EP1818874A1

EP1818874A1 - Remote monitoring system for a security lock

Info

Publication number: EP1818874A1
Application number: EP06121858A
Authority: EP
Inventors: Alan Bullock; Michael Cripps; Stefan Nellen; Clare Easterling; Philip Marsden
Original assignee: Insafe International Ltd
Current assignee: Insafe International Ltd
Priority date: 2005-10-05
Filing date: 2006-10-05
Publication date: 2007-08-15
Also published as: GB0520160D0

Abstract

A remote control, monitoring and recording system for a security system to remove control from the site of the door to an off-site location, and to help prevent unauthorised access to a safe or vault.

Description

The present invention relates to a remote control, monitoring and recording system for electronic locks, and in particular electronic combination locks.
It is commonly known to provide a number of devices such as keylocks, mechanical combination locks and digital electronic locks for use in securing vault and safe doors.
Keylocks and mechanical combination locks are considered to be "single user" locks i.e. only a single key or code is available to open the lock and therefore only one person is required to operate it. Such systems are not considered to be particularly secure and require frequent replacement of the lock or changes to the code to prevent unauthorised access. To overcome this problem, two keylocks are typically fitted, such that two people, or one member from each of two groups, are required to open a door which is protected in such a manner. Additionally keylocks can be added to enhance security further. This may result in a number of people having a key or combination code.
Another problem associated with keylocks and mechanical combination locks is that they are not auditable. That is to say, there is no automatic record or history of lock operation. Therefore, in such systems it is impossible to track who is opening or has opened the lock, at what time the opening occurred and for what length of time the lock remained open. This presents a considerable security risk.
Digital electronic locks generally have the capacity for handling multiple codes so that a number of different users can each be a code holder, each having their own unique code. Whenever a code is input, the lock is accessed, closed or reset, or the combination is changed an 'event' noting the specific function, time and personal access code used, along with other possibilities, may be recorded in the lock memory. As a result, these events are capable of being audited. However, auditing can only be used to monitor events retrospectively and requires a printer or laptop computer to be physically plugged into the lock to provide a record of the event history. Typically, only the last few hundred events may be recorded. Therefore, when the memory capacity of the lock has been reached, the oldest event will be lost each time a new event is recorded.
A feature of the aforementioned locking systems is that it is possible for the key or code holders to open the lock(s) even if a breach of security, such as a hold-up or hostage situation, occurs. Under such circumstances, under threats of physical harm the vault or safe can be opened by entry of a slightly different "duress" version of the normal multidigit access code, whereupon a secret alarm signal is transmitted to a remote station, alerting to the forced entry condition. If such a situation occurs, the vault or safe door will still open.
A problem associated with conventional locking systems is that they are locally controlled and, for convenience, to avoid having to unlock and relock the doors frequently, users often tend to leave the doors open and unmonitored for long periods. An additional problem is that there is no accountability for keys, codes and operation.
In highly sensitive security environments, it is desirable to be able to monitor the status of combination locks, specifically electronic combination locks, from a remotely located central monitoring station. In order to control access to the lock and to control and restrict entry to the safe or vault, it is desirable to remotely monitor the lock status i.e. whether it is in an open, closed or locked state. It is also desirable to monitor and authorise or prevent access to, and the use of, an input pad, keypad or dial for gaining access to the vault/safe. It is further desirable to control any modification of the lock access codes.
If an authorised individual with an authorised combination has uncontrolled access to the lock, it is possible for that individual to open the lock, re-set the combination, and close the lock without any control or supervision. Furthermore, it might be possible for the unauthorised operator to change the combination. However, it is desired that the lock is conditioned to allow only a change of the combination when authorisation of any such change is received from the remotely located central Area Control Centre (AAC), prior to any actual alteration taking place. However, it is preferable that the changes to the lock combination are directly implemented from the ACC itself. Through monitoring the operation and status of the lock remote from the site of installation, it is possible to take necessary action when unauthorised persons attempt to breach the lock security. Accordingly, monitoring of the system would allow security personnel located in the ACC to respond appropriately should the monitoring system indicate that the lock is being operated at an unexpected time or under unexpected circumstances.
The present invention seeks to overcome at least some of these problems and provide a remote control, monitoring and recording system to remove control from the site of the door to an off-site location, creating a break in the chain of operation. Such a break creates an added level or layer of security to help prevent unauthorised access to a safe or vault. All users of the security system including those operating the safe door and those monitoring the system and the operators at the Area Control Centre will have individual codes and will therefore be accountable, and their actions auditable.
An advantage of the system according to the present invention is that there is no requirement for significant modification of existing lock hardware as standard interfaces can be used. Therefore, the present system can be used in conjunction with existing security arrangements and hardware systems. A further feature of the present system is that control and monitoring of multiple secure doors at a single site can be achieved through a single local control centre (LCC), and that several thousand LCCs can be controlled and monitored by a single ACC. For example, at the present state of technology the described system will have the capacity to control and monitor up to 127 doors per LCC; 4,294,967,296 LCCs per ACC; and therefore 545,460,846,592 doors at the same time. However, in practice a typical system is likely to have a maximum of around 20 doors per LCC and around 200 LCCs per ACC. Since the system utilises modern Internet Protocol (IP) network communication, the control and monitoring of doors around the whole world can be achieved. In the event that connection is lost between an LCC and the ACC the system defaults to "shut-down" mode. If connection is lost whilst the vault is open a timeout will disable all pending authorisations automatically. The LCC will then buffer all events into its internal log files, and after connection is re-established these data will be automatically synchronized.
In accordance with a first aspect of the invention, there is provided an apparatus for remotely controlling, monitoring and recording access to an electronic lock system, wherein the apparatus comprises:

(i) an electronic lock for a safe or vault door, the electronic lock comprising a lock enable/disable unit, a power supply and ground signal;
(ii) a plurality of electrical conductors;
(iii) at least one remote input/output (I/O) module connectable to the safe or vault door and having a power supply and ground signal;
(iv) a Local Control Centre comprising an embedded computer implementing a monitoring program, a power supply and ground signal; and
(v) an Area Control Centre comprising a computer monitoring system and a connection to said Local Control Centre,

According to a second aspect of the invention there is provided an apparatus for remotely controlling, monitoring and recording access to an electronic lock system, wherein the apparatus comprises:

(i) an electronic lock for a safe or vault door, the electronic lock comprising a lock enable/disable unit, a power supply and ground signal;
(ii) a plurality of electrical conductors;
(iii) at least one remote input/output (I/O) module connectable to the safe or vault door and having a power supply and ground signal; and
(iv) an Area Control Centre comprising a computer monitoring system,

This arrangement may be preferable in systems in which only a single door requires remote monitoring as it requires that every vault door has its own Ethernet or network connection.
Suitably, the Internet Protocol tunnelling via an intranet is over an Ethernet.
Suitably, the safe or vault door comprises a second input/output module for internal event-logging in the lock.
Preferably, the apparatus comprises a heartbeat for system monitoring which periodically surveys all connected I/O modules. Preferably, the remote I/O modules automatically switch to a default state in which authorisation is disabled in the event that the system heartbeat fails.
Suitably, the apparatus comprises a watchdog mechanism. Preferably, the watchdog mechanism comprises a hardware timer that is continually updated and reset whilst the operating system is running normally, and in which the operating system is rebooted and the event logged in response to a system failure in which the operating system is unable to reset the timer. Suitably, the system must be reconfigured before the system hardware and watchdog mechanism can be re-enabled in the event that an attempt is made to disable the watchdog mechanism. Suitably, the LCC hardware comprises an integrated watchdog mechanism.
In accordance with a third aspect of the invention, there is provided a method for remotely controlling, monitoring and recording access to an electronic lock system, as described above, wherein the method comprises:

(i) contacting the area control office to request activation of the lock keypad, in which a contact is established by an onsite authorised user;
(ii) identification of the authorised user by an operator at the area control centre;
(iii) enabling of the keypad by the operator for input of an authorised user can input his access code;
(iv) inputting of an authorised user access code;
(v) retracting the boltwork for the door if the access code is correct,
(vi) opening the lock;
(vii) disabling the lock keypad automatically after a predetermined time or by an operator at the ACC;
(viii) sending an alerting signal to the ACC if there is any activity at the door subsequent to stop (vii); and
(ix) sounding an alarm if the doors are left open for too long.

Preferably, the authorised user is identified by closed circuit television.
Suitably, the system defaults to a shut-down mode in the event that connection is lost between an LCC and the ACC. Preferably, a timeout will disable all pending automatically authorisations if connection is lost whilst the vault or safe door is open. Preferably, the LCC buffers all events into an internal log files, and upon re-connection these data are automatically synchronized.
The present invention also provides a safe and a vault door comprising an apparatus as described above.
The above and other aspects of the present invention will now be illustrated in further detail, by way of example only, with reference to the accompanying drawings in which:

Figure 1a: is a system structure overview of an embodiment of the present invention;
Figure 1b: is an alternative system structure overview of an embodiment of the present invention;
Figure 2: is a detailed schematic representation of the vault door connections of Figure 1;
Figure 3: is a detailed schematic representation of connections to a remote input/output module of Figure 1;
Figure 4: is a detailed schematic representation of the connections associated with a Local Control Centre of the embodiment of Figure 1;
Figure 5: illustrates an RS485 Bus which links a plurality of remote I/O modules to a Local Control Centre according to the embodiment of Figure 1;
Figure 6: is an information flow diagram from the remote control centre to the electronic lock;
Figure 7: is a logic control flow diagram of the "heartbeat function" between a Local Control Centre and the remote Area Control Centre;
Figure 8: is a logic control flow diagram of the "heartbeat function" between a Local Control Centre and a remote input/output module;
Figure 9: is a logic control flow diagram for the "watchdog mechanism"; and
Figure 10: is a logic control flow diagram between a Local Control Centre and a remote input/output module.

Referring to Figure 1a, an overview of a security system according to the present invention is illustrated in which the system comprises four levels of security. The first layer, as illustrated in greater detail in Figure 2, comprises a vault door fitted with a digital electronic lock and a series of microswitches for monitoring the door and lock positioning and status. The digital lock has a conventional audit facility which is used to monitor the lock activity. Standard interfaces are used which enable the present system to be implemented alongside existing security systems, and also used in relation to a wide variety different digital electronic lock systems. The microswitches and a Ground Signal link the first layer to the second layer.
Figure 1b, is an alternative overview of a security system according to the present invention (doors are omitted for clarity) in which the Local Control Centre of Figure 1 (LCC), discussed below in relation to Figure 4, and alternative monitoring and control means in the form of a Telnet Client or internet web browser may be used for management of the security system.
The second layer as shown in Figure 3, comprises a remote input/output (I/O) module located within the vault or the vault door itself. Each module is connected to a single door and connection is made through six wires linked to the microswitches and two additional wires for enabling/disabling the lock by a relay (from the first layer). Two further wires link the module to a DC power supply. Additionally, in instances where internal event logging of the lock itself is required, a second remote input/output module with a single serial interface is also fitted. All information concerning events and hardware status from the locks and microswitches pass through the dedicated I/O module and is sent to the Local Control Centre of the third security layer.
Figure 4 illustrates the third layer of security and comprises the Local Control Centre (LCC). The LCC is connected to each I/O module through an isolated differential signaling integrated circuit such as a duplex RS485 bus, and can be linked up to a maximum of 255 doors and I/O modules. However, when online logging is used this figure is cut to 127 because remote serial input modules utilise the other half of the address range. Only one LCC is required for each particular site and this collects all data concerning events occurring at the doors from all connected remote I/O modules.
Connection of multiple I/O modules to a LCC is through a RS485 Bus and is illustrated in Figure 5. In the RS485 bus each signal uses one twisted-pair (TP) line which comprises two wires twisted around themselves. The RS485 bus is ideally suited for multipoint communications, in which many devices may be connected to a single signal cable, akin to an Ethernet network, and the balanced differential signal transmission of this system is less prone to interference, compared with other similar systems. Such a system has a transfer rate of around 2.5 MB/s system and allows a cable length of up to 1200 meters to be used.
Most RS485 systems use Master/Slave architecture, in which each slave unit has a unique address and only responds to information packets or telegrams addressed to the particular slave unit. These packets may also include a system heartbeat for system monitoring and are generated by the Master (e.g. LCC), which periodically surveys all connected slave units (e.g. I/O modules). If the system heartbeat fails, the remote I/O modules automatically switch to their default state in which authorisation is disabled.
As indicated above, the status of each bolt system/lock is monitored by the LCC through a number of microswitches which continually report their status through the system heartbeat. Every vault door is connected to at least one remote I/O module for processing digital inputs and outputs received from microswitches located on the door. The inputs are decoupled and driven by a 24V voltage. The outputs are connected by a Type A relay i.e. not opened as in a standard operation. If online-logging is used, a second remote I/O module is required and is connected to the serial line of the vault door's option box. This enables the remote I/O modules to communicate with the LCC via a double-wired standard bus, such as an ISO 8462 or Electronics Industry Association (EIA) RS485 bus. The LCC is hosted by an embedded ucLinux system, although it will also be recognized that other systems, such as standard UNIX systems and the Microsoft Windows product family could be used. The data collected from the microswitches is then reported to the ACC and subsequently used to update and monitor the LCC status.
The fourth and final layer of the security system, as seen in the hierarchy of Figure 1, is the Area Control Centre (ACC). This is a centrally manned operations office, located at an independent site, and comprises a computer network linked to all contracting LCCs by an Ethernet link (TCP/IP protocol) to monitor all LCC activity. The system also utilises a standard internet connection as a back-up in case of an Ethernet failure. A local or national security firm will typically operate the ACC, although the described system is also capable of operating on an international scale.
In Figure 6 the information flow from the operator in a remote central area control centre down to the vault door of the branch and vice versa is shown. In this process, the operator enables (or disables) the lock of the vault door within a graphical user interface (GUI). The GUI then sends this command to the ACC, which then repeats the command to the LCC within its heartbeat telegram (discussed below in relation to Figure 7). Upon receiving this command the LCC updates the output of the remote I/O module to enable or disable authorisation of the lock. The status of the I/O module is then updated and the LCC reads all input and output settings of the I/O module to retrieve the status of the lock bolts and authorisation system. At the same time the online logging of the lock system is read to check for any discrepancies such as incorrect code input or failures etc. This status information is then relayed to the ACC through the system heartbeat and the ACC records are updated, and the information displayed on the GUI for viewing by the operator.
Figure 7 illustrates the communication principle between the remote Area Control Centre and a Local Control Centre that is locally embedded in the vault or vault door, with communication being conducted using a standard User Datagram Protocol (UDP) over an internet protocol (IP). The internet protocol provides for transmitting blocks of data called datagrams or telegrams from sources to destinations, where sources and destinations are hosts identified by fixed length addresses. The internet protocol also provides for fragmentation and reassembly of long telegrams, if necessary, for transmission through "small packet" networks. The present system provides a heartbeat that is periodically sent from the ACC to constantly update the system status. The heartbeat works by sending out a telegram from the ACC, which is picked up by the various components of the system which then return or echo the heartbeat back to the ACC. All telegrams are packed within a single UDP packet. If this link between ACC and LCC is interrupted either because a response to the heartbeat fails to be received or responded to, or if the operator has forgotten to disable a code authorisation at the on-site door, the LCC will disable the authorisation automatically and will not allow access to the system until the heartbeat monitoring system registers a normal system status.
Communication between the LCC and remote input/output (I/O) modules is also guarded by the above described heartbeat mechanism, as illustrated in Figure 8.
In addition to the heartbeat monitoring system, the LCC hardware has an integrated "watchdog mechanism". The watchdog mechanism is a hardware timer that is continually updated and reset as long as the operating system is running normally. If the system fails to do this and hangs, the operating system is no longer able to reset the timer. As a result, the timer will expire which results in an automatic externally initiated reset in which the operating system is rebooted, with the debug information being displayed on a system console at the ACC (Figure 9). The hardware watchdog mechanism is enabled by default. If an attempt is made to disable the watchdog mechanism, the system must be configured before the system hardware and watchdog mechanism can be re-enabled. The hardware watchdog mechanism also serves as an initial safeguard against system hacking.
Figure 10 illustrates the communication cycle within the LCC link to all connected remote input/output modules.
In use, before a lock of a vault door can be opened it is necessary for a code input keypad at the site of the door to be activated, since the input pad is disabled by default. To enable the keypad the authorised users must contact an operator at the ACC to request the enabling of the lock input keypad. The operator at the ACC will activate a window on their display screen which will show the particular site details, including the last ~ 0 to 20 events on the door (although the system will record many more events) and the enable/disable buttons. Closed circuit television (CCTV), or other suitable identification means is then used to identify the authorised users and if the operator at the ACC is happy that the users are not under duress, the input pad is enabled. If the operator at the ACC is not happy with the situation at the door, depending upon the circumstance, they have the option to either enable the lock and contact the police (in cases of duress) or not to enable the lock if, for instance, an authorised user is acting suspiciously.
In a situation where the user incorrectly inputs a code in the keypad, the online-logging reports this event to the LCC. The LCC, in turn, forwards this information to the ACC for event-logging and also for display on the graphical user interface.
In the event the wires to the remote I/O modules are cut, the remote I/O modules automatically switch to their default state in which authorisation is disabled. The same effect results if the power line is cut.
As described above, the ACC generates a heartbeat that is transmitted throughout the system. This constantly monitors the system and reports events to the ACC for logging and also the occurrence of any faults in the system.
As the authorised users enter their codes into the lock an audit signal will be sent from the site to the ACC showing exactly who is entering their code and when the code is entered.
Once the locks have been opened it will be possible to retract the boltwork of the door. This operation will be reported to and recorded automatically by the monitoring computer at the ACC.
After a predetermined interval, for example 10 minutes, the lock input keypad will be automatically disabled.
The constantly monitored system will detect and report any activity at the door to the ACC where it will be recorded and viewed by the operator.
If doors are left open beyond a pre-determined period, an alarm will sound at the ACC and the relevant indication on the main display will flash. The operator will then be able to contact on-site security regarding the problem.
By providing an electronic combination lock, in addition to electronic I/O modules, microswitches may be attached to the electronic portion of the lock and subsequently connected to a Local Control Centre. The lock may also be modified to add circuits which provide signals to the Area Control Centre that will be interpreted to indicate the condition or status of the lock at all times. Other microswitches connected to the electrical system of the lock can provide signals to indicate other status conditions for various components of the lock. In addition, a position detector will be installed within the lock housing to monitor and indicate the position of the lock bolt to the LCC/ACC.

Claims

An apparatus for remotely controlling, monitoring and recording access to an electronic lock system, wherein the apparatus comprises:
(i) an electronic lock for a safe or vault door, the electronic lock comprising a lock enable/disable unit, a power supply and ground signal;

(ii) a plurality of electrical conductors;

(iii) at least one remote input/output (I/O) module connectable to the safe or vault door and having a power supply and ground signal;

(iv) a Local Control Centre comprising an embedded computer implementing a monitoring program, a power supply and ground signal; and

(v) an Area Control Centre comprising a computer monitoring system and a connection to said Local Control Centre,
wherein the lock enable/disable unit comprises a driving means, controlled by a microprocessor, and an electronic motor-bolt lock including a redundant power bolt drive, the bolt having an extended first position and a second withdrawn position, movable therebetween by the driving means; and wherein the input/output module is connected to the lock by the plurality of electrical conductors, said plurality of electrical conductors comprising at least three microswitches to monitor the status of the lock and door, and at least two electrical conductors connecting said input/output module to the lock enable/disable unit; the input/output module is further connected to the embedded computer of the Local Control Centre by an isolated differential signalling integrated circuit and the Local Control Centre is linked to the Area Control Centre through either Internet Protocol tunnelling via an intranet or an internet connection.
An apparatus for remotely controlling, monitoring and recording access to an electronic lock system, wherein the apparatus comprises:
(i) an electronic lock for a safe or vault door, the electronic lock comprising a lock enable/disable unit, a power supply and ground signal;

(ii) a plurality of electrical conductors;

(iii) at least one remote input/output (I/O) module connectable to the safe or vault door and having a power supply and ground signal; and

(iv) an Area Control Centre comprising a computer monitoring system,
wherein the at least one remote IO module further comprises a microcomputer and network stack and a connection to the Area Control Centre, and in which the lock enable/disable unit comprises a driving means, controlled by a microprocessor, and an electronic motor-bolt lock including a redundant power bolt drive, the bolt having an extended first position and a second withdrawn position, movable therebetween by the driving means; and wherein the input/output module is connected to the lock by the plurality of electrical conductors, said plurality of electrical conductors comprising at least three micro switches to monitor the status of the lock and door, and at least two electrical conductors connecting said input/output module to the lock enable/disable unit; the input/output module is further connected to the embedded computer of the Local Control Centre by an isolated differential signalling integrated circuit and the Local Control Centre is linked to the Area Control Centre through either Internet Protocol tunnelling via an intranet or an internet connection.
An apparatus as claimed in Claim 1 or Claim 2 further comprising a second input/output module.
An apparatus as claimed in any one of claims 1 to 3 wherein the system comprises a heartbeat for system monitoring which periodically surveys all connected I/O modules).
An apparatus as claimed in Claim 4 in which the remote I/O modules automatically switch to a default state in which authorization is disabled in the event that the system heartbeat fails.
An apparatus as claimed in any one of claims 1 to 5 in which the apparatus further comprises a watchdog mechanism.
An apparatus as claimed in Claim 6 in which the watchdog mechanism comprises a hardware timer that is continually updated and reset whilst the operating system is running normally, and in which the operating system is rebooted and the event logged in response to a system failure in which the operating system is unable to reset the timer.
An apparatus as claimed in Claim 7 in which the operating system must be reconfigured before the system hardware and watchdog mechanism can be re-enabled in the event that an attempt is made to disable the watchdog mechanism.
An apparatus as claimed in any one of claims 6 to 8 in which the LCC hardware comprises an integrated watchdog mechanism.
An apparatus as claimed in one of claims 1 to 10 in which the Internet Protocol tunnelling via an intranet is over an Ethernet.
A method for remotely controlling, monitoring and recording access to an electronic lock system, wherein the method comprises:
(i) contacting the area control office to request activation of a keypad for operating the lock, in which a contact is established by an onsite authorised user;

(ii) identification of the authorised user by an operator at an area control centre;

(iii) enabling of the keypad by the operator for input of an authorised user access code;

(iv) inputting of an authorised user access code;

(v) retracting the boltwork for the door when a correct authorised access code has been input,

(vi) opening the lock;

(vii) disabling the lock keypad automatically after a predetermined time or in response to an instruction by an operator at the ACC;

(viii) sending an alerting signal to the ACC if there is any activity at the door subsequent to stop (vii); and

(ix) sounding an alarm if the doors are left open for too long.
A method as claimed in Claim 11 in which the authorised user is identified by closed circuit television, prior to enablement of the keypad.
A method as claimed in Claim 11 or Claim 12 in which the system defaults to a shut-down mode in the event that connection is lost between an LCC and the ACC.
A method as claimed in Claim 13 wherein a timeout will disable all pending automatically authorizations if connection is lost whilst the vault or safe door is open.
A method as claimed in Claim 14 in which the LCC buffers all events into an internal log files, and upon re-connection these data are automatically synchronized.
A safe or a vault door comprising a mechanism as claimed in any one of claims 1 to 10.