EP3051504B1 - Electronic access system with multiple clocks and storage devices - Google Patents

Description

The present invention relates to an electronic access system and a method for operating such an access system.

Electronic access systems are widely used in practice to grant access to a specific function or to a room or a container to authorized users only after verification. An electronic access system with a plurality of card readers and a central control device, in which card readers can temporarily store transaction information when the communication connection with the central control unit terminates is, for example, in US Pat EP 0 104 767 A2 described.

For example, a generic access system may only provide access to a particular function of a secured (parent) system when an authorized user is recognized. Thus, for example, the identity of a user can be verified in order to enable access to certain account functions only after positive verification at an ATM or bank terminal. Similarly, a generic electronic access system can preclude an unauthorized user from having access to a secured room or a secured container or housing, such as a room. B. a gun cabinet receives.

Such electronic access systems usually have at least one outdoor unit and a separate control unit for this, but usually in spatial proximity to the outdoor unit, that is, for example, located within the same building or on the zuzusdenden element or room. The outdoor unit is equipped with an input device and an evaluation logic, wherein by means of the evaluation logic detected by the input device User identifier with at least one reference, in particular at least one reference value or pattern is comparable to evaluate based on the corresponding comparison, whether the detected user ID to an access authorized or not. For this purpose, the input device may comprise, for example, a fingerprint scanner, so that it is possible to determine with the aid of a scanned fingerprint as a user identifier whether an authorized user requires access. The separate and coupled to the outdoor unit control unit of the access system is adapted to receive from the outdoor unit an enable signal when the detected user ID authorizes access. In response to this enable signal, a control signal is generated by the control unit, as a result of which access is granted to an authorized user of the access system. Thus, while a check is made by the outdoor unit as to whether an authorized user requires access, upon granting a positive check, the granting of the respective access is triggered at the control unit.

In an electronic access system for a secured room or a secured container or housing, the outdoor unit is provided, for example, in the area of a door of the room or of the container or housing. In contrast, the control unit is usually in the interior of the room or the container or housing in order to provide additional protection against any manipulation. In this case, the control unit controls, for example, an electronic lock or an adjusting mechanism, so that the respective door is automatically released or even automatically opened upon detection of a permissible user identification and thus of an authorized user.

Electronic access systems, in particular for securing doors to rooms or to containers or housings, are typically self-contained systems that are possibly connected to a power supply but have no (permanently activated or contacted) interface to a control system. Thus, for example, a connection to a computer network or a single computer system would result in a greater susceptibility to manipulation, since an appropriate interface would also facilitate an abusive attack on the external access system.

The autarky of electronic access systems, however, involves problems with regard to the logging of detected events. For example, it is not easy to store access granted and not granted chronologically and reliably. Especially with burglaries but there is a great criminal interest To determine when and, if appropriate, by whom the most recent access was granted. Likewise, the insurance side may also require that an electronic access system used be able to indicate with the date and time whether and when the most recent access has been granted in order to prove, in the event of damage, that an unauthorized access has actually taken place.

The present invention has for its object to improve an electronic access system in this regard and to overcome the aforementioned disadvantages.

This object is achieved both with an electronic access system of claim 1 and with a method for operating an electronic access system according to claim 13.

• die Außeneinheit eine Eingabeeinrichtung und eine Auswertelogik aufweist und mittels der Auswertelogik eine mittels der Eingabeeinrichtung erfasste Benutzerkennung mit wenigstens einer Referenz vergleichbar ist, um anhand des Vergleichs zu bewerten, ob die erfasste Benutzerkennung zu einem Zugang berechtigt oder nicht, und
• die Steuereinheit eingerichtet ist, von der Außeneinheit ein Freigabesignal zu empfangen, wenn die erfasste Benutzerkennung zu einem Zugang berechtigt, und in Reaktion hierauf ein Steuersignal zu erzeugen, infolgedessen einem Benutzer des Zugangssystems Zugang gewährt wird.

According to the invention, an electronic access system with at least one outdoor unit and a separate - usually internal - control unit is proposed, wherein

• the external unit has an input device and an evaluation logic and by means of the evaluation logic a user identifier detected by the input device is comparable to at least one reference in order to evaluate based on the comparison whether the detected user ID authorizes access or not, and
• the control unit is adapted to receive from the outdoor unit an enable signal when the detected user identifier authorizes access, and in response to this generate a control signal, as a result of which access is granted to a user of the access system.

According to the invention, at least one memory is provided both in the outdoor unit and in the control unit, in each of which at least time-stamped data relating to granted accesses are stored. Furthermore, the outdoor unit and the control unit each have a timer for generating time information, wherein the generated time information of the two clocks of the outdoor unit and the control unit are synchronized with each other to provide a balanced internal time stamp for the access system and a plausibility check for the from the different memories the outdoor unit and the control unit to allow data from each other.

After an initial initialization of the clock on the basis of a start time - preferably including the current date and the current time - is set, is on the clock of the outdoor unit and the clock of the control unit basically every subsequently occurring and electronically detectable event with a concrete reference at the beginning and thus connectable with a specific time. To make sure that any manipulation of the lighter accessible outside unit can be detected and the time stamp associated with a detected event can not be easily falsified, the spatially separated clocks of the outdoor unit and the control unit or the time information generated by you are synchronized with each other according to the first aspect of the invention. Synchronization provides identical time information in both units, which can then be used to record (system) events for use of a unified timestamp.

In this case, a time information generated in the less accessible control unit via their clock form a reference time information to which a time information of the outdoor unit is adjusted, or vice versa, a reference time information is specified by the outdoor unit. For example, the electronic access system may have a synchronization mechanism over which, after a defined period of time - e.g. after 12, 24 or 48 hours - time information of the outdoor unit and the control unit are compared with each other.

In this context, it is provided in an embodiment variant that the control unit is adjusted to the time information of the outdoor unit. Here, for example, play a role that a clock of the outdoor unit is more efficient and thus has a smaller deviation from the actual elapsed time. A clock controlled by the clock of the outdoor unit thus runs more accurate than a controlled by the other clock clock of the control unit. Thus, for example, once a day, the two clocks synchronized with each other and thus adjusted the time information given so, both clocks every 24 hours, at least no deviation from each other.

With regard to a cost-effective and space-saving design, the respective clock generator is provided by a (micro) processor of the outdoor unit or the control unit, by means of which the respective functions of the respective unit are also controlled and implemented. A time information is thus preferably (in each case) obtained from the clock of an already necessary (micro) processor and without the use of a separate real-time clock ("real-time clock", short RTC). Thus, the use of a real-time clock, and in particular a separate RTC chip, would, among other things, increase the cost and size of a board and / or the respective unit. In addition, an energy storage, for example in the form of a battery, would be absolutely necessary, which supplies the real time clock permanently with power and at regular intervals must be changed. Battery replacement, however, entails increased maintenance to ensure system performance, and is particularly undesirable for access systems aimed at (home) end users, such as front doors or safes.

The time information is preferably stored - at least during synchronization - in a persistent, i.e. non-volatile memory of the outdoor unit and / or a persistent memory of the control unit. For example, the control unit and / or the outdoor unit for this purpose have a flash memory. In one embodiment, the control unit has a (volatile) memory and a persistent memory for the time information of the control unit, while the outdoor unit has only a volatile memory for the time information of the outdoor unit. In the respective working memory, for example a RAM (abbreviation for "random-access memory"), the time information is continuously updated. In other words, the volatile memory is provided with a clock representing the current time, from which a time stamp used for logging events in the outdoor unit or control unit originates. During synchronization, the current time information is transferred from the volatile main memory of the outdoor unit to the control unit. In the control unit, the obtained time information of the outdoor unit is then stored both in the volatile main memory and in the persistent memory of the control unit. Thus, on the one hand a clock of the control unit is adjusted to the time information from the outdoor unit and on the other hand, a reference time information at the time of synchronization permanently stored. About the permanently stored reference time information is e.g. in particular after a power failure, it is possible to recalibrate the clock of the outdoor unit.

Thus, the outdoor unit is usually more likely to be exposed to the risk of power failure, possibly also due to unauthorized manipulation, than the control unit, which is regularly better protected against manipulation. If the power fails on the outdoor unit, the time information is lost from its volatile memory. If power is again present at the outdoor unit, synchronization is automatically carried out by means of a corresponding control logic of the access system, in which time information is transferred from the volatile main memory or from the persistent memory of the control unit to the outdoor unit, so that a calibrated time stamp is provided within the system can be used in both units.

In one embodiment, the outdoor unit and / or the control unit has an energy storage, for. B. in the form of a battery or a battery, by means of which in the case of a power failure or data in a - preferably persistent - memory can be written. The memory is arranged, for example, in that unit which also has an energy store, although this is not mandatory. With regard to the reduction of the risk of manipulation or at least an improved, later recognition of a manipulation, at least one energy store is provided in the control unit. This can be provided, for example, that the control unit using the provided by the energy storage electrical energy in the event of a power failure nor its occurrence along with a timestamp in a persistent (flash) memory of the control unit logs.

In order to complicate the manipulability, in particular of the adjusted internal time information for the access system, the communication between the external unit and the control unit is encrypted in a variant embodiment. Alternatively or additionally, the outdoor unit and the control unit can be paired with each other so that they are unique in their combination. After a "Pairing" of outdoor unit and control unit after their commissioning is once properly initialized outdoor unit only with a specific, hereby paired control unit suitable for communication and thus functional.

The start time is preferably initialized via a wireless connection, for example via an infrared interface provided on the outdoor unit. For initialization, a remote control of the access system is used, for example. The access system may also be configured alternatively or additionally to allow the initialization of a start time only after an authorized user has been recognized by means of a fingerprint.

In one embodiment, at least data on granted and not granted accesses are also stored in at least one of the memories associated with the time stamp. In other words, each granted or not granted access is stored as an event together with the respective time specification as a data record in the at least one memory. In this way it can be determined at a later time, for example after a break-in, based on the data stored in the memory, whether at the time of the break-in or the last time one detected user ID detected as permissible and thus a (supposedly) authorized user has been identified.

The data associated with a time stamp are preferably stored in a readable file.

In order for the data also to be readable when the entire system or even only one of the two units is no longer supplied with power, a persistent memory is preferably provided, e.g. an already previously addressed flash memory.

According to the invention it is provided that at least one memory is provided both in the outdoor unit and in the control unit, in each of which at least provided with a time stamp data is granted to granted and possibly not granted accesses. Consequently, at least two spatially separated memories are provided, each containing data on granted and preferably also on non-granted accesses, so that, in particular at a later time, a plausibility check, for example of the data stored in the memory of the outdoor unit, based on the data stored in the memory Control unit stored data is possible. This is particularly advantageous since the outdoor unit accessible to external user detection is regularly exposed to a greater risk of tampering and thus a single memory in the outdoor unit provides a lesser degree of security.

In a possible embodiment variant of an electronic access system according to the invention, the outdoor unit has a more powerful (micro) processor than the control unit. For example, the evaluation logic of the outdoor unit must regularly be made significantly more powerful in order to check whether an authorized user requires access in order to be able to carry out the examination as quickly as possible. In contrast, an electronic control unit of the control unit may possibly be limited to a control signal for switching a relay to an enable signal of the outdoor unit produce. About the switched relay can then be controlled, for example, a door opener or a lock motor. The aforementioned aspects of the invention then complement each other in such an access system with differently powerful units in a particularly advantageous manner. Thus, for example, significantly more data can be processed and stored in its memory by the more powerful outdoor unit, while in return in the less powerful control unit a smaller amount of data on a detected event is sufficient to check the data of the outdoor unit for plausibility. However, the data stored in the control unit for this purpose, as well as the control unit housed in the clock with a lower risk of tampering in a secure area and spatially spaced from the outdoor unit before.

In the electronic access system according to the invention, in which data are stored both in a memory of the outdoor unit and in a memory of the control unit, it can be provided that stored data are identical in tamper-free operation of the access system in the at least two memories. Data is thus stored redundantly in both spatially separated memories. This facilitates a plausibility check. In this case, copies of the data recorded in one unit can also be stored in the memory of the other unit.

Alternatively or additionally, data stored in the at least two memories may be different in the case of manipulation-free operation of the access system. Thus, the data stored in each case can already be distinguished from one another in that different events are recorded electronically by the two units and data are stored for this purpose. For example, in an outdoor unit with a fingerprint scanner, a detected fingerprint and / or - in the case of a positive check - a user identification number belonging to the fingerprint (in short: user ID) can be stored together with a time stamp. On the other hand, in the control unit coupled with it-likewise linked with a time stamp-it is stored when an enable signal has been received and which has been generated by a plurality of possible control signals. Thus, for example, in the control unit also (only) linked to a time stamp can be stored, which was switched by several possible relay when. More generally, it is thus provided in one embodiment that data characterizing granted access in the memory of the outdoor unit are different from access granted characterizing data in the memory of the control unit.

Of course, identical data (sets) can be present in both memories in addition to the different data. For example, if a fingerprint is tested positively in a memory of the external unit, a user ID and the captured fingerprint or a compressed version of this captured fingerprint are always stored together with a time stamp and the user ID together with a time stamp is always stored in the memory of the control unit (FIG. as identical data) and additionally only one parameter for the switched relay (as data different from the data of the outdoor unit) is stored.

Since the clocks are additionally permanently synchronized here and thus the time stamps are exchanged, the log files stored in the memories can easily be viewed and evaluated together.

In one embodiment, the input device of the outdoor unit is designed and provided to detect at least one biometric characteristic of a user as a user identifier. Such a biometric characteristic may be, for example, a fingerprint. Accordingly, the input device may comprise a fingerprint scanner, preferably a semi-automatic fingerprint scanner. In a semi-automatic fingerprint scanner, a finger is dragged across a narrow scanner area of a line sensor. Such a system offers the advantage that no fingerprint of an authorized user can be removed from the fingerprint scanner itself.

• das Einlernen eines sogenannten "Masterfingers", also des Fingerabdrucks oder der Fingerabdrücke eines als Administrator betrachteten Benutzers;
• das Einlernen eines (weiteren) Benutzers;
• das Erfassen einer Benutzerkennung zusammen mit dem Prüfergebnis, also dem Ergebnis eines Identifikationsvorgangs zusammen mit einem Matching-Ergebnis, wobei bei einer positiven Überprüfung zusätzlich auch noch eine Benutzer-ID für den erkannten Benutzer abgespeichert werden kann;
• das Löschen eines Benutzers oder zumindest eines Benutzerfingers als eine in der Außeneinheit - vorzugsweise in einem Referenzspeicher - abgelegten Referenz;
• ein Reset des Zugangssystems;
• einen eventuellen Stromausfall und das (erneut) Einschalten des elektronischen Zugangssystems oder zumindest einer oder beider Einheiten des Zugangssystems;
• die Durchführung einer Implementierten Testfunktion zum initialen Testen der Funktionsfähigkeit des Zugangssystems;
• ein durch das Zugangssystem ausgelöster Sperr- und Entsperrvorgang;
• eine bestimmte, zum Beispiel 20 oder 30, Anzahl zuletzt erfasster Fingerabdrücke oder komprimierter und auswertbarer Versionen hiervon;
• Änderungen an den Einstellungen der Außeneinheit oder des Zugangssystems an sich, wie eine Umstellung von Relaisschaltzeiten, eine Umstellung eines hinterlegten Sicherheitslevels, etc..

For example, in an electronic access system with a fingerprint scanner, it is considered advantageous that a plurality of events, such as the last 50 or 100, detected by the outdoor unit are timestamped together in a memory of the outdoor unit. Such events include:

• Teaching in a so-called "master finger", ie the fingerprint or the fingerprints of a user regarded as an administrator;
• the training of a (further) user;
• the detection of a user identifier together with the test result, ie the result of an identification process together with a matching result, wherein in a positive check additionally also a user ID for the recognized user can be stored;
• deleting a user or at least one user's finger as a reference stored in the outdoor unit, preferably in a reference memory;
• a reset of the access system;
• a possible power failure and (re) turning on the electronic access system or at least one or both units of the access system;
• the implementation of an implemented test function for initially testing the functionality of the access system;
• a lock and unlock operation initiated by the access system;
• a particular, for example 20 or 30, number of last acquired fingerprints or compressed and evaluable versions thereof;
• Changes to the settings of the outdoor unit or the access system itself, such as a changeover of relay switching times, a change of a stored security level, etc ..

• die Ansteuerung eines bestimmten Relais;
• der Empfangs eines Freigabesignals von der Außeneinheit;
• die Ansteuerung eines von mehreren möglichen Relais zusammen mit einem Identifikationsparameter, der angibt, welches der Relais angesteuert wurde oder ob beide Relais angesteuert wurden.

In a control unit coupled thereto, a plurality of events detected by the latter, for example likewise the last 50 or 100, can also be recorded together with a time stamp, such as, for example:

• the activation of a specific relay;
• receiving an enable signal from the outdoor unit;
• the control of one of several possible relays together with an identification parameter indicating which of the relays has been activated or whether both relays have been activated.

With regard to an electronic access system, through the control unit, a door lock is released or opened, for example, two through the Control signals of the control unit controlled relay to be provided on the one hand to control a lock motor or a door opener and on the other hand, a higher-level alarm system. Thus, for example, the door lock is released via one relay, while the alarm is deactivated via the other relay, if active.

In one embodiment, the outdoor unit and the control unit of the electronic access system are interconnected via at least one signal line having two parts connected to one another via a plug connection between the outdoor unit. By releasing the plug connection, a connection between the outdoor unit and the control unit can thus be interrupted. The provision of a plug connection between the two units of the electronic access system on the one hand offers the advantage of easier integration of the two units in a device to be secured. For example, the outdoor unit can be more easily mounted in a door to be secured of a house, while the control unit acting as an indoor unit or controller unit is mounted inside the house, usually near the door. The plug connection is preferably accessible only within the spaces to be secured, so that a separation of the two units from each other for manipulation purposes from the outside is not possible.

The plug connection between the outdoor unit and the control unit is preferably used for reading data stored in a memory of the outdoor unit and / or in a memory of the control unit over granted and / or not granted accesses. For this purpose, a separate readout unit of the access system can be provided, which can be connected to the outdoor unit and / or the control unit if required.

Such a readout unit, which can be connected, for example, to a computer or mobile device, such as a PC, laptop, tablet or smartphone, via a suitable wired or wireless interface, has in one embodiment a first and a second connector. These two connecting pieces are formed complementary to two connecting pieces of the plug connection provided between the outdoor unit and the control unit. In this way, the first connection piece can be connected to a first connection piece of the plug connection and the second connection piece can be connected to a second connection piece of the plug connection in order to read data from one or more memories. By using two connecting pieces that can be designed differently from each other, on the one hand avoided that a connector of the readout unit is connected to the wrong connector of the plug connection. On the other hand, both the connecting pieces and the connecting pieces can each be designed as a plug part or as a socket part, so that the plug connection is easily separable and a parallel connection of both connecting pieces to the readout unit is possible with separate plug connection. It can thus be provided that the readout unit is simultaneously connected via its first and second connecting pieces temporarily to the outdoor unit and the control unit in order to read out (protocol) data about stored events from both units.

By means of a software executable on the readout unit, the data read out can be converted, for example, into a specific format and / or output on a display of the readout unit. Alternatively or additionally, the data read out can be imported, exported and displayed by a computer or a mobile device, which is connected to the read-out unit via a suitable interface, in a specific file format. It can of course be provided that a corresponding software on the computer or mobile device is running, with the help of which data can be read from a memory of the outdoor unit and / or memory of the control unit and processed.

A further aspect of the invention is the provision of a method for operating an electronic access system which has at least one outdoor unit with an evaluation logic and an input device, such as a fingerprint scanner, and a control unit separate from the outdoor unit for generating control signals.

• sowohl in der Außeneinheit als auch in der Steuereinheit mindestens ein Speicher vorgesehen ist, in dem jeweils wenigstens mit einem Zeitstempel versehene Daten zu gewährten Zugängen - und vorzugsweise auch nicht gewährten Zugängen - gespeichert werden, und
• sowohl die Außeneinheit als auch die Steuereinheit einen Taktgeber zur Erzeugung einer Zeitinformation aufweisen und die Zeitinformationen der beiden Taktgeber miteinander synchronisiert werden, um einen abgeglichenen internen Zeitstempel für das Zugangssystem bereitzustellen und eine Plausibilitätsprüfung für die aus den unterschiedlichen Speichern der Außeneinheit und der Steuereinheit stammenden Daten untereinander zu ermöglichen.

An inventive method is characterized in that

• at least one memory is provided both in the external unit and in the control unit, in each of which data provided with at least a time stamp are allocated to accesses granted - and preferably also not granted accesses - and
• both the outdoor unit and the control unit have a timer for generating time information and the time information of the two clocks are synchronized with one another to provide a balanced internal time stamp for the access system and a plausibility check for the data originating from the different memories of the outdoor unit and the control unit to enable.

A method according to the invention can thus be implemented by an electronic access system according to the invention. Consequently, the above applies in this regard and the following advantages and features also for embodiments of a method according to the invention and vice versa.

Further advantages and features of the invention will become apparent in the following description of exemplary embodiments with reference to the figures.

Figur 1

ein Ausführungsbeispiel eines erfindungsgemäßen elektronischen Zugangssystems mit einer einen Fingerabdruckscanner aufweisenden Außeneinheit;

Figur 2

schematisch und mit weiteren Details die Außeneinheit des Zugangssystems der Figur 1 und eine damit gekoppelte Steuereinheit;

Figur 3

schematisch die zwischen der Außeneinheit und der Steuereinheit ausgetauschten Daten und Signale;

Figur 4A

ein Beispiel für in einem Speicher der Außeneinheit und in einem Speicher der Steuereinheit identisch und chronologisch abgespeicherte Ereignisdaten;

Figur 4B

ein Beispiel für zueinander unterschiedliche Daten, die einerseits in einem Speicher der Außeneinheit und andererseits in einem Speicher der Steuereinheit abgespeichert werden;

Figur 5

schematisch die Außeneinheit und die Steuereinheit der Figur 2 mit einer über zwei Steckerverbindungen mit beiden Einheiten verbundenen Ausleseeinheit.

Hereby show:

FIG. 1

An embodiment of an electronic access system according to the invention with a fingerprint scanner having outdoor unit;

FIG. 2

schematically and with further details the outdoor unit of the access system of FIG. 1 and a control unit coupled thereto;

FIG. 3

schematically the data and signals exchanged between the outdoor unit and the control unit;

FIG. 4A

an example of identical in a memory of the outdoor unit and in a memory of the control unit and chronologically stored event data;

FIG. 4B

an example of mutually different data, which are stored on the one hand in a memory of the outdoor unit and on the other hand in a memory of the control unit;

FIG. 5

schematically the outdoor unit and the control unit of FIG. 2 with a readout unit connected to both units via two plug connections.

The FIG. 1 1 schematically shows an electronic access system 1, in which an electronic outdoor unit 2 is accessible in an exterior space AR and is coupled to a control unit 3 accessible exclusively via a secured interior IR. For example, a door to a house or a security area is secured via the electronic access system 1, so that access is granted to authorized users only. While on the outdoor unit 2, a user ID is detected to check whether it is the outdoor unit 2 the person using the user is an authorized user, a lock device, such as a lock motor 5, is actuated via the control unit 3 coupled therewith, if an authorized user has been identified on the outdoor unit 2.

For detecting a user identification, the outdoor unit 2 has an input device in the form of a preferably semi-automatic fingerprint scanner 21. To identify - as well as the previous teaching a corrected user - a finger over a narrow sensor surface of the fingerprint scanner 21 is pulled. The fingerprint scanner 21 is in this case housed in a housing 20 of the outdoor unit 2. An outside of this housing 20 is accessible, for example, on a door or in the region of a door frame, so that a person can have their finger read in on the fingerprint scanner 21. On the outside of the housing 20 display elements 22a and 22b, for example in the form of colored lights, provided to indicate in particular the current operating mode and status of the outdoor unit 2. In addition, a receiver E is provided on the outdoor unit 2, for example an infrared receiver having an interface for wireless reception of data. This receiver E can receive data in the form of operating signals which are transmitted via a transmitter S of a remote control F. These operating signals are used, for example, to initialize the outdoor unit 2 after its intended installation, including the setting of a current date and a current time. To trigger the operating signals, the remote control F on a control panel B with multiple buttons.

During operation of the electronic access system 1, the outdoor unit 2 acquires a fingerprint via its fingerprint scanner 21 and compares it with one or more reference prints stored in a reference memory. The features to be compared of the detected fingerprint can in this case, for example, according to one in the EP 1 402 460 B1 described method based on the minutiae. If the comparison is positive, that is, corresponds to the detected fingerprint or the features extracted therefrom of stored in a reference memory of the outdoor unit 2 reference and thus identified an authorized user, the outdoor unit 2 sends a release signal to the control unit 3 via a signal line LT Receiving the enable signal, the control unit 3 generates a control signal. As a result of this control signal, for example, a relay is switched to control the lock motor 5 to unlock the door.

The power supply of the electronic access system 1 via a connected to the control unit 3 power supply 6. This power supply 6 is connected to a voltage source 7. In this case, the outdoor unit 2 is also supplied with power via a multi-core configuration of the signal line LT or via an additional line between the outdoor unit 2 and the control unit 3.

In the FIG. 1 is also shown in dashed lines, that the control unit 3 in addition - preferably via a further relay - can be connected to an alarm system AS. In this case, in the case of a corrected user and receipt of an enable signal by the control unit 3, a shutdown of the alarm system AS can be triggered. Furthermore, it is possible to trigger a (silent) alarm via the alarm system AS in the event of a detected manipulation attempt on the outdoor unit 2. However, such an alarm can also be triggered, for example, if the external unit 2 repeatedly and within a short time it is determined that an unauthorized user requires access.

By making the electronic access system 1 a stand-alone fingerprint recognition system with no permanent connection to a computer or computer network, and thus a closed and self-contained system, the risk of external manipulation is significantly reduced. However, this makes it difficult to log reliably and with a reliable time stamp from the outdoor unit 2 and / or the control unit 3 detected events. In an event of burglary, however, it must be possible to prove for insurance-technical reasons that the access system 1 has worked reliably and, for example, no authorized access has taken place at the time of the break-in.

In the illustrated solution according to the invention, two significant improvements are made against this background, in particular with reference to FIG. 2 should be illustrated in more detail.

The FIG. 2 shows in this case further details of the outdoor unit 2 and the control unit 3, which are connected to each other via the equipped with a connector 4 signal line LT. So is out of the FIG. 2 it can be seen that the outdoor unit 2 has evaluation electronics 23, which is usually implemented with at least one microprocessor. About the transmitter 23 is detected on the fingerprint scanner 21 fingerprint checked and evaluated whether this authorizes access. The transmitter 23 has in particular for this purpose an evaluation logic 230 and an in of the FIG. 2 not shown reference memory for previously stored reference data to the fingerprints of authorized users. Furthermore, an (event data) memory 231 is provided as part of the evaluation electronics 23 and a clock generator 232. In a comparable manner, the control unit 3 has control electronics 30 with a control logic 300, an (event data) memory 301 and a clock generator 302. In particular, a received enable signal of the evaluation unit 2 is evaluated via the control logic 300 of the control electronics 30 in order to generate a control signal in dependence thereon. This control signal is used to switch relays R1, R2 of the control unit 2. The one relay R1 controls, for example, the lock motor 5, while the other relay R2 controls the alarm system AS. The two clocks 232 and 302 are each provided by a (micro) processor of the outdoor unit 2 and the control unit 3. By means of the respective microprocessor, the other functions can also be controlled and implemented in each case. In this case, time information is in each case obtained from the clock of a microprocessor which is provided anyway in the outdoor unit 2, for example for the processing of biometric data and in the control unit 3, for example for the generation of the control signals. The respective time information is consequently generated without the use of a separate real-time clock (RTC).

In the two memories 231 and 301 of the outdoor unit 2, on the one hand, and the control unit 3, on the other hand, event data are logged, in particular via accesses granted and not granted by the access system 1. The individual events are in this case associated with a time stamp, so that it can be seen at a later time, when a particular event has occurred, so for example a scanned fingerprint was not identified as belonging to a registered user or due to the identification of a fingerprint of an authorized user an access was granted. The memories 231 and 301 are preferably formed as non-volatile, i.e., persistent, memories, e.g. in the form of flash memories, so that data remain stored even without a permanent supply voltage and thus in particular in the event of a power failure.

In the memories 231 and 301, the corresponding data can be stored redundantly, so that at a later time by comparing records from both memories 231 and 301 on any manipulation, for example, on the outdoor unit 2 and its memory 231, can be closed. Alternatively or additionally, different data are recorded in the two memories 231 and 301, however, equally allow a plausibility check of the data originating from the different memories 231 and 301 with each other. If, for example, the identification of an authorized user and thus the generation of an enable signal are logged in the memory 231 of the outdoor unit 2 in the memory 301 of the control unit 3 at the same time or shortly thereafter, a control of one or both relays R1, R2 be logged.

Further, in order for a time stamp used in the outdoor unit 2 for logging event data to be comparable and valid to a time stamp used in the control unit 3 for logging event data, its clocks 232 and 302 or time information generated therewith are preferably permanent or unique within an adjustable time interval, eg 24 hours - synchronized with each other, so that a balanced internal timestamp for the access system 1 is present. As a result, it can be avoided, for example, that the event data stored in both memories 231 and 301 can be stored with a manipulated time stamp by a manipulation on the outdoor unit 2 without further ado. On the other hand, with proper, manipulation-free operation, a usually more powerful (micro) processor of the outdoor unit 2 and the clock 232 provided therewith can be used to check the time stamp generated by the clock 302 in the usually less powerful control unit 3. To initialize the two clocks 232 and 302, for example, a (current) start or reference time via the remote control F is specified. It may be provided that only after an authentication process has been carried out - e.g. the detection of a "master finger" - via numeric keys of the remote control the current date and time can be entered.

During synchronization, a matched time stamp is stored in the persistent memory 301 of the control unit 3 for the later proof of the synchronization carried out and for a recalibration of the system after a power failure. Thus, the read-out unit 2 and the control unit 3 can each have a volatile random access memory (RAM) 233 or 303 coupled to the associated clock generator 232 or 302 for generating the time information generated in the respective unit 2 or 3

The time information is continuously stored in the working memories of the outdoor unit 2 and the control unit 3. One using the respective clock 232 or 302 Realized clock keeps running. During synchronization, the time information of the outdoor unit 2 is forwarded to the control unit 3 and stored here both in the power fail safe (flash) memory 301 and in the volatile RAM 303. The subsequent updating is based on the timer 302 of the control unit 3 now on the adjusted with the outdoor unit 2 time information.

The clock in the more powerful outdoor unit 2 is more accurate (powerful processor with more accurate clock). The clock in the less powerful control unit 3 has a significant deviation (about 10 minutes per day, for example). However, due to the automatic synchronization performed at least once a day, the deviation of the time information of the control unit 3 from the outdoor unit 2 never exceeds a maximum value, e.g. of 10 minutes a day.

Since the outdoor unit 2 is in an externally accessible area, it is more likely to be a power failure, e.g. as a result of a manipulation attempt suspended. In the event of a power failure, the events previously logged are stored securely in the memory 232 of the outdoor unit 2. The time information in the working memory (RAM) of the outdoor unit 2 is lost during power failure. When the outdoor unit 2 is in operation again, synchronization with the control unit 3 is performed first, and the current time information of the control unit 3 is transmitted to the outdoor unit 2.

The control unit 3 may further comprise an energy storage, for. B. in the form of a battery or a battery, by means of which in the case of a power failure data can still be written in the memory 301. This can be provided, for example, that the control unit 3 using the provided by the energy storage available electrical energy in the event of power failure nor the occurrence of power failure logs together with a timestamp in the persistent (flash) memory 301 of the control unit 3. In addition, this time information stored in the power fail-safe memory 301 can be used after the power failure to update the system-internal time stamp and thus to have an updated and synchronized time information again both in the control unit 3 and in the outdoor unit 2. This emergency energy storage is in this case preferably designed and the respective control electronics set up so that at least one time stamp can be stored after the occurrence of a power failure via the electrical energy provided therewith. Due to this minimum requirement is the emergency energy storage easily dimensioned so that it does not need to be replaced during the calculated typical life of the access system.

An exchange of data between the two units 2 and 3 via the signal line LT preferably encrypted, so that this manipulation is not possible or at least largely excluded. Encryption can be done using standard encryption algorithms. Furthermore, the units 2 and 3 are paired with each other, so that they can only communicate with each other after assembly and initialization, but not with other units 2 and 3.

The FIG. 3 schematically illustrates the exchange of different data and signals between the two units 2 and 3 of the electronic access system. 1

Thus, on the one hand, a synchronization signal 80 is provided in order to synchronize the two clocks 232 and 302 of the two units 2 and 3 with each other and thus to ensure that a matched timestamp is used in each case when logging detected events by the two units 2 and 3 ,

In addition, the outdoor unit can transmit a release signal 81 to the control unit 3. This enable signal 81 signals that an authorized user has been identified via the fingerprint scanner 21 of the outdoor unit 2, and thus the lock motor 5 can be activated to unlock the door via the control unit 3.

Furthermore, event data 82 and 83 can be exchanged between the two units 2 and 3 in order, for example, to store certain information redundantly. For example, a specific user ID is stored in the outdoor unit 2 for each reference fingerprint. If it is detected via the fingerprint scanner 21 of the outdoor unit 2 that a certain user identified as authorized requires access, the outdoor unit 2 transmits not only the release signal 81 to the control unit 3 but also the user ID. Accordingly, the control unit 3 can recognize, for example at the user ID, which relay R1 or R2 should be switched (if this should be handled differently in different users). With priority, however, the transmitted user ID is used to store it as part of an additional data record in the memory 301 of the control unit 3 in order to log for which user - to the knowledge of the Control unit 3 - at which time a particular relay R1, R2 switched and thus, for example, the lock motor 5 was driven.

The stored in the memories 231 and 301 of the two units 2 and 3 event data are preferably stored in a tabular form chronologically. Such tables show the FIGS. 4A and 4B each schematically.

In the FIG. 4A a table stored redundantly in both memories 231 and 301 is illustrated. In this case, column-by-column different data are stored as memory entries L1 to L4. A first memory entry L1 contains the time stamp and thus allows a conclusion on the time of each logged event, in particular date and time. The memory entry L2 of the other column indicates in the same line the detected event, ie z. For example, a parameter for a granted access (value "1") or a non-granted access (value "0"). In the following column, a user ID of the recognized authorized user is stored as memory entry L3 if the fingerprint thereof has been recognized. In a further column, an action carried out by the outdoor unit 2 or the control unit 3 is then stored as a memory entry L4, for. Example, a value from which is read, which relay R1, R2 has been switched ("0" for both relays R1 and R2, "1" for relay R1 and "2" for relay R2).

In which by the FIG. 4B illustrated embodiment, at least partially different data are stored in the memories 231 and 301 of the two units 2 and 3 of the electronic access system 1. A data record of the memory 231 contains here by way of example analogously to the exemplary embodiment of FIG FIG. 4A the memory entries L1 to L3 supplemented by an additional memory entry L5. The memory entry L5 of the memory 231 of the outdoor unit 2 contains, for example, an indicator which has been detected by a plurality of detected fingers of an authorized user and / or a possibly compressed image of the detected fingerprint of the (authorized or unauthorized) user. A corresponding record of the memory 301 of the control unit 3 contains, in addition to the time characterizing memory entry L1, the memory entries L3 for the user ID and the memory entry L4 for the switched relay R1, R2.

• das Einlernen neuer Finger,
• einen Indikator zur Klassifizierung, ob ein Abgleich eines erfassten Fingerabdrucks mit den hinterlegten Fingerabdrücken zu einem positiven oder negativen Ergebnis geführt hat,
• einen Stromausfall und/oder ein Einschaltzeitpunkt,
• die Ausführung einer "Autotest-Funktion" und/oder
• ein Abbild der erfassten Fingerabdrücke - gegebenenfalls begrenzt auf eine bestimmte Anzahl, z. B. 20.

Gerade durch die Speicherung von an dem Zugangssystem 1 detektierten Ereignissen in der gegen Manipulation gut geschützten üblicherweise innen innerhalb des zu sichernden Raumes liegenden Steuereinheit 3 übernimmt diese die Funktion einer "Blackbox" des Zugangssystem 1, d.h., eines Aufzeichnungsgeräts, das Ereignisse bzw. zugehörige (Ereignis-) Daten chronologisch und auslesbar (und damit auswertbar) protokolliert.Both in the memory 231 of the outdoor unit 2 and in the memory 301 of the control unit 3 can also other events (or event data) associated with a time stamp and thus stored together with a memory entry L1 for the time stamp, such. B.

• learning new fingers,
• an indicator for classifying whether a comparison of a captured fingerprint with the deposited fingerprints has led to a positive or negative result,
• a power failure and / or a switch-on time,
• the execution of an "Autotest function" and / or
• an image of the captured fingerprints - possibly limited to a certain number, eg. Eg 20.

Just by the storage of detected at the access system 1 events in the well-protected against manipulation usually inside inside the room to be backed up control unit 3 assumes the function of a "black box" of the access system 1, ie, a recording device, the events or associated ( Event) data is logged chronologically and readable (and therefore evaluable).

For reading out the data stored in the memories 231 and 301, a read-out unit 9 is provided. This has two connecting pieces 9a and 9b for connection to the two units 2 and 3 of the access system 1. In this case, the two connecting pieces 9a and 9b are plugged into one of two connecting pieces 4a and 4b, via which two line parts of the signal line LT are connected to one another in the region of the plug connection 4. Accordingly, the connecting pieces 4a and 4b are designed, for example, as plugs and sockets, so that they can easily serve both as an interface for connection to the respective other unit 3 or 2 and as an interface for connection to the read-out unit 9. Accordingly, the connecting pieces 9a and 9b of the read-out unit 9 are accordingly designed as plug and socket complementary to the connecting pieces 4a and 4b.

By having read-out unit 9 two connection pieces 9a and 9b, data can be read from both memories 231 and 301 in parallel via read-out unit 9. The readout unit 9 serves as an adapter in this case and therefore has a connection piece 9c via which the readout unit 9 can be connected to a mobile device or a computer, eg via a USB connection, ie, in particular a PC or a notebook. As a result, the data stored spatially separated from each other in the two units 2 and 3 are easily stored in a log file be merged or converted into several log files and evaluated on the respective connected via the connector 9c device.

The plug connection 4 for connection of the outdoor unit 2 accessible in the exterior space AR and the control unit 3 accommodated in the interior IR is preferably likewise located in the interior space IR secured by the access system 1. In this way, access to the plug connection 4 and thus to the two connecting pieces 4a and 4b is possible only with access to the interior IR or within the interior IR.

LIST OF REFERENCE NUMBERS

1

access system

2

outdoor unit

20

casing

21

Fingerprint scanner

22a, 22b

display element

23

evaluation

230

evaluation logic

231

Memory (persistent)

232

clock

233

Memory (volatile)

3

control unit

30

control electronics

300

control logic

301

Memory (persistent)

302

clock

303

Memory (volatile)

4

plug connection

4a, 4b

connecting part

5

Castle motor

6

power adapter

7

voltage source

80

synchronization signal

81

enable signal

82

Event data (on outdoor unit)

83

Event data (to control unit)

9

readout unit

9a, 9b

connector

9c

joint

AS

alarm system

B

Control panel

e

receiver

F

remote control

L1 - L5

memory entry

LT

signal line

S

transmitter

Claims (13)

1. Electronic entry system, having at least one exterior unit (2) and a control unit (3) that is separate therefrom, wherein

   - the exterior unit (2) has an input device (21) and evaluation logic (23), and a user identifier captured by means of the input device (21) is comparable with at least one reference by means of the evaluation logic (23) in order to use the comparison to rate whether or not the captured user identifier provides authorization for an entry, and

   - the control unit (3) is configured to receive a clearance signal from the exterior unit (2) if the captured user identifier provides authorization for an entry, and to react thereto by generating a control signal as a result of which a user of the entry system (1) is granted entry,
   wherein

   - both in the exterior unit (2) and in the control unit (3) at least one memory (231, 301) is provided that is used to store in each case at least data (L2-L5), provided with a time stamp (L1), pertaining to granted entries, and

   - both the exterior unit (2) and the control unit (3) have a clock generator (232, 302) for generating time information, and the time information of the two clock generators (232, 302) are synchronized with one another in order to provide an aligned internal timestamp for the entry system (1) and to allow a plausibility check for the data (L2-L5) coming from the different memories (231, 301) of the exterior unit (2) and the control unit (3) among one another.
2. Entry system according to Claim 1, characterized in that at least one of the memories (231, 301), preferably a readable file, is used to store at least data (L2-L5) about granted and non-granted entries in combination with the time stamp (L1).
3. Entry system according to either of Claims 1 and 2, characterized in that
   data stored in the at least two memories (231, 301) are different during manipulation-free operation of the entry system, and data (L2, L3, L5) characterizing a granted entry in the memory (231) of the exterior unit (2) are different from data (L3, L4) characterizing a granted entry in the memory (301) of the control unit (301).
4. Entry system according to Claim 3, characterized in that

   - the exterior unit (2) is designed and intended to respond to a granted entry by using its memory (231) to store a time stamp (L1) together with a user ID (L3) and/or a captured fingerprint, and/or

   - the control unit (3) is designed and intended to respond to a granted entry by using its memory (301) to store a time stamp (L1) together with information about a relay (R1, R2) switched by the control signal.
5. Entry system according to one of the preceding claims, characterized in that a volatile memory (233, 303) is provided in the control unit (3) and the exterior unit (2) for continually updating the respective time information, and the entry system (1) is designed and intended to store, upon synchronization, time information of the exterior unit (2) in the volatile memory (303) of the control unit (3).
6. Entry system according to Claim 5, characterized in that the control unit (3) additionally has at least one non-volatile memory (301) and is configured to store, upon synchronization, the time information received from the exterior unit (2) in the non-volatile memory (301) too.
7. Entry system according to Claim 5 or 6, characterized in that the control unit (3) has control logic (300) configured

   - to store time information in a non-volatile memory (301) upon interruption to a power supply for the entry system (1) or just for the exterior unit (2) and/or the control unit (3) and/or

   - to transmit automatically after an interruption to a power supply for the exterior unit (2) - in order to synchronize the time information - time information of the control unit (3) to the exterior unit (2).
8. Entry system according to one of the preceding claims, characterized in that the input device (21) of the exterior unit (2) is designed and intended to capture at least one biometric characteristic of a user as a user identifier, in particular a fingerprint.
9. Entry system according to one of the preceding claims, characterized in that the entry system (1) has an interface for the wireless transmission of data, in particular an infrared interface, via which data for initializing a starting time are transferrable.
10. Entry system according to Claim 9, characterized in that in order to initialize the starting time there is provision for a remote control (F) via which data are transferrable to an interface provided on the exterior unit (2), and/or the entry system (1) is configured to permit the initialization of a starting time only after an authorized user has been detected.
11. Entry system according to one of the preceding claims, characterized in that the exterior unit (2) and the control unit (3) are connected to one another via a signal line (LT) that has, between the exterior unit (2) and the control unit (3), two parts connected to one another via a plug connection (4) .
12. Entry system according to Claim 11, characterized in that there is provision for a reading unit (9) that is connectable to the exterior unit (2) and/or the control unit (3) in order to read data stored in a memory (231) of the exterior unit (2) and/or in a memory (301) of the control unit (3) about granted entries, and the plug connection (4) has two connecting pieces (4a, 4b) connected to one another, and the reading unit (9) has a first and a second connection piece (9a, 9b), wherein the first connection piece (9a) is connectable to a first connecting piece (4a) of the plug connection (4) and the second connection piece is connectable to a second connecting piece (4b) of the plug connection (4) in order to read data from one or more memories (231, 301).
13. Method for operating an electronic entry system, in particular an entry system according to one of Claims 1 to 12, in which

    - an exterior unit (2) having an input device (21) and evaluation logic (23) is provided, wherein the evaluation logic (23) is used to compare a user identifier captured by means of the input device (21) with at least one reference in order to use the comparison to rate whether or not the captured user identifier provides authorization for an entry, and

    - a control unit (3), separate from the exterior unit (2), is provided that receives a clearance signal from the exterior unit (2) if the captured user identifier provides authorization for an entry, and reacts thereto by generating a control signal as a result of which a user of the entry system (1) is granted entry,
    wherein

    - both in the exterior unit (2) and in the control unit (3) at least one memory (231, 301) is provided that is used to store, respectively, at least data (L2-L5), provided with a time stamp (L1), pertaining to granted entries, and

    - both the exterior unit (2) and the control unit (3) have a clock generator (232, 302) for generating time information, and the time information of the two clock generators (232, 302) are synchronized with one another in order to provide an aligned internal time stamp for the entry system (1) and to allow a plausibility check for the data (L2-L5) coming from the different memories (231, 301) of the exterior unit (2) and the control unit (3) among one another.

Images