implemented in S2000-2.

Operating modes of "S2000-2"
Two entrance doors

In this mode, the controller controls access through two independent access points, and granting access in one direction (entrance) requires the presentation of identifiers, and to grant access in the opposite direction, the “EXIT” button is pressed.
For each reader, you can configure double identification, access based on the rule of two (or more) persons, and access with confirmation. Both readers in this operating mode of the device operate independently of each other. That is, when free access is opened (or, conversely, access is closed) on one reader, the second will function in standby mode until the corresponding command is also sent to it. In general, in this mode of operation, the antipassback rule cannot be used for doors (since the doors are not access points with control of the direction of passage in this case). However, if the exit button for one of the access points will not be used, antipassback mode can be configured for it.

One entry/exit door

This mode is designed to control access through one door, which has only one locking device and is controlled by one passage sensor. Providing access in both directions requires the presentation of user IDs. Exit buttons can also be used to provide access (for example, to open a door from a security post).
In this mode, the antipassback rule, access according to the rule of two (or more) persons, access with confirmation, and double identification can be used. In the “One door per entry/exit” operating mode, when free access is opened, the controller readers work synchronously - when a command is sent to one reader of the device, the second reader will automatically be switched to the same mode.

Turnstile

In this operating mode, the S2000-2 controller controls passage through the electromechanical turnstile. The turnstiles have two control circuits, one for each direction of passage (usually these control circuits are located in the remote control unit that comes with the turnstile). Moreover, providing access in each direction requires the presentation of user IDs on readers installed on both sides of the turnstile. To remotely provide access, the operator can use the “Exit” buttons. If it is necessary to authorize access and register passage by an identifier that would be denied access in normal mode (the time window is not active, the validity period has expired, antipassback is violated, or the identifier is not stored in the controller’s memory at all), an additional “Permission” button can be connected to the controller. The “Permission” button can be used for all operating modes of the device, except for the “Gateway” mode.
In the “Turnstile” mode, the antipassback rule, double identification, access according to the rule of two (or more) persons, and access with confirmation can be used. Both readers in this operating mode of the device operate independently of each other. This means that when free access is opened (or, conversely, access is closed) on one reader, the second will function in standby mode until the corresponding command is sent to it too.

Barrier

In this mode, the controller controls bidirectional access through one access point with one blocking device - a barrier. The first relay of the controller controls the opening (raising) of the barrier, and the second relay controls the closing (lowering). Typically, the controller relays are connected to the barrier control unit. Providing access in both directions requires the presentation of user IDs on readers installed on both sides of the barrier. For remote (manual) control of the barrier, the “Enter” and “Exit” buttons can be used. Car passage sensors, in addition to registering passage, perform the function of protection against lowering the barrier onto the car. As long as at least one of the passage sensors is in the activated state, the barrier will not lower. For this reason, passage sensors (usually optical beam sensors are used) are placed on both sides of the barrier so that any vehicle located under the barrier will trigger at least one sensor. To increase imitation resistance, vehicle presence sensors in the reader area can be connected to the controller alarm loops. In this case, the identifiers will be perceived by the controller only if there is a car near the reader. It is possible to control traffic lights using switching devices “UK-VK/06”. To turn traffic lights on/off, the reader LED control outputs are used. UK-VK/06 devices can switch voltages up to 220 V (AC) and currents up to 10A, which allows you to control almost any traffic lights.
In the “Barrier” operating mode, the antipassback rule, double identification, access according to the rule of two (or more) persons, and access with confirmation can be used. In the “Barrier” operating mode, when free access is opened, the controller readers work synchronously - when a command is issued to one reader of the device, the second reader will automatically be switched to the same mode.

Gateway

In this mode, the controller controls access through one access point, which is two doors with a closed space between them (gateway), and both doors cannot be opened at the same time. At the entrance to the gateway, two readers are installed on each side (outside the gateway). At the security post that controls the operation of the gateway, two “Exit” buttons are installed so that the guard can let a person into the gateway without presenting an identifier, two “Confirmation” buttons to let the person out of the gateway, and a “Ban” button to deny access. To go through the first door (entrance to the gateway), you must present an ID. The second door opens either automatically, after closing the first door, or after the guard presses the “Confirmation” button (set when describing the access level). If there is no security post and the gateway operates exclusively in automatic mode, then the “Confirmation” buttons still need to be connected so that a person has the opportunity to exit through the door through which he entered if he changes his mind or stays inside for more than the allotted time. The allowed time for a person to stay in the gateway is set by the “Time to confirm access” parameter. During this time, any of the “Confirm” buttons can be pressed and the corresponding door will open. If during this time none of the “Confirmation” buttons was pressed, then the access procedure is considered incomplete and the gateway is free. A person can be released from the gateway after the “Time to confirm access” has passed only through the door through which he entered by pressing the “Confirmation” button of this door. On the one hand, the “Time to confirm access” must be selected sufficient for additional identification; on the other hand, if a person presented an identifier but did not enter the gateway, then a new access procedure will not be able to begin during this time. 
When you press the “BAN” button, the “Access Denied” message is generated and no door opens. You can only let a person out of the gateway through the door through which he entered by pressing the corresponding “CONFIRMATION” button. If you equip the gateway with a presence sensor and connect it to the “BUSY” input of the controller, then there will no longer be a strict time frame - additional identification can take as long as necessary. Doors must be equipped with opening sensors (the “Passage sensor” parameter is considered to be always on). In this operating mode, the antipassback rule, double identification, and access with confirmation can be used. In the “Gateway” operating mode, when free access is opened, the controller readers work synchronously - when a command is issued to one reader of the device, the second reader will automatically be switched to the same mode.

Organization of complex access points

When organizing complex access points, if during access through the reader of one controller “S2000-2” ver. 2.0x it is necessary to block access through the readers of other similar controllers, their operation can be synchronized using the “Busy” signal. In this case, upon presentation of the identifier, the device analyzes the “Busy” input and provides access only if the input is not active. From this moment until the fact of passage is registered, the controller activates its “Busy” output in order to block the readers of other controllers for this time. The “Busy” contact is both an input and an output of the device. To synchronize several “S2000-2”, it is enough to connect their “Busy” contacts to each other (as well as the “GND” contacts if the controllers are powered from different power sources). In addition, it is necessary to enable the “Accept BUSY” and “Issue BUSY” parameters for the reader, so that access through this reader is blocked when accessed through readers of other controllers, and vice versa, so that when accessed through this reader, readers of other controllers are temporarily blocked. At the same time, the “BUSY” signal can be used to connect a presence sensor if the next access procedure can only be started after the access point is released.

This scheme can be used, for example, when equipping the entrance to a two-level parking lot. One device controls the barrier from the street side, and the other two control the barriers at the entrance to the first and second levels. Presence sensors monitor the presence of a vehicle on the ramp. To block the simultaneous entry of cars onto the ramp from different levels, it is necessary to set the parameters “Issue BUSY” and “Accept BUSY” at one of the readers of each controller (the one that allows entry to the ramp). For those readers that control exit from the ramp, these parameters should be turned off.
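The parking ramp interlock above, as an added simulation that is not vendor code: the shared “Busy” contact is modelled as a line that is active while any device drives it. The reader names, the enters_ramp attribute and the misconfigured() check are assumptions made for this sketch.

```python
from dataclasses import dataclass


class BusyLine:
    """The shared "Busy" contact: active while any connected device drives it."""

    def __init__(self):
        self.drivers = set()

    @property
    def active(self):
        return bool(self.drivers)


@dataclass
class Reader:
    name: str
    line: BusyLine
    enters_ramp: bool  # constructed attribute: does this reader admit cars onto the ramp?
    accept_busy: bool  # "Accept BUSY" parameter
    issue_busy: bool   # "Issue BUSY" parameter

    def present(self):
        """A valid identifier is presented: grant unless BUSY blocks this reader."""
        if self.accept_busy and self.line.active:
            return False
        if self.issue_busy:
            self.line.drivers.add(self.name)  # held until the passage is registered
        return True

    def passage_registered(self):
        self.line.drivers.discard(self.name)


def build(level2_accepts_busy=True):
    """Three controllers (street, level 1, level 2) wired to one Busy line."""
    line = BusyLine()
    readers = [
        Reader("street>ramp", line, True, True, True),
        Reader("ramp>street", line, False, False, False),
        Reader("level1>ramp", line, True, True, True),
        Reader("ramp>level1", line, False, False, False),
        Reader("level2>ramp", line, True, level2_accepts_busy, True),
        Reader("ramp>level2", line, False, False, False),
    ]
    return line, {r.name: r for r in readers}


def misconfigured(readers):
    """Readers whose BUSY parameters break the rule: both on for ramp entry, both off for exit."""
    return [r.name for r in readers.values()
            if (r.accept_busy, r.issue_busy) != (r.enters_ramp, r.enters_ramp)]


def simultaneous_entries(readers, order):
    """Present identifiers at the named readers in turn, with no passage completed
    in between, and return the readers that granted access."""
    return [name for name in order if readers[name].present()]


if __name__ == "__main__":
    _, ok = build()
    print(simultaneous_entries(ok, ["street>ramp", "level1>ramp", "level2>ramp"]))
    _, bad = build(level2_accepts_busy=False)
    print(misconfigured(bad), simultaneous_entries(bad, ["street>ramp", "level2>ramp"]))
```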


The “S2000-4” block can control access through one access point, where providing access in one direction requires the presentation of user IDs, and to provide access in the opposite direction, the “Exit” button is pressed. When using the access control functionality in the block, the first loop is used to connect the exit button and the passage sensor, and the first relay is allocated to control the locking device. “S2000-4” has access blocking functionality if any (or all) of the unit’s alarm loops are armed. You can control the arming and disarming of loops from the same reader and with the same identifier that is used to control the access control system. Since the block can only be used to organize a unidirectional access point without control of the direction of passage, you cannot configure an antipassback rule for it. The block supports double user identification mode.
The block supports up to 4096 user IDs, and the block event buffer is designed for 4088 events. Up to 16 time windows can be stored in memory.


When using inexpensive proximity cards (EM-Marine standard) or Touch Memory keys as identifiers, the security service or facility operation may encounter cases of cloning (copying) of identifiers by users. Reliable protection against card copying will be the use of specialized readers with the anti-clone function “Proxy-5MSG”, “Proxy-5MSB” and MIFARE standard cards (MIFARE Classic 1K (S50), MIFARE Classic 4K (S70), MIFARE Plus S 2K, MIFARE Plus S 4K, MIFARE Plus SE 1K, MIFARE Plus X 2K, MIFARE Plus X 4K).
In the first option, the factory unique card number will be used to identify the user, but the reader will transmit it only if authorization is successful. Authorization is carried out using a secret word written in a protected area of the card’s memory, which is checked by the reader.
In the second option, not the factory code of the card will be used as an identifier, but the code stored in its protected memory area. This code is written to the card directly at the facility.
The third option is similar to the second. The difference is that the card code, stored in a protected memory area, is additionally encrypted. This option is recommended for use with less secure MIFARE Classic cards.
Selecting the operating mode of the “Proxy-5MSG”, “Proxy-5MSB” readers and setting the parameters for working with protected sectors is carried out using a master card. To create master cards and user cards, the Proxy-5MS-USB reader and free SecurityCoder software are used.
The readers have a Dallas Touch Memory output interface and are compatible with all ISO Orion devices.


Just like the “S2000-4” block, the “S2000-BIOAccess-MA300”, “S2000-BIOAccess-F22”, “S2000-BIOAccess-SB101TC”, “S2000-BIOAccess-W2” controllers can control access through one access point; moreover, providing access in one direction requires the presentation of user identifiers, and to provide access in the opposite direction, the “Exit” button is pressed.
Fingerprints are used as the main user identifiers when working with “S2000-BIOAccess-MA300”, “S2000-BIOAccess-F22”, “S2000-BIOAccess-W2”. “S2000-BIOAccess-PA10”, along with a fingerprint reader, is equipped with a palm vein reader, and “S2000-BIOAccess-PA10” is equipped with cameras for identification based on the geometric characteristics of the face. Also, all controllers are equipped with a built-in proximity card reader and, with the exception of the S2000-BIOAccess-MA300, a keyboard for entering a password to provide access using a combination of any identifiers (biometrics, proximity card, password).
The controllers are connected to the system via an Ethernet network (TCP/IP). Since these devices can only be used to organize a unidirectional access point, you cannot configure an antipassback rule for them.

Attention! S2000-BIOAccess-W2 uses a new biometric data storage algorithm that is incompatible with other controllers. It makes sense to use it only in new systems that are not planned to be supplemented with controllers of other modifications.


Based on contactless keyboard “Proxy-Key” readers of various modifications, it is possible to implement the most cost-effective solution for access control through one point. Moreover, providing access in one direction requires the presentation of user identifiers, and to provide access in the opposite direction, the “Exit” button is pressed. Proximity cards or passwords are used as user identifiers. The products do not connect to the system via information interfaces and operate only in offline mode.
Readers support up to 1000 key codes or 8 passwords.


Combining several access controllers with an RS-485 interface into a unified ACS can provide the following advantages and new functions.

Network and zonal antipassback

If there is a network controller (S2000/S2000M console or automated workstation (AWS)), messages about passages through access points will be automatically relayed to all access controllers. Thus, the antipassback rule will be triggered for all access points that allow the identifier into the access zone in question. The described operating mode of the system is called “Network antipassback”.
The antipassback rule can be made more strict by setting the “Zonal antipassback” (“Route Control”) parameter in the access level. In this case, passes to any access zone are taken into account, and if an attempt is made to pass through one of the access controller readers, then to fulfill the antipassback rule it is required that the last registered pass was to the zone where this reader is located. That is, it is possible to move from zone to zone only in order - 0, 1, 2 and in reverse order.
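The three antipassback modes listed earlier (strict, temporary, soft) and the network and zonal variants described here can be expressed as one decision function over the last registered passage of each identifier. This is an added illustration, not the controller's firmware logic; the zone layout, reader names, and the treatment of unknown identifiers and undefined zones are assumptions, and the temporary-mode timeout is applied to route violations as well.

```python
from dataclasses import dataclass, field
from enum import Enum

UNDEFINED_ZONE = 65535  # page: zone number "not defined", used for walk-through doors


class Mode(Enum):
    STRICT = "strict"
    TEMPORARY = "temporary"
    SOFT = "soft"


@dataclass(frozen=True)
class Reader:
    name: str
    located_in: int  # zone the reader is installed in
    enters: int      # zone the reader admits into


@dataclass(frozen=True)
class AccessLevel:
    mode: Mode
    window_s: int = 0    # TEMPORARY mode: how long re-entry stays prohibited
    zonal: bool = False  # "Zonal antipassback" ("Route Control")


@dataclass
class NetworkAntipassback:
    """Last registered passage per identifier, shared by every reader (network mode)."""
    last: dict = field(default_factory=dict)  # identifier -> (zone, time)
    log: list = field(default_factory=list)   # recorded violations

    def present(self, ident, reader, level, now):
        """Return (granted, violation) for one presentation of an identifier."""
        if reader.enters == UNDEFINED_ZONE:
            return True, None  # assumption: no zone, so nothing to check or record
        violation = None
        if ident in self.last:  # assumption: an identifier never seen before is let in
            zone, when = self.last[ident]
            if zone == reader.enters:
                violation = "re-entry without exit"
            elif level.zonal and zone != reader.located_in:
                violation = "route violation"
            if (violation and level.mode is Mode.TEMPORARY
                    and now - when >= level.window_s):
                violation = None  # the prohibition has timed out
        granted = violation is None or level.mode is Mode.SOFT
        if violation:
            self.log.append((now, ident, reader.name, violation, granted))
        if granted:
            # assumption: the passage sensor confirms every granted access
            self.last[ident] = (reader.enters, now)
        return granted, violation


# Constructed site: zone 0 = street, 1 = office, 2 = server room.
MAIN = Reader("main-in", located_in=0, enters=1)
SIDE = Reader("side-in", located_in=0, enters=1)
EXIT = Reader("main-out", located_in=1, enters=0)
SERVER = Reader("server-in", located_in=1, enters=2)


def demo():
    acs = NetworkAntipassback()
    strict = AccessLevel(Mode.STRICT)
    results = [
        acs.present("card-A", MAIN, strict, 0),    # enters the office
        acs.present("card-A", SIDE, strict, 5),    # card passed back, tried at another door
        acs.present("card-A", EXIT, strict, 10),   # leaves to the street
        acs.present("card-A", SERVER, AccessLevel(Mode.STRICT, zonal=True), 15),
        acs.present("card-A", SERVER, strict, 20),  # same attempt without route control
        acs.present("card-B", MAIN, AccessLevel(Mode.SOFT), 0),
        acs.present("card-B", MAIN, AccessLevel(Mode.SOFT), 1),
    ]
    return results, acs.log


if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

In soft mode the log is the only trace of a violation, so the violation records are what reporting and alerting should be built on.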

Integration with security systems

To unblock escape routes in case of fire, the “S2000-2” device and the “S2000-4” block can be switched to open access mode by centralized commands via the RS-485 interface coming from the “S2000M” consoles or the workstation that controls the fire alarm. ACS readers can be used for remote centralized arming/disarming of alarm loops of other devices. In this case, the same identifier and reader can be used both for local access control and for centralized control of the security system.
The “S2000-BI” and “S2000-BKI” display blocks allow you to display the status of access points and readers controlled by the “S2000-2” and “S2000-4”: “Duress”, “Door hacked”, “Door locked”, “Door open”, “Door closed”, “Access open”, “Access closed”, “Access OK”.
The “S2000M” remote control can control the outputs of the BOD and relay units related to the fire alarm system upon the fact of breaking, blocking, opening and closing doors, as well as opening and blocking free access.

Centralized configuration. Event collection and processing

Often, even in small facilities with several access points, there is a need to add new identifiers or edit the powers of existing ones simultaneously in many access controllers. It is most convenient to perform these manipulations centrally, when you only need to carry out the adding/editing procedure once, and then write the new data to all devices. In addition, the functionality of generating reports on ACS events and calculating time worked is in demand. For these purposes, automated workstation (AWS) software is used.


The Orion ISO uses the following software to work with ACS: Uprog, BAProg, Orion Pro workstation. Uprog software allows you to freely configure the configuration parameters of the S2000-2 access controllers and the S2000-4 unit, namely:

  • operating mode, dual identification, access according to the two (three) person rule, number of the controlled access zone, interface type of connected readers, enable/disable the use of the passage sensor, blocking control, blocking timeout, etc.;
  • writing and editing access levels, time windows and user IDs in the controller memory.

BAProg software allows you to freely configure similar configuration parameters of biometric access controllers “S2000-BIOAccess-MA300”, “S2000-BIOAccess-F22”, “S2000-BIOAccess-PA10”, “S2000-BIOAccess-SB101TC”, “S2000-BIOAccess-W2”.
When using Uprog and BAProg, it is not possible to configure several devices at the same time. Thus, these programs are used only for the initial setup of devices. During subsequent operation, it is advisable to use Uprog and BAProg only for small systems (no more than 5 devices).

The Orion Pro automated workplace software allows you to implement the following:

  • accumulation of ACS events in the database (passes through access points; blocking and unblocking of access points; unauthorized attempts to pass, etc.);
  • creating a database for a protected object - adding ACS logical objects (access points and zones) to it and placing them on graphic plans of the premises, so that access can be granted centrally and the condition of these objects monitored;
  • formation of a user database - entering the details of employees and visitors, indicating for each person all required attributes (full name, information about affiliation with a company, division, work and home address and telephone number, etc.), as well as setting access rights (authorities to pass through access points, stay in the access zone). The Scanner software allows you to automate the entry of personal data of employees and visitors into the database by recognizing documents (passports, driver’s licenses, etc.);
  • creating a database for recording working hours - creating work schedules, as well as calculation rules for various employees;
  • polling and management of controllers connected to a PC, as well as integration with storage systems for keys, small items and electronic safes (Electronic Safe software);
  • group configuration of access controllers - centralized recording of time windows, access levels, user IDs into the device memory;
  • network antipassback operation;
  • configuration and operation of zonal antipassback;
  • displaying the state of ACS objects on graphic floor plans;
  • displaying information about the employee’s location accurate to the access zone;
  • displaying CCTV cameras, as well as managing the status of these cameras;
  • recording video at the command of the officer on duty, when a motion detector alarms, or according to a control scenario (for example, according to the event of granting access or an attempt at unauthorized passage);
  • thanks to the integration of the license plate recognition module into the Orion Pro video system, the video surveillance system can be used not only for photo and video verification, but also as an additional means of identification in the access control system: granting access through barriers upon successful recognition of the license plate (the “Orion Auto” system).

It is worth noting that the devices are physically connected to the system computer on which the Orion Pro “Operational Task” is installed. When organizing distributed systems, remote objects can connect to a single “Operational Task” via a local network using S2000-Ethernet converters. It is also possible to install an “Operational Task” directly at each remote object. The second option costs more, but it is preferable if photo verification is needed at remote objects (this function remains available even if the communication channel between objects fails).
It is recommended to connect no more than 500 S2000-2 devices to one operational task.
To enter user IDs into the database of the Orion Pro automated workplace, you can use USB readers: “Proxy-USB-MA” (for EM-Marin, HID and Mifare cards), “Proxy-5MS-USB” (to implement the “anti-clone” function) and “S2000-BioAccess-ZK9500” (for fingerprints of all biometric controllers with the exception of “S2000-BIOAccess-W2”).
Software modules can be distributed across computers arbitrarily: each module on a separate computer, any combination of modules on one computer, or all modules on one computer. The ISO Orion block diagram shows the number of workstations that can be used in the system.



The “S2000-2” controller, designed for access control in the ISO “Orion”, is powered by a low-voltage power supply (IE) with a voltage of 10.2 to 15 V; the biometric controllers “S2000-BIOAccess-MA300”, “S2000-BIOAccess-F22”, “S2000-BIOAccess-PA10”, “S2000-BIOAccess-SB101TC” and “S2000-BIOAccess-W2” are powered by an IE with a voltage of 9.6 to 14.4 V; and the “S2000-4” unit, which supports ACS functions, has a supply voltage range of 10.2 to 28.4 V, which allows the use of sources with a rated output voltage of 12 V or 24 V respectively (Fig. 36-40). A special place in the access control system can be occupied by a personal computer serving as the workstation of the duty operator or administrator. It is usually powered from the AC mains, with its supply backed by UPS-type sources.
To ensure the continuous execution of ACS tasks, it is advisable to implement a redundant power supply system using built-in RIP or external low-voltage batteries. The current regulatory document - GOST R 51241-2008 “Means and systems for access control and management” recommends that the IE have an indication that the battery is discharged below the permissible limit. At the same time, for stand-alone ACS systems, the discharge indication can be light or sound, and for networked systems, the battery discharge signal can be transmitted to the operator’s console. Distributed placement of equipment over a large facility, which is easily implemented in ISO “Orion” through the use of communication lines of the RS-485 interface, requires providing power to ACS devices (controllers, electromagnetic locks and electromechanical latches) at their installation sites. Depending on the size of the object, you may need from one IE to several dozen. There is a wide range of power supplies recommended for ACS.
In small systems, you can use RIP-12 version 11 (RIP-12-1/7P2) (output current 1 A, light indication of battery presence, charge and discharge). For systems with significant current consumption, the following are used:

  • RIP-12 isp.02, RIP-12 isp.04 with an output current of 2A.
  • RIP-12 isp.01 with an output current of 3A.

For network systems, with the transmission of messages about the state of the power supply to the operator console, you can use any RIP for fire automatics that has relay outputs, or a RIP with an RS-485 interface.

For the S2000-2 device and the S2000-4 unit, the following recommendations should be taken into account. The electromagnetic lock (latch) can be powered from the same power source as the controller, or from a separate power source. When powered from one source, the controller's power supply circuit and the lock's supply circuit must be made of different pairs of wires, which are combined only at the terminals of the power supply. If the readers have a current consumption of more than 100 mA or they are located at a long distance from the controller (100 m or more), then to power the reader it is necessary to use a separate pair of wires going directly to the power source. If the reader is powered from a separate power source, then the “GND” contact (negative power circuit of the reader) must be connected to the “GND” (for “S2000-2”) or “0V” (for “S2000-4”) contact of the device.
For free-standing controllers it is convenient to use “RIP-12 isp.20”. With a rated output current of 1 A, this RIP is capable of delivering up to 1.5 A to the load for a long time. A design feature of this RIP is its “two tiers”: the power supply module is attached to the rear of the case, and above it, on special U-shaped brackets, the selected device (for example, “S2000-2” or “S2000-4”) is placed and fixed with screws; its functionality is not limited in any way (see figure).

A 12 V battery with a capacity of 7 Ah is installed in the lower part of the case. Placing it inside the access controller will save on installation work and further maintenance.
Network access control systems may also require reliable power supply to communicators, modems, and splitters. For these purposes, you can effectively use RIP-24 isp.06, converter modules MP isp.02 and a switching protection unit BZK. The ability to install rechargeable batteries with a capacity of 2x40 Ah in the RIP-24 isp.06 multiplies the operating time of the system in the absence of mains voltage compared to other power supplies. The MP isp.02 module converts the 24 V voltage to the required level: 3.3; 5; 7.5; 9; 12 V. The UPC protects each power bus separately, i.e. a malfunction in one of the devices will not affect the performance of the remaining equipment.

An access control and management system (abbr. ACS) is a set of technical devices and software combined into a single system for monitoring and managing entry/exit points at a facility. ACS is popular among enterprises and companies that maintain a comprehensive security regime and do not want to see strangers on their territory. In order not to beat around the bush, let's take a closer look at access control and management systems: their operating principles, design and types.

Purpose and properties of the system

The purpose of the access control system is based on 3 pillars:

  1. Control over the movement of personnel/visitors and control of entrance to the premises using an electronic key card with personal identification.
  2. Organization of security of the premises/complex. The access control and management system can be supplemented with fire or GSM alarms, video surveillance cameras, and sensors.
  3. Personnel working time tracking. The device records the time of arrival/departure of employees at the site.

The system consists of elements that perform their functions and tasks.

Table 1 - ACS elements, their purpose and properties

| Element | Purpose and properties |
|---|---|
| Controller | Processes the information transmitted from the identifier key. After processing the signal, it denies or allows passage through the access point. To block the passage, additional devices, as well as sound and indicator warnings, can be used. Controllers operate on the same network; access control and management occurs on the server side. |
| Identifier | System identification element: card; electronic key; PIN code; key fob; fingerprint scanning; retinal data scanning, etc. All information about employees is entered beforehand and stored in a database on the server. You can assign access to employees according to the hierarchy of your structure (access level). |
| Reader | The transmitter used to send information from the identifier to the controller. |
| Access point | An object that performs a security function. It can take the form of: a turnstile; a door; a barrier; a gate, etc. |
| Access area | A control system object divided into several access points. These points can be in one place (turnstile and barrier for the passage of personnel and equipment) or spread throughout the entire territory of the structure. Zones and points exchange information and work together. They can calculate working hours and, if necessary, prohibit re-entry. |
| Access level | A requirement for access points that prohibits or allows the passage of personnel on an individual basis. It can be used both with a hierarchy of personnel (so that a subordinate cannot enter the boss’s office without an invitation) and when entry is allowed to only one of several rooms (for example, until he leaves one zone, entry into the second is prohibited). |
| Software | The “brain” of the system, through which all hardware ACS solutions are monitored and controlled using a set of commands. |

Principle of operation

An automated access control system can use various technical solutions and have several operating principles that influence the choice of system installation.

ACS is divided into:

  1. Simple - classic set with access control and management.
  2. Extended - with a ban on repeated passage, simultaneous entry through an access point for 2 or more employees, two-step identification, closed and open modes, passage with confirmation.

Table 2 - types of system operation with examples of actions

| Type | Sequence of actions |
|---|---|
| Standard | An employee/guest at the access point brings the key to the reader; the controller processes the information and sends the necessary signal to allow/prohibit passage, and also stores information on the server about the identity and time of the operation. |
| Re-entry prohibited | Used in cases where the key card must not be usable in a second access zone while its holder is still in the current one. You can set the following modes: full - passage is impossible; temporary - passage is limited for a time; soft - passage is possible, but an entry appears in the log about the fact of violation. |
| Simultaneous entry through an access point for 2 or more employees | Two employees are at the access point; one brings the key to the reader, followed by the second; the controller processes the information and confirms entry (if the access level of both employees is sufficient) or denies it (if at least one has a limited access level to the object). |
| Passage with confirmation | The employee brings the key card to the reader; the information is processed and an entry request signal is sent to a second employee or manager/security guard; the security guard presses the button and the first employee is allowed access to the facility. |
| Double (triple, etc.) identification | The employee brings the card to the reader and then brings his palm to the scanner; access to the object is allowed/denied accordingly. |
| Closed access mode | Used in cases where it is necessary to block access to all objects or a specific group of objects. E.g.: a fraudster used your employee’s card and entered the forbidden territory; the security guard noticed the movement of a suspicious person and blocked further movement through the territory through access points. |
| Open access mode | Used in cases where it is necessary to provide free passage through an access point. For example, a tour of 15 people came to the enterprise. So that not everyone has to pass through the turnstile with a key, the security guard temporarily “opens” the access point. |
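The three re-entry prohibition modes from Table 2 (full, temporary, soft) can be compared side by side with a small zone-tracking model. This is an added illustration, not code from any ACS product: the class names, zone names, card ID and the 10-minute timeout are assumptions, and "temporary" is modelled here as a refusal that lifts once the timeout has elapsed since the card's last granted passage.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Mode(Enum):
    FULL = "full"            # violation: passage is refused
    TEMPORARY = "temporary"  # violation: refused until a timeout has passed
    SOFT = "soft"            # violation: passage allowed, violation logged


@dataclass(frozen=True)
class AccessPoint:
    name: str
    from_zone: str  # zone the card holder must be in to use this reader
    to_zone: str    # zone the card holder is in after passing


@dataclass
class AntipassbackController:
    mode: Mode
    timeout: timedelta = timedelta(minutes=10)      # assumed value, TEMPORARY only
    zone_of: dict = field(default_factory=dict)     # card -> current zone
    last_grant: dict = field(default_factory=dict)  # card -> time of last passage
    log: list = field(default_factory=list)         # (time, card, point, result)

    def request(self, card: str, point: AccessPoint, now: datetime) -> str:
        # A card that has never been seen is assumed to be outside the site.
        current = self.zone_of.get(card, "outside")
        violation = current != point.from_zone
        if not violation:
            result = "granted"
        elif self.mode is Mode.FULL:
            result = "denied"
        elif self.mode is Mode.TEMPORARY:
            last = self.last_grant.get(card)
            waited = last is None or now - last >= self.timeout
            result = "granted" if waited else "denied"
        else:  # Mode.SOFT
            result = "granted_with_violation"
        if result != "denied":
            self.zone_of[card] = point.to_zone
            self.last_grant[card] = now
        # Every decision is logged, so violations can be reported later.
        self.log.append((now, card, point.name, result))
        return result


# Constructed sample site: one bidirectional turnstile between two zones.
ENTRY = AccessPoint("turnstile-in", from_zone="outside", to_zone="office")
EXIT = AccessPoint("turnstile-out", from_zone="office", to_zone="outside")


def replay(mode: Mode) -> list:
    """Replay one constructed pass-back scenario under the given mode."""
    t0 = datetime(2024, 1, 15, 9, 0)
    ctl = AntipassbackController(mode)
    steps = [
        ("card-A", ENTRY, t0),                          # normal entry
        ("card-A", ENTRY, t0 + timedelta(minutes=1)),   # card handed back, reused
        ("card-A", ENTRY, t0 + timedelta(minutes=11)),  # reused after the timeout
        ("card-A", EXIT, t0 + timedelta(hours=8)),      # normal exit
    ]
    return [ctl.request(card, point, when) for card, point, when in steps]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, replay(mode))
```

In soft mode the pass-back is never blocked, so the log is the only control: the value of that mode depends on someone actually reviewing the recorded violations.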

Types of access control

The system is divided into 3 types:

  1. autonomous;
  2. network;
  3. wireless.

An autonomous system implies the presence of a single controller that communicates directly with access points and readers, without access to remote servers. But even in autonomous access control systems, which are used in small premises, at least a minimal database is required.


Network ACS implies the presence of several controllers connected to each other (or separately using a server). It is used in large enterprises and is a common solution among access management and control systems. The requirements for networked access control systems are higher than for standalone ones, so advanced solutions are offered to improve control and security indicators.


The principle of operation of a wireless access control system is the same as that of a network one, with the only difference that there is no need to run installation wires to the system elements. But having eliminated one problem, you can stumble upon the next one: possible loss of the channel when transmitting data. Today, the SALTO company (the only one that offers a full-fledged wireless access control solution) has solved the problem of data loss using a secure channel.


Conclusion

ACS come with basic and advanced technical solutions. The choice of system depends on the kind and type of work, and on the wishes of the client. Autonomous systems have a simple base, are easy to maintain and are inexpensive. Installation and maintenance of network and wireless solutions are much more expensive. Information about system actions is recorded in a protocol and stored in a database. For enterprises, it is recommended to use access control systems together with fire alarms and video surveillance.

There is currently a fairly large selection of access control and management systems on the Russian market, both foreign and Russian made. At the annual “Security Technologies” forum, there are usually several dozen Western brands alone. The number of Russian manufacturers has currently exceeded one hundred. Under these conditions, choosing the optimal ACS model is very problematic.

What basic parameters should be used to evaluate access control systems from different manufacturers? For this purpose, it is most appropriate to use such a characteristic as the cost of a specific manufacturer’s system to implement standard or identical functions.

Why do we need ACS systems?

The abbreviation ACS (Access Control and Management System) actually hides a device (or a set of devices) that operates on the principle of a smart lock on your door, at the entrance to an office building or to a warehouse, in general, “on site.” An access control system is needed if you are faced with the need to solve the following problems or a combination of them:

  • Recording of entries and exits of personnel and/or visitors
  • Monitoring the time spent on site (for example, recording working hours)
  • Access control within an object depending on the powers of the subject

Access control and management system functions

Access control:

  • By facility. For each employee it is determined which premises he has the right to enter, as well as whether he has the right to arm and disarm the premises;
  • By status. Access cards are issued to employees depending on the rights assigned to them;
  • By time. Each employee is given an individual access schedule to the facility; the access control and management system supports multi-shift work modes, sliding schedules and a holiday calendar.
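The three criteria above (premises, card rights, time) combine into one default-deny decision. The sketch below is an added example, not vendor code: the access levels, card numbers, access point names and holiday date are constructed, and it assumes a night-shift window is attributed to the day on which it starts, which is the edge case multi-shift schedules introduce.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class TimeWindow:
    start_days: frozenset      # weekdays on which the window may start (Monday=0)
    start: time
    end: time                  # end <= start means the window runs past midnight
    on_holidays: bool = False  # whether the window is also valid on holidays

    def contains(self, moment: datetime, holidays: set) -> bool:
        overnight = self.end <= self.start
        # An overnight window that started yesterday may still be open now.
        start_dates = [moment.date()]
        if overnight:
            start_dates.append(moment.date() - timedelta(days=1))
        for day in start_dates:
            if day.weekday() not in self.start_days:
                continue
            if day in holidays and not self.on_holidays:
                continue
            begin = datetime.combine(day, self.start)
            finish = datetime.combine(day, self.end)
            if overnight:
                finish += timedelta(days=1)
            if begin <= moment < finish:
                return True
        return False


# Constructed sample configuration (all names and values are assumptions).
WEEKDAYS = frozenset(range(5))
DAY_SHIFT = TimeWindow(WEEKDAYS, time(8, 0), time(18, 0))
NIGHT_SHIFT = TimeWindow(WEEKDAYS, time(22, 0), time(6, 0))
ALWAYS = TimeWindow(frozenset(range(7)), time(0, 0), time(0, 0), on_holidays=True)

# Access level -> access point -> time windows in which passage is allowed.
ACCESS_LEVELS = {
    "office-staff": {"main-entrance": [DAY_SHIFT], "office-door": [DAY_SHIFT]},
    "warehouse-night": {"main-entrance": [NIGHT_SHIFT],
                        "warehouse-gate": [NIGHT_SHIFT]},
    "security": {"main-entrance": [ALWAYS], "office-door": [ALWAYS],
                 "warehouse-gate": [ALWAYS], "server-room": [ALWAYS]},
}
CARDS = {"0001A": "office-staff", "0002B": "warehouse-night", "0003C": "security"}
HOLIDAYS = {date(2024, 1, 1)}


def decide(card: str, point: str, moment: datetime) -> tuple:
    """Return (granted, reason); anything not explicitly allowed is denied."""
    level = CARDS.get(card)
    if level is None:
        return False, "unknown identifier"
    windows = ACCESS_LEVELS[level].get(point)
    if windows is None:
        return False, "no rights for this access point"
    if not any(w.contains(moment, HOLIDAYS) for w in windows):
        return False, "outside time window"
    return True, "access granted"


if __name__ == "__main__":
    print(decide("0001A", "office-door", datetime(2024, 1, 16, 9, 0)))
    print(decide("0002B", "warehouse-gate", datetime(2024, 1, 20, 2, 0)))
    print(decide("0001A", "office-door", datetime(2024, 1, 1, 9, 0)))
```

The reason string is what ends up in the event log, so keeping "unknown identifier", "no rights" and "outside time window" distinct makes later review of unauthorized attempts far easier.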

Working time tracking:

  • Time of arrival and departure of each employee;
  • Time of presence at the workplace;
  • Being late;
  • Premature departures.

Security system mode:

  • In the event of emergency situations, the ability to arm the premises. The access control and management system will issue an alarm; all events related to the alarm are recorded by the system.

Enhanced access control (multi-level identification system):

  • Video identification mode (the image of the person presenting the card is compared with the reference image of the cardholder stored in the access control and management system);
  • “Entry under duress” mode - hidden issuance of an alarm signal, invisible to others;
  • Access on the “card + PIN code entry” basis;
  • Access with two cards - entry is possible only for two people presenting their cards together;
  • Access with additional selective security control (timed or random).

Re-entry prohibition:

  • The access control and management system supports the Antipassback function, or re-entry prohibition: system functionality that prevents two employees from passing on one card, or passing without using a card.

Issuing a visitor pass:

  • To enter the protected facility, the visitor receives a temporary access card. When leaving the facility, the visitor returns the card, and it can be used for re-issuance;
  • To ensure that the guest card is not accidentally taken away by the visitor, it is recommended to use a card reader in the ACS system. Until the guest card is inserted into the card reader, the exit will be blocked;
  • All information is stored in an offline database, from where you can get a report on visitors.

ACS is a set of software and hardware tools and organizational and methodological measures that solves the problem of monitoring and managing visits to individual rooms and territories, as well as operational control of the movement of personnel and the time they spend on the territory of the facility.

In fact, ACS, being a hardware and software complex of technical security means, becomes an important structural component of the personnel movement control system. The block diagram of a simple access control system is shown in Fig. 1.

Fig.1 Block diagram of ACS

In general, an ACS may include the following elements:

  • actuators (locks, turnstiles, gateways);
  • electronic identifiers (plastic cards, “electronic tablets” and other devices);
  • readers (plastic cards and other electronic identifiers);
  • personal code (PIN) input devices;
  • biometric personal identification devices;
  • control devices for actuators (controllers, concentrators);
  • equipment for interfacing the local ACS network with a computer;
  • system administrator software.

The basis of any system is concentrator blocks with connected identification key readers, security sensors and electromechanical locking devices (locks, barriers, turnstiles).

Controller – this is the main part of the access control system. It is the controller that decides whether or not to let a person through a given door. ACS actuator controllers are complex electronic devices that can be implemented as separate units or built into the body of the corresponding actuator. The controller stores identifier codes in its memory with a list of access rights for each.

In addition to exchanging information with ACS concentrators via communication lines, the following is carried out: analysis of information received from electronic identifier reading devices, PIN code input devices and biometric identifiers, issuing, on the basis of this analysis, control signals for unlocking (locking) actuators; monitoring the status of actuators (open or closed); storage of a movement log in non-volatile RAM; registration of unauthorized access attempts. It is important that the controller can operate even in the event of a power failure and has a backup power source.

According to the control method, ACS controllers are divided into three classes: autonomous, centralized (networked) and combined:

  • Autonomous controllers. A fully self-contained device, designed to serve, as a rule, one access point without transmitting information to the central console and without operator control. There are many variations: controllers combined with a reader, controllers built into an electromagnetic lock, and so on. Standalone controllers are designed to accommodate a wide variety of reader types. Typically, standalone controllers are designed to serve a small number of users, usually up to five hundred.
    Autonomous systems are cheaper, easier to operate (often installing and configuring such a system is accessible even to a not very trained person), and in terms of efficiency they are sometimes no worse than network ones. But they cannot create reports and transmit information on events, and they cannot be controlled remotely. At the same time, autonomous systems do not require laying hundreds of meters of cable, interface devices with a computer, or the computer itself.
  • Network controllers. A term denoting the ability of controllers to operate on a network under computer control. In this case, the decision-making functions fall on a personal computer with specialized software installed. Network controllers are used to create access control systems of any complexity. In this case, the administration receives a great number of additional features. In addition to simply allowing or denying passage, you usually have the following options:
    • receiving a report on the presence or absence of employees at work;
    • you have the opportunity to almost instantly find out exactly where the employee is;
    • you have the opportunity to keep an automatic time sheet;
    • you have the opportunity to get a report on who went where for almost any period of time;
    • you can create a time schedule for the passage of employees, i.e. who can go where and at what time;
    • you get the opportunity to maintain an employee database (electronic file cabinet), in which you enter all the necessary information about employees, including their photographs;
    • the operator can quickly control system devices - remotely lock the locks or open them (for example, in case of fire)
    • and many many others. That is, there is always the opportunity to fulfill the most exotic wishes of the owner of the access control system.
    In such a system, all controllers are connected to each other via a computer. Network systems are used to manage multiple access points (checkpoints, office premises, high-security premises, outdoor facilities). The unit cost of one access point in a network system is always higher than in an autonomous one. However, networked systems are indispensable for large facilities, since managing dozens of doors on which autonomous systems are installed becomes a very big problem.
  • Combined controllers. These combine the functions of networked and standalone controllers. If there is a connection with the control computer (online), the controllers operate as network devices; if there is no connection, they operate as autonomous devices.

In these systems, computer control by the operator takes priority over the controller's own. The modular construction principle allows you to design and expand the access control system depending on current needs. It is possible to select exactly those system functions that are needed today and add certain options as needed. The versatility of the ACS involves ensuring the operation of a network of ACS actuators using universal interfaces. Important for the universality of the access control system is its ability to interact with fire and burglar alarm systems, security television, perimeter security and the life support of the facility; to differentiate access to information resources at the logical and hardware-software levels; to use a single electronic identifier throughout the entire protected object and a single database of the facility security administrator; and to output alarm information in a unified form to the administrator’s computer in real time (integrated systems).

ACS architecture

Network controllers, as their name suggests, are networked. And this, oddly enough, can be done in different ways! Moreover, the method of integration is influenced both by the design principle of the controllers themselves and by the system software. Let's look at this in a little more detail...

Network Rank

Networks can be peer-to-peer (single-level) or multi-rank (multi-level), where the number of levels rarely exceeds two. A peer-to-peer network has a single bus (if it is extended by repeaters or splitters, this does not count). In a peer-to-peer network, all its nodes (in our case, access controllers) have equal rights. Among the popular representatives of this family are Northern Computers, Kantech, Parsec and most other systems, including those made in Russia.

Disadvantages of peer-to-peer networking:

  • The need to have a complete database in each controller (list of users, their rights, and so on). Given the modern cost of semiconductor memory, this, admittedly, is practically irrelevant.
  • The impossibility of implementing some global functions that require the interconnected operation of several controllers (for example, global “anti-passback” - prohibition of repeated passage). This drawback occurs only in networks where the computer is the master, that is, information exchange occurs only on its initiative. Strictly speaking, taking into account the computer, such a network is already multi-rank. Most modern access control systems have exactly this architecture. If the controller network operates on the principle of random access, there is no disadvantage.

Advantages:

  • Maximum “survivability” of the network, since each controller has everything necessary for autonomous operation when the computer is turned off (“frozen”) or the network is damaged. For security systems this is a significant factor.

Multi-rank controller networks.

In a two-rank network there is a leading, or “master” controller, which coordinates the work of “slave” controllers that actually control one or more access points. The most famous representative in Russia is the Apollo system.

Disadvantages of a multi-rank network:

  • Disruption of system operation when the connection between the master controller and slave controllers is damaged, since a significant part of the information and algorithms are the prerogative of the master controller.
  • Increase in cost of small systems due to the high cost of the master controller (due to its obvious redundancy).

Advantages:

  • Centralized memory for databases, which is of little importance today (see above).
  • Implementation of all functions even when the computer is turned off.
  • Gain in the cost of one access point for medium and large system sizes.

Controllers with Ethernet bus

An increasing number of ACS manufacturers are advertising controllers that can directly connect to a computer network (usually an Ethernet network). Is it good?

Firstly, such controllers are usually more expensive than controllers with the RS-485 interface standard for systems. Secondly, you will need a significant increase in the number of network (computer) equipment - hub, switch, and so on, which will further increase the cost of the system.

But in rare cases, controllers with such an interface have an obvious advantage: if it is impossible to lay an RS-485 network between remote areas of your facility, but there is a computer network (for example, between remote checkpoints and the main building), then such a checkpoint can be included in the access control system without an additional computer.

An Ethernet-based controller network is redundant in both cost and performance. Judge for yourself: why do you need a transmission speed of 10, and even more so 100 megabits where, at best, once a second an event occurs, the description of which takes a couple of tens of bytes? But... if the controller's database is several tens of thousands of people and it needs to be completely reloaded, then, of course, Ethernet is better...

ACS identifiers

Any access control system has some identifier (key), which serves to determine the rights of the person who owns it. The following can be used as electronic identifiers in ACS: barcode, magnetic or smart (smart cards) plastic cards; “electronic tablets” (Touch Memory); Wiegand cards, where the information carrier is the material from which they are made; remote reading cards (proximity) emitting a radio signal. In addition, a code typed on a keyboard, as well as a number of biometric characteristics of a person, can be used as an identifier.

An access card or ID key fob can be given to another person, stolen or copied, and the code can be spied on. More reliable from this point of view b imetric authentication devices. They provide identification of employees and visitors by comparing certain individual biological parameters of the person with the parameters stored in their memory and providing information about the identification result to the actuator controller. However, it is possible to easily fake some biometric features (fingerprints are the most easily reproducible), so in organizations that require a high level of security, several identifiers are used simultaneously - for example, a card and a code, a fingerprint and a card or code. Today, cards with a high level of security are issued (powerful cryptography schemes are used), where the encryption keys can be assigned by the user himself.


(from the English touch memory is sometimes found in English contact memory or English iButton) - a class of electronic devices that have a single-wire protocol for exchanging information with them (1-Wire), and are placed in a standard metal case (usually shaped like a “tablet”). The code information is written into the memory of this circuit. The device is activated at the moment of contact with the reader. Read and write operations are performed almost instantly during contact. Reading time – 0.1 sec. Some models allow you to enter user information. The advantages are compactness, high resistance to mechanical damage, corrosion, temperature changes and low cost (comparable to the cost of cards with a magnetic stripe). The small size allows you to attach the contact memory to almost any medium - product, card, key fob.

A barcode card is a plate with black stripes (bars) printed on it. The code information is contained in the varying width of the bars and the distance between them. The code from such a card is read by an optical reader. On a magnetic card, code information is recorded on a magnetic stripe. A barcode can easily be obscured by dirt, and a magnetic card is easily scratched in a pocket.

A perforated card is a plate (plastic or metal). Code information is applied to a perforated card in the form of holes arranged in a certain order. The code from the cards is read by mechanical or optical readers.

The code information on a Wiegand card is contained in thin metal wires arranged in a certain way and fixed with special glue. Information from the card is read by an electromagnetic reader.

Proximity technologies have a lot of advantages - much greater reliability and durability compared to other identification methods, lack of a power source (in passive cards). The proximity reader constantly sends a radio signal. When a card enters the reader’s coverage area, it receives its radiation and in response sends a signal containing a code written on the chip. The distance between the reader and the card depends on the power of the reader and varies from 5 cm to several meters. The absence of mechanical contact during operation allows you to make identifiers of any shape (even in the form of a nail), the identifier can be implanted into an identification object. The advantages are the difficulty of counterfeiting and the possibility of using cryptographic algorithms (encryption).

In the literature, another name for this technology is sometimes used: radio frequency identification and registration of objects (RFID systems). They also identify an object using a unique digital code emitted by an electronic transponder tag attached to the object. Both active (powered by a built-in battery) and passive transponders are used. Transponders are available with different types of memory organization: RO (Read Only) transponders, containing a unique code recorded at the factory; R/W (Read Write) transponders, into which the code is entered by the user; multi-page transponders with a user memory of up to 1 kB; and transponders whose memory is protected by a “floating” code. Systems differ in the carrier frequency of the signals used, the type of modulation, the radio communication protocol, and the amount of information returned by the transponder.

Currently, there are three main frequency ranges in which RFID systems operate:

  1. Low frequency range (up to 150 kHz). The disadvantages of low-frequency RFID systems are the low radio transmission speed and the complexity of manufacturing highly inductive transponder antennas. The low exchange rate does not allow the reader to distinguish between several transponders simultaneously located in the field of its antenna.
  2. Mid-frequency range (13.56 MHz). The system's exchange range is about 50 cm and allows you to identify up to 30 transponders simultaneously located in the reader's antenna field per second.
  3. High frequency range (850–950 MHz and 2.4–5 GHz). Used to identify objects moving at speeds of up to 200 km/h at fairly large distances (10–15 m). Long ranges of high-frequency RFID systems are achieved through the use of highly directional reader antennas and high powers of the request signal. The cost of such systems is significantly higher.

A smart card is a plastic card that has a built-in microcontroller with all its attributes (processor, RAM, non-volatile memory with a file system, input/output facilities, additional coprocessors). The main advantages of smart cards are a large amount of memory and high protection of information against attempts to modify and duplicate it. The disadvantage is the high cost. Smart cards are standard equipment for the relevant automated systems and can be integrated quite simply into almost any system.

PIN code. The carrier of code information is human memory. The user autonomously types a code on the keyboard and thereby gives a signal to the actuator.

Biometric identification systems are the most effective, since they recognize not physical media, but the signs or characteristics of the person himself (unique personal information). Access and information security systems based on such technologies are not only the most reliable, but also the most user-friendly today. All biometric devices have specific software and hardware requirements. In any authentication system, users must first be registered. Many biometric systems allow users to do this themselves.

Human fingerprints (papillary patterns) are of particular interest as a source of information for personal identification due to unique individual characteristics. The percentage of denied access to authorized users is less than 0.000001.

Currently, there are several practically used systems that have a reaction time of 1–3 s and are based on approximately the same approaches to recognition, but differ in a number of parameters. There are two fundamental algorithms for fingerprint recognition: by individual details (characteristic points) and by the relief of the entire surface of the finger, as well as a combination of these algorithms. Fingerprint access control systems use algorithmic solutions to distinguish a “living” finger from a “dead” one, such as determining the temperature of the applied finger, tracking over time the dynamics of sweating on the surface of the skin of the finger and the nature of the deformation of the pattern of papillary lines on the scanner window. Fingerprint readers cause some discomfort in people, although modern fingerprint readers do not store fingerprints themselves, but only a certain mathematical model of them, from which the fingerprint is not reconstructed.

Facial thermography – identification of a person based on the arrangement of the blood vessels of the face (similarly, recognition occurs based on the pattern of veins on the arm). In terms of reliability and time required for the entire identification procedure, this method is comparable to fingerprinting. Facial thermography is based on research showing that the veins and arteries of each person's face create a unique temperature map. A specially designed infrared camera allows you to scan information for fixed areas of the face. The result of the scan - a thermogram - is a unique characteristic of a person. The system allows identification even when a person is at the other end of an unlit room. The accuracy of the thermogram is not affected by high body temperature, cooling of the facial skin in frosty weather, or natural aging of the human body. The system provides recognition accuracy close to 100%, regardless of the use of special masks or even plastic surgery, since a thermogram is a diagram of the location of internal blood vessels.

There are four other facial recognition methods:

  • analyzing grayscale images for distinctive facial characteristics;
  • analysis of distinctive features (the method is adapted to changes in facial expressions);
  • analysis based on neural networks, which compares “special points” and is capable of identifying faces in difficult conditions;
  • automatic processing of facial images based on identifying distances and distance ratios between easily identified features of a person’s face.

A system of automatic identification and tracking of persons through television cameras is built on these four principles. The system's capabilities allow you to record images of faces based on the best angle found during the capture process. Based on the received video signal, special algorithms are used to process the image to identify faces. A photo library of faces is compiled and stored in the archive. You can search the database of faces by time and date.

The technology for identifying a person by hand shape is based on the analysis of a three-dimensional image of the hand. This method is not highly reliable, which is due, first of all, to the great variability of the shape of the hand both during a person’s life and over relatively short periods. A less significant drawback is the relatively large size of the receiving device (its minimum dimension in the plane cannot be smaller than the hand, and it is more than 20 cm in height). One advantage of this method is the small size of the mathematical “portrait” of the hand (only 9 kB).

Identification by voice characteristics is more often used in security systems to control access to information. It is usually done by saying a passphrase. Voice identification is a convenient method, but not as reliable as other biometric methods.

The main difficulty in identifying a person by voice is the wide variety of manifestations of one person’s voice: it can change depending on mood, health, age and much more. Another serious problem in the practical application of personal identification by voice is taking the noise component into account.

The person's signature. Identification of a person by his signature is a reliable method of biometric personal identification, but recognition procedures still look cumbersome and clearly inconvenient to use. Signature identification devices mostly use special pens, pressure-sensitive tablets, or a combination of both. So far they have not come into serious use, and they are very rarely used.

Iris and retina. In terms of the reliability of the identification procedure, this method is comparable to fingerprinting. The scanning device is essentially a high-quality television camera. A pattern of iris spots is found on the surface of the eye. A video image of the eye can be scanned from a distance of about a meter. Such devices are still very expensive. Retinal scanning is performed using a low-intensity infrared beam directed through the pupil to the blood vessels at the back of the eye. In this case, the image of the iris must be clear at the back of the eye, so cataracts may adversely affect the quality of the iris image. With age, the location of spots on the iris can change, and quite dramatically. A negative identification error can occur with even the slightest injury to the eye, or because of insomnia or increased eye strain.

Fragments of genetic code. None of the personal characteristics of a person listed above can compare in reliability of recognition with papillary finger patterns. Their only “competitor” is the human genetic code. However, practical identification methods based on the unique individual characteristics of fragments of the genetic code are currently rarely used due to their complexity, high cost and the inability to ensure system operation in real time.

Biometric readers are still very expensive, although the cost of various scanners has come down significantly in recent years. In addition, they have a relatively long identification time (for a large flow of people this may be unacceptable). All biometric readers are not designed for outdoor use.

The rate of correct identification in various systems is expressed by the reliability coefficient. The reliability coefficient shows the probability of errors, which can be of the first and second types.

An error of the first type (FRR, False Rejection Rate) is the rate of erroneous refusals to a client with access rights. An error of the second type (FAR, False Acceptance Rate) is the probability of mistakenly identifying someone else as one’s own. In some systems it is possible to adjust the sensitivity threshold. This allows you to configure them in accordance with security requirements. But an increase in the sensitivity of the system is accompanied by an increase in identification time and an increase in the likelihood of a false refusal.
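The trade-off between the two error types can be seen by sweeping the sensitivity threshold over a set of match scores. The following is an added example, not code from the original page: the scores are constructed, the "grant if score >= threshold" rule is an assumption about how a reader applies its threshold, and `combine_and` assumes the errors of two identifiers used together (for example a fingerprint and a code) are independent.

```python
from bisect import bisect_left

# Constructed similarity scores (0-100, higher = closer to the stored template).
# Illustrative values only, not measurements from any real reader.
GENUINE = [62, 71, 74, 78, 80, 83, 85, 88, 90, 93, 95, 97]   # rightful owners
IMPOSTOR = [12, 18, 25, 31, 36, 40, 44, 52, 58, 66, 73, 81]  # other people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when access is granted for score >= threshold."""
    g, i = sorted(genuine), sorted(impostor)
    false_rejects = bisect_left(g, threshold)            # genuine scores below threshold
    false_accepts = len(i) - bisect_left(i, threshold)   # impostor scores at or above it
    return false_rejects / len(g), false_accepts / len(i)


def equal_error_threshold(thresholds=range(0, 101)):
    """Threshold where FRR and FAR are closest (the first one on a tie)."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def threshold_for_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR it costs."""
    for t in thresholds:
        frr, far = rates(t)
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold in range meets the FAR requirement")


def combine_and(first, second):
    """(FRR, FAR) when BOTH identifiers must pass, assuming independent errors."""
    (frr1, far1), (frr2, far2) = first, second
    return 1 - (1 - frr1) * (1 - frr2), far1 * far2


if __name__ == "__main__":
    for t in (60, 72, 82):
        frr, far = rates(t)
        print(f"threshold {t}: FRR={frr:.3f} FAR={far:.3f}")
    print("equal-error threshold:", equal_error_threshold())
    print("threshold and FRR for FAR = 0:", threshold_for_far(0.0))
    code = (0.02, 0.001)   # constructed (FRR, FAR) for a keyed-in code
    print("fingerprint at 72 AND code:", combine_and(rates(72), code))
```

Requiring both identifiers multiplies the false acceptance rates but adds to the false rejections, which is the price of the multi-identifier schemes used at high-security sites.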

A reader is a device designed to read special code information stored in an identifier and transmit it in the form of a predetermined signal to the controller. Readers can be manual, stationary and stationary automatic, connected to the system.

Depending on the operating principles of the identifier, the technology for reading the code also changes.

The reader must be separated from the controller so that the circuits through which the lock can be opened are inaccessible from the outside. It is preferable to use the reader in a vandal-proof version. The most vandal-resistant are contactless card readers.

Passage point. An obstacle (barrier) equipped with a reader and an actuator. The access point can be either fully controlled or controlled at the entrance only. In the first case, the passage is equipped with two readers, at the entrance and at the exit. In the second case it has only a reader at the entrance, and exit is free or uses the RTE button.

RTE button. The "RTE" (Request To Exit) button is used to force the crossing of the passage point, i.e., in other words, to open the actuator. In this case, the fact of opening is recorded in the controller’s memory, but who exactly passed through is unknown. Such buttons are installed to ensure unhindered exit from the premises.

ACS actuators

Locks. If the task of the access control system is to limit the passage through regular doors, then the actuator will be an electrically controlled lock or latch. Here you can use remote-type readers with a long reading distance.

Electric strikes are inexpensive and easy to install on almost all doors. They are recommended for use where the likelihood of break-in is minimal (doors inside the office). Doors equipped with an electric latch are usually locked with a mechanical key at night. Electric strikes can be voltage-opened (that is, the door will open when power is applied to the lock) or voltage-closed. The latter open as soon as the supply voltage is removed from them. All doors used for escape in the event of fire must be equipped with voltage-closed locking devices.

Electric locks are divided into electromechanical and electromagnetic.


Electromechanical locks come in many different types. This is a fairly burglar-resistant kind of lock. In addition to the electrical circuit, electromechanical locks contain mechanics similar to those of a conventional lock. This type of lock can be opened in three ways: with keys, with a mechanical button located on the lock body, or with an electrical signal. These locks can be overhead or mortise. One disadvantage is the presence of rubbing parts. Most locks have a mechanical reset, which means that if an opening pulse is applied to the lock, the door will remain unlocked until it is opened and closed again.


Electromagnetic locks are essentially a powerful electromagnet. They are relatively inexpensive and easy to install. To close the lock, voltage is constantly supplied to it; opening is done by turning off the power (the locks are suitable for installation on escape routes in case of fire). The disadvantage is that the lock requires constant power to keep it closed. It is recommended to use a door closer in combination with such locks.

Turnstiles. There are two main designs: waist-high and full-height. The operating principle of all turnstiles is approximately the same. The user presents the identifier to the reader, and if the identifier is valid, the turnstile is unlocked. The turnstile allows only one person to pass through with one card. Bar rotation sensors record passages through the turnstile and ensure correct recording of working hours in the access control system. Waist-high turnstiles should be installed only in an area under constant surveillance by the security service, since such devices are easy to jump over or crawl under, and objects can be thrown over them. Turnstiles can be equipped with alarms that are triggered by attempts to bypass or jump over them. IR barriers, weight-sensitive sensors, etc. are used for this.

Tripod turnstiles are the most popular and widespread type of turnstile and the most affordable compact device. The design is based on three rotating barrier bars; only one person can be between the bars at a time. There are two main types of tripods: mounted and stationary. The majority of models are electromechanical. Once passage is permitted, the drive is unlocked and the user must manually rotate the bars to the locked position. There are models of turnstiles in which the bar is rotated by a built-in motor. Today, turnstiles with “breakable” bars are produced for possible quick evacuation in case of an emergency.


Rotary turnstiles can be half-height or full-height. They provide a greater degree of security than a tripod or a gate, but also require more space for installation. The principle of operation is simple: three or four rotating blades are attached to the column, the user pushes the barrier bars in the permitted direction, then the electric drive is turned on, and after a person passes, the turnstile automatically rotates to the closed position. To ensure free movement in any direction, a free passage mode can be set.

When installing rotary turnstiles, a problem arises with passing oversized cargo through them. Therefore, when installing rotary turnstiles, additional passages should be provided. Such passages are also required by fire safety rules. The turnstiles can be retrofitted with a metal detector, a weighing panel, an internal additional means of identification, and a reinforced blocker.


Subway turnstiles have the largest capacity, but they are very bulky. Models are produced with different types of door leaves, different housing designs and different door-opening technologies. Such structures can be either normally open or normally closed. The photocell system allows you to track the direction of the user’s passage and open (close) the doors depending on the situation.

A gate is usually a partitioning bar (for example, in the form of a door), which must be pushed when passing. There are different types of gates, from a mechanical one, locked with a key or simply working only as an exit, to a gate with an electric motor, capable of opening at a given angle and closing independently after a delay time or after the photocell is triggered. When using them, it is easy to create the “normally open” mode. A motorized gate opens automatically either from the security guard's console or from a visitor identification device. But it also provides a low level of protection for the protected object.

When equipping passageways with turnstiles of various types, it often turns out that the passage area is not completely blocked and there is a need to install additional barriers. Now we offer modular fencing made in the same design as turnstiles of various models and easily integrated with them. The fence posts have a shock-resistant and wear-resistant coating. It is possible to attach readers of all types to fences.

One of the main characteristics of access control and management systems is the throughput of turnstiles. It depends on three time parameters: the time the person takes to present the identification device; the time taken by the access control and management system to read the code and process the request; and the operating time of the actuator. Throughput is approximately 15–20 people per minute for three-bar turnstiles and 11–16 for rotary turnstiles.

Airlock cabins (gateways) are classified as blocking-type barrier devices. They are used in enterprises with enhanced security requirements. In gateway mode, the turnstile can be stopped in an intermediate position, blocking the user's movement in order to request additional identification confirmation. Some companies produce models with an integrated weighing platform, which makes it possible to check that only one person passes at a time. In this case, the ACS can compare the current weight of the user who presented the card and entered the controlled segment with information from the database.

The entire range of models of airlock cabins can be divided into automatic and semi-automatic airlocks. In automatic gateways, doors are opened and closed using various electromechanical actuators controlled by gateway logic. Semi-automatic gateways use conventional swing doors, opened manually and closed with closers.

Cabins with revolving doors are also manufactured; they combine the features of full-height turnstiles and automatic gateways.

Gates and barriers are most often used at entrances to enterprises and in car parks. For this purpose, ACS includes special vehicle identifiers, readers for installation under the road surface, and remote readers. The main requirement is resistance to climatic conditions and the ability to control from the ACS controller.

Classification of ACS by consumers

Small system consumers. Traditional consumers of small systems are small offices, retail enterprises and so on. Today, a new consumer has emerged among them - educational institutions, which are characterized by the use of access control systems in two main modes. Firstly, this is personal identification. This mode requires the installation of two readers for registration - at the entrance and at the exit. When a visitor presents a card, a photograph and brief information about the card holder appear on the monitor of the security post. Identification of the individual and the decision to allow passage are made by the duty officer of the security post. This mode is usually used in educational institutions with small flows of people.

Secondly, control and restriction of passage. In this mode, one or two tripod-type turnstiles are installed at the entrance. Typically, inexpensive turnstiles from domestic companies or “budget” models from foreign manufacturers are used. Passage through the turnstiles in both directions is possible upon presentation of a legitimate card. This mode is usually used in educational institutions with high traffic volumes. As a rule, in this case, CCTV cameras are installed above the turnstiles. In both modes, Prox cards are used for access, which are supplied to all employees and students of the educational institution. At such facilities, ACS is most often used without integration with other security systems and the main control is carried out at one (main) entrance. If integration is carried out, then, as a rule, with television surveillance systems.

Other features common to small systems are:

  • installation of access control equipment on the doors of all premises in the service area;
  • installation of dual technology readers on the doors separating the client area from the service area to increase the level of security.

Consumers of mid-level systems. One of the trends characteristic of traditional consumers of medium-sized access control systems (office buildings of large companies, business centers, wholesale trade enterprises, supermarkets, etc.) is the close integration of access control systems with a security alarm system (OS). The functioning of the access control system and the OS is closely interconnected, and at some facilities equipment for this purpose is installed from one manufacturer with full hardware compatibility. OS detectors in rooms equipped with access control means are connected in this case as follows:

  • to the ACS controllers themselves, equipped with resistive inputs;
  • to additional OS inputs on ACS interface modules;
  • to the inputs of security alarm panels connected to a single central ACS and OS controller.

At the same time, it is quite common to use access control systems and operating systems from different manufacturers with integration at the software level, which makes it possible to connect equipment already installed at the site to a single control center. This solution is more flexible, but less reliable in terms of stability of subsystem communication. For the user, the integration of ACS and OS means the ability to arm and disarm premises by presenting the user's Prox cards on dedicated arming and disarming readers installed on the floors, or using dedicated Prox cards on access control readers to the premises.

This scheme is especially convenient for business centers: the tenant independently arms/disarms their premises, while the duty officer at the central post controls this process in real time, and the access control database records who armed or disarmed the premises and when. Another trend in the consumer market for mid-level systems is the mandatory connection with fire alarm and building control systems at least at the level of dry contacts to unblock escape routes in emergency situations. To prevent the deliberate use of fire alarm system signals for the purpose of uncontrolled entry into the building, the unlocking of doors on evacuation routes of fire zones is controlled by the security service.

The next trend is the use of the capabilities of the access control subsystem to organize control of the reverse movement of employees' vehicles in parking lots.

And finally, the widespread use of ACS capabilities to control the movement of vehicles in underground parking lots. A request to enter or exit from the underground parking floor is generated by placing the car on the induction loop and presenting the driver's Prox card on the reader. Depending on the priority set for a given user, a route for the vehicle to pass is organized using traffic lights and demarcation devices. As a rule, to control traffic in underground parking lots, long-range readers from HID or INDALA and equipment for regulating vehicle access - barriers, gate drives, etc. are used. To prevent a break into the building, a lift-type hydraulic blocker can be installed at the entrance. The use of Radio-Frequency Identification (RFID) technology for identifying vehicles when managing traffic in parking lots has not yet found wide application. This is explained by the customer’s reluctance to have two cards on hand (for himself and for the car) or to install additional equipment on the bottom of the car. However, interest in such systems is growing, as is the volume of their purchases, despite the high price.

Some manufacturers of RFID transport systems offer interesting solutions based on integration with classic Prox technologies from well-known global manufacturers. These are dual technology cards, as well as specialized devices that allow you to transmit the code of standard passive Prox cards over long distances (up to 15 m).

Consumers of top-level systems. In the market of traditional consumers of large access control systems (large corporations with branches in one or several cities, powerful manufacturing companies, airline and transport companies with a distributed network of ticket sales and passenger service offices, etc.), a number of trends can also be identified. One of them is the construction of integrated security systems based on access control systems, combining into a single complex subsystems that allow solving various problems in the field of technical security equipment. The central part of such integrated systems is the software core, which provides logical integration and control of all subsystems:

  • maintaining a unified log of events for all subsystems;
  • processing any events of all subsystems;
  • programming reactions to events through a scripting language;
  • setting complex algorithms for interaction of subsystems.

Another trend is the use of a distributed, customizable network architecture when building an integrated security system. The operation of the system does not depend on the location of objects; all objects interact at the kernel level. Changes to the configuration are made without stopping or restarting the system, that is, automatically at all objects via communication channels. In case of temporary communication failure, changes are made immediately after the communication channel is restored. Large consumers are also characterized by the use of dual technology readers and cards (Prox or Smart card plus fingerprint) in access control systems, and by increased requirements for the operational and technical parameters of the actuating equipment that restricts passage and for its appearance.

Characteristics of network controllers

Basic characteristics

Let us immediately make a reservation that for multi-rank networks all the arguments look somewhat different than those given below. But, given the small number of such access control systems, this will not be a significant omission.

We will include the basic quantitative characteristics, such as:

  • Number of supported access points
  • Event Buffer Volume

Number of access points

Many years of practice have suggested an optimal solution, expressed in the ratio: one network controller per two access points. Why is this so? Because then such common resources as a housing and a power supply with a battery are required in smaller quantities. Controllers serving a larger number of doors exist, but in small quantities. Why?

Because a 4–5 A power supply with redundancy is already quite expensive.

The cost of communications between the controller and the doors begins to become significant. In addition, if the doors are located far from each other, then laying the lock's power wire becomes a problem - with current consumption of about an ampere on ordinary wires, up to half of the power may “disappear”, and the lock will stop working.

From a technical point of view, a single-door controller is ideal, since this ensures maximum system survivability and minimizes wiring. But, if we take into account the economic aspect, then two doors are optimal.

User database size

This characteristic is determined solely by the number of people who will walk through the most intense point of passage (the classic case is a factory entrance). When choosing a system, compare this characteristic of the system under consideration with your prospects for the next 5 years, and you will receive your requirements for this parameter.

With a controller serving more than one access point, it is naturally necessary to take into account the total traffic through all access points, taking into account the intersection of these sets.

Event Buffer Volume

This characteristic determines how long your network system can operate when the computer is turned off (frozen, burned out) without losing information about events. For example, for an office with about 20 employees, an event buffer volume of 1000 may be enough for up to a week. And for a factory entrance, through which 3,000 people pass, a buffer for 10,000 events is hardly enough for a day.

But is it really possible to talk about a serious corporate system in which the security system cannot “revive” the computer within 24 hours?

The most “advanced” controllers make it possible, when configuring the system, to redistribute the total amount of memory between the user and event databases.
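What a full event buffer means for the audit trail can be shown with a small model of a controller that keeps deciding locally while the computer is down. This is an added example, not code from the original page or from any controller vendor: the class names, the "oldest event is overwritten" policy, the per-event sequence number and the passes-per-day figures are all assumptions made for illustration.

```python
from collections import deque

GRANTED, DENIED, RTE = "granted", "denied", "rte-open"


class Controller:
    """Makes local access decisions and keeps events until the host collects them."""

    def __init__(self, rights, buffer_size):
        self.rights = rights                      # identifier code -> set of access points
        self.events = deque(maxlen=buffer_size)   # assumption: the oldest event is overwritten
        self.next_seq = 0                         # running number of every event ever logged

    def _log(self, point, kind, code):
        self.events.append((self.next_seq, point, kind, code))
        self.next_seq += 1

    def present(self, point, code):
        """Identifier shown to a reader: check rights, log the event, decide."""
        allowed = point in self.rights.get(code, ())
        self._log(point, GRANTED if allowed else DENIED, code)
        return allowed

    def request_to_exit(self, point):
        """RTE button: the opening is recorded, but nobody is identified."""
        self._log(point, RTE, None)

    def drain(self):
        """Hand the buffered events to the host and empty the buffer."""
        batch = list(self.events)
        self.events.clear()
        return batch


class Host:
    """Software side: stores events and notices holes in the numbering."""

    def __init__(self):
        self.log, self.expected_seq, self.missing = [], 0, 0

    def collect(self, controller):
        batch = controller.drain()
        if batch:
            self.missing += batch[0][0] - self.expected_seq   # overwritten before upload
            self.expected_seq = batch[-1][0] + 1
            self.log.extend(batch)
        return len(batch)


def outage(people, passes_per_day, days, buffer_size):
    """Run one entrance with the host offline; return (stored, lost, denials kept)."""
    rights = {code: {"entrance"} for code in range(1, people + 1)}
    ctrl, host = Controller(rights, buffer_size), Host()
    ctrl.present("entrance", 999_999)   # unknown card tried just after the host went down
    for _ in range(days):
        for _ in range(passes_per_day):
            for code in rights:
                ctrl.present("entrance", code)
    host.collect(ctrl)
    denials_kept = sum(1 for event in host.log if event[2] == DENIED)
    return len(host.log), host.missing, denials_kept


if __name__ == "__main__":
    # Constructed load figures: 4 passes per person per day at the factory, 6 in the office.
    print("factory, 1 day, buffer 10000:", outage(3000, 4, 1, 10_000))
    print("office, 7 days, buffer 1000: ", outage(20, 6, 7, 1000))
```

In the factory run the buffer wraps and the earliest events, including the denied attempt, are gone by the time the host reconnects; the gap in sequence numbers is the only evidence that anything was lost.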


Do you need an access control and management system (ACS) in Moscow or the region? Order an access control and management system (ACS) from ASIS! We install only equipment that has been proven by time and tested by dozens of clients. From us you can order automated access control systems using fingerprints, cards and other systems.

An access control and management system (ACS) is a set of devices that provide controlled entry and exit of people to the territory using a fingerprint or cards, as well as protection against unauthorized entry. Such solutions are often used in business centers, administrative buildings, enterprises and other facilities with constant movement of people and vehicles. An access control and management system (ACS) is one of the best steps to ensure security.

Among the services we provide

We provide comprehensive services for working with access control systems, including:
  • Installation of access control and management systems (ACS)
  • Repair, connection and configuration of access control systems (ACS)
  • Maintenance of access control systems (ACS)
  • Design of access control and management systems (ACS)
  • Prices for access control and management systems (ACS)

How does an access control and management system (ACS) work?

Persons visiting the protected area are given a special card or key fob with a code that is read by the access control and management system (ACS). Obtaining a key is possible only after registering its owner. Personal data and photos of an employee or guest are entered into an electronic card, which is placed in the database.

After the reader reads the key, the information is sent to the controller, which queries the database. The database returns the necessary information about the card owner and their permissions, after which the controller issues the appropriate command, for example:

  • permission to open the door;
  • access denial;
  • alarm activation, etc.

All actions are saved in the history of the access control system. There you can find out who used the access control system, what operations were performed, at what time, and so on.

Components of automated access control and management systems

An access control and management system (ACS) includes several devices that provide access control to a premises or yard.

There are four main components, namely:

  • Controller
    It can be standalone or networked. The first is used to restrict the movement of persons at one checkpoint, and the second is used to create a system that includes a large number of entrances;
  • Key
    Two types of keys are used: a contactless card and a key fob chip. The first type is more often used for access control and management systems installed in enterprises, and the second - in apartment buildings. Control can also be carried out using a fingerprint or palm print;
  • Reader
    Devices are classified by the type of key used;
  • Executor
    The access control and management system can be equipped with electromechanical, electromagnetic locks and latches. In special cases, an airlock chamber may be used. The simplest and cheapest option is a turnstile.

Price of access control and management system (ACS)

The cost of automated access control and management systems varies. It may depend on a number of factors, in particular:
  • type of system and its devices;
  • number of system components (locks, readers, keys);
  • availability of a time and attendance system and other functions.

The ASIS company will help provide access control and management at any enterprise, business center or residential building in Moscow and the Moscow region. We offer solutions for various objects and with a diverse set of options. Thanks to this, you will always find a suitable option. You can calculate the cost of installation using the calculator on the company’s website. ASIS works for your safety!

An access control and management system (ACS) is a set of software and hardware equipment to ensure safe access to a protected area. ACS devices allow you to track working hours, control the movement of personnel around the territory, and also perform personal identification using digital identifiers or biometric data.

The access control system can be integrated with the general security complex, and. Access control equipment includes many devices, each aimed at providing security.

Main elements of an access control system:

  • is the main device of the ACS. It performs visitor identification, access control, data monitoring and control of barrier equipment. It can be autonomous and work with one access point, or networked with several;
  • designed to recognize encoded information from the media and transmit it to the controller. The media used are cards of Touch Memory, Em-marine, HID, Indala, Proximity and other formats;
  • represents a device for storing information and making it available for recognition by a reader. Identifiers are electronic keys, contactless cards, key fobs, bracelets or biometric data;
  • entry point or restriction device. This is a lock, barrier, turnstile, gate, electronic checkpoint or other fencing;
  • designed to open a passage without an access card;
  • allows you to centrally manage controllers, view the database, differentiate rights and configure ACS parameters.

There are special technical requirements and methods for classifying ACS; they are described in more detail in GOST R 51241-2008.

Selecting an access control and management system

When designing a complex, it is necessary to take into account several main factors, including: the location of the access control system, the number of users and intensity of use, the possibility of integration with other security systems.

From our trading company you can buy ACS equipment from the manufacturers PERCo, CAME, Nice, FAAC, DoorHan, Parsec and IronLogic. All devices comply with standards and have quality certificates. The price of an ACS depends on the configuration, functionality, and the difficulty of installation and programming. Our company also provides services for installation, configuration and installation of software.