Weighing the Options for Access Control and Evacuation Strategies
By Greg Zimmerman, Executive Editor - May 2005 - Security
Improvements in technology have transformed access control systems. Today, an access control system is the backbone of many organizations’ total security plan.
Not only does the access control system keep unauthorized visitors out of areas where they’re not allowed, it also serves as the center for integration with other elements of a facility’s security package, including CCTV, monitoring and alarm devices, security guards, and the facility’s visitor management policy.
The increasing convergence of security, facilities and IT has provided opportunities for other functions as well. Human resources may use the access control system to verify employee attendance. IT may use the system for logical access to computers. Access control systems can even affect how occupants pay for their lunches or control the temperature in their offices.
With all these factors to consider, facility executives designing an access control system face a challenge: maintaining the core goal of the system — ensuring a secure facility — while incorporating the peripheral features that will make other departments and end users happy as well.
The best place to start is identifying a facility’s potential vulnerabilities, and then analyzing how the access control system will address those areas. Experts say that such an assessment usually begins at the perimeter — with parking lots or garages — and moves in concentric circles inward, to access points of the facility, to specific areas or zones inside the facility, and finally to particular devices.
If there are problems at any of those areas, analyzing how a specific system will address those problems is important as well. Once the vulnerable areas and problems have been identified, facility executives then can look at different access control solutions that will best mitigate those threats. For instance, if laptops have disappeared from a fourth-floor computer lab, the facility executive may want to examine an access control system that is integrated with a CCTV camera that switches on and sends video to a guard whenever the door to that lab is opened.
“The initial step is to conduct a needs analysis to define the goals that are to be achieved through the deployment of an access control system,” says Mark Peterson, director of the iTechnology design resource at HID. “The results of such an analysis will identify the desired aspects of an access control system from the perspective of each organizational element that may ultimately use, administer or support the system.”
This means that the decision-makers from the key departments need to participate in determining how the system will function beyond just opening and closing doors. Those people will have input into what type of credentials — biometrics, PINs, magnetic strip cards, radio frequency identification cards (RFID) or contactless smart cards —the system will use and where access control devices will be placed. The type of credential chosen is also the vehicle by which other nonsecurity functions fit into the framework of the access control system. Certain types of cards can carry vast amounts of embedded information on a tiny chip, which allows occupants to use them for multiple functions all over the facility.
“Just as the access control system became the foundation for security systems integration, the access control card is becoming the platform to securely identify a person to many other systems within the workplace environment,” says Marc Freundlich, president of Indala. “Facility executives need to get the right parties around the table from the start, including human resources, security and IT. Roles must be determined and responsibilities defined.”
Not only is soliciting other departments’ input critical in determining the features of the access control system, it’s also important for mapping out how the system will be deployed and administered. The more complicated the system, the more crucial the IT department is as an ally.
“More and more, access control and security products are becoming IT-centric,” says Peterson. “Effective deployment now requires an increased level of technical expertise to effectively integrate access control devices and systems across an organization’s network.”
The access control system should be compatible with the existing IT setup and normal organizational operations, says Rob Zivney, vice president of marketing for Hirsch Electronics. “It should readily reside on the IT infrastructure,” he says.
Striking a balance
Over-buying an access control system can be both expensive and problematic. For example, a complicated biometric access control system that takes several seconds for authentication may hold a certain amount of cachet for an organization, but it’s probably not the best option at an office building’s main entrance. Lines will form, people will get frustrated and chaos will ensue.
The key is finding the balance between an acceptable level of security and normal facility operations. “The facility still has to function even though access control has been implemented,” says Bob McKee, director of business development at Pelco. “Improper design not accommodating for traffic flow during peak hours will cause tardiness and aggravation with employees who are attempting to abide by the security requirements.”
Even if the design of an access control system perfectly matches the security and operational needs of a facility, there’s always the danger that elements of the system will be neglected either because they’re improperly integrated into the total facility security plan or because facility executives don’t take the time to learn how to use them. This means that the system isn’t operating as designed and could lead the facility executive and the occupants to believe that they are safer than they might actually be.
While over-blowing and then under-using an access control system can be costly, under-designing one can be even worse. If upper management is unwilling to invest the necessary capital to fully fund a proposed project, facility executives should provide return on investment details about what a breach in security might cost the organization if an occupant were to sue. The facility executive can also provide data to show how an access control system can save money long-term by reducing stolen property.
But if the capital really isn’t available, skimping on the system may be worse than doing nothing at all. “If misapplied, access control can lead to a false sense of security,” says Tony Padilla, chief technology officer for Stanley Security Solutions.
Flexibility is a priority
Even if the access control system is working perfectly for the current security situation, it should still be designed so that it’s scalable to address future needs.
“The built-in scalability of many of today’s access control technologies provides a migration path that allows an organization to add features and expand the system as budgets allows,” says Holly Sacks, vice president of marketing for HID. “Facility executives can make technology choices based on what they need today and what they will need in the future, rather than simply on what is available.”
The system should also be flexible to handle changes in the security situation or threat level. This may include everything from the national color-coded terrorism threat level to switching the number of credentials needed to enter after 5 p.m. Many access control options exist that would require only a card swipe under ordinary circumstances. But if the situation changes, the device would require a card swipe and a PIN, or a biometric credential.
The basis for the change in security level can be automated. The access control system can be integrated with a computer system that changes the security level based on information from a Web site providing real-time local and national security data. The system could also be designed to automatically change based on the time of day or day of the week.
The level of threat or security situation may also affect how the facility’s visitor management policy is incorporated into the overall access control and security plan. As with the access control system, the higher the threat level, the more stringent the visitor management policy might be.
When considering the nuts and bolts of a visitor management strategy, facility executives need to decide how important it is that they know who is in the building, where they are going and how long they’ll be there.
“By requiring official documentation verifying identity as well as keeping a database, a facility executive can get a more accurate picture of who is on the premises,” says Julia Shih, marketing manager for Card Scanning Solutions. “Ideally, a good visitor management strategy will head off potential trouble before it even steps through the door.”
Updates in technology are making this task much easier.
As visitor management software improves, and scanning solutions make it easy to scan a driver’s license or business card, and print a sticker that can be applied to an access control card, visitor management and access control are becoming interdependent much more often.
Visitor management software can also save the scanned identification so that upon the visitor’s next visit, an ID can be waiting. Software that is integrated with the corporate Intranet can allow occupants to log on right from their workstations and send a request for a badge or card that can be preprinted before a visitor arrives.
New software allows customization of the badges or cards, so facility executives can create visitor badges or cards that look completely different than those of the regular occupants. That way, visitors are easily identified. Also, the access control system can be programmed with permissions so that access to certain areas can be restricted for visitors. Of course, permissions can always be changed if a certain visitor is authorized to enter a particular area. That visitor’s card would just need to be reprogrammed.
Many access control systems already have visitor management modules included, but there are independent visitor management systems that can be integrated with an existing access control system. Getting them to work together is just a matter of matching the type of credential used by the occupants with a visitor management software program that will work with that type of credential. For instance, if a driver’s license is scanned and a badge sticker printed, that sticker can usually be placed on a magnetic strip card, an RFID card or other type of card, and that card can be preprogrammed by the access control system to identify the person as a visitor. Unless a special card has been designed to identify visitors, the card will look exactly the same as those carried by the occupants.
In addition to the software and integration with the access control system, competent, trained and dedicated staff are required to ensure the visitor management policy’s success, says Sheila Stromberg, access control manager for Fargo Electronics. It’s also important, in high-traffic areas, to make sure the person handling visitors isn’t also answering phones, receiving deliveries, distributing mail or performing other tasks. And, of course, the more user-friendly the visitor management system, the better chances that the policy will be successful.
“User tasks such as registering visitors should be automated to eliminate keystrokes, by using driver’s license scanners for instance,” says Zivney of Hirsch Electronics. “The human-machine interface must be extremely easy to use.”
Even with a user-friendly, automated visitor management system, human guards are still a key component to the total facility security plan.
“It’s important to remember that one doesn’t replace the other,” says Stromberg. “The combination of security guards and access control provides the best blend of technology and human ability.”
‘Mustering’ gains popularity as way to track occupants
When considering an access control system, facility executives often weigh its potential impact on occupant safety during an evacuation as well as its ability to prevent unauthorized entry. Can the system be set up so that certain doors are locked down by the access control system during an evacuation? And, if so, is there potential threat to the safety of those trying to evacuate? If certain doors aren’t locked down during an evacuation, does a security threat exist? But even more importantly, is there a way to make sure everyone is present and accounted for after an evacuation?
Logging in, logging out
In facilities with high security requirements or where hazardous materials exist, the practice of mustering is becoming more commonplace. Mustering means using the access control system to keep a record of who is in the building at all times so that, in the event of an evacuation, a list of everyone in the building at the time of the evacuation can be consulted and people checked off as they’re accounted for. Essentially, the practice of mustering means that people log in and out of a building, just like they would a computer.
“Getting people out of a facility or campus is conceptually opposite to the primary function of an access control system,” says Debra Spitler, president of Omnikey. “But it is an increasingly recognized and utilized function of access control systems. Most systems have this ability, yet it is underused.”
To properly enact a mustering program, access control devices are installed at all exit points, or at muster stations — safety areas where people congregate in the event of an emergency. The visitor management policy must require card access and must be enforced meticulously, both by the guards and by the facility’s occupants.
“If employees allow others to enter under their access control card, or if a receptionist allows a vendor to deliver flowers to an employee’s desk without signing in, or if a visitor is allowed to use the restroom for just a few minutes without logging the visit into the system, then the evacuation report is compromised,” says Sheila Stromberg, access control manager for Fargo Electronics.
As mustering becomes a more popular method of using access control to keep track of building occupants’ whereabouts, facility executives will discover other ways of using the strategy.
One natural progression of mustering is strategically placing access control devices at doors so that different facility zones are created. With that approach, it would be possible to tell approximately where in the building a person is at any given time, or if the person is in the building at all. CCTV cameras could then help pinpoint the person’s exact location.
Evacuation plans must address who, when, where and how — and what role building elements must play
When a fire strikes, the top priority for facility executives is making sure occupants are safe. Achieving that goal is a multifaceted task. But at the core of any emergency plan for responding to a fire is an evacuation strategy that addresses questions such as which occupants should be evacuated under what circumstances and what building systems are needed to support the evacuation plan.
Three principal evacuation concepts are used in buildings today: complete evacuation of the entire building at one time; phased (or staged) evacuation, under which only a portion of the building’s occupants are evacuated or relocated within the building; and no evacuation (also referred to as defend-in-place). The latter strategy is used in buildings such as hospitals and nursing homes, where it is difficult to move or evacuate some occupants in an emergency; instead, an increased level of protection is built into the building so that occupants can be moved to a protected location within the building rather than being evacuated.
Evacuation strategy should be considered early in the design of a building. For example, in extremely tall buildings, a floor is sometimes designated as an area of refuge; that should be identified early in the process, because going back to add a story that was not programmed will not be well received by the owner. Where defend-in-place strategies are employed, building construction features need to be considered during design to justify the approach.
In a full-building evacuation (also known as complete evacuation), occupants in all areas of a building are notified simultaneously that an emergency exists. The notification throughout the building is uniform, and occupants understand from the notification signal that they are to evacuate the building. There is no potential for confusion that may result from initiating different evacuation signals in adjacent fire zones.
One disadvantage of a full building evacuation is that there may be a large number of people using the exits at the same time. Even though exits are properly sized per the building code, there may be a point when the evacuation seems to have stalled. Movement through the egress system will be limited to the slowest occupant using an egress element. Not all occupants of a building are equally able-bodied. Consider the difficulties a full-term pregnant woman will have negotiating exit stairs for more than a few stories.
A full evacuation may also restrict fire department deployment once firefighters arrive. Occupants in stairs, occupants using entrance/exits at the building main level and the large number of occupants milling around outside — all could hamper fire department access to the building.
Horns, chimes or bells, in combination with strobe devices, are generally used to notify occupants of a full-building evacuation. However, a voice communication system can also be used to transmit a full-building evacuation message. In general, the building will need a fire detection and alarm system to notify occupants automatically. In some jurisdictions and occupancies, occupant notification systems are only manually activated. Typically, however, full-building evacuation is initiated based on detection of water flow in a sprinkler system, activation of a manual alarm station, or activation of smoke or heat detectors, all of which would be connected to and monitored by the fire detection and alarm system.
Full-building evacuation is normally used in low-rise buildings of a variety of occupancies (i.e., business, residential, mercantile, etc.). This approach may also be used in buildings that have a low occupant load, regardless of the building height.
In a phased (staged) evacuation, occupants from the zone of fire origin may be moved to another area of the building that is protected from the fire zone. This allows occupants an opportunity to stage — that is, be relocated — within the building, offering an extended period of time to evacuate a building completely, if the fire department ultimately determines complete evacuation is needed. Phased evacuation is most often associated with high-rise buildings, particularly extremely tall structures. Other occupancies that may use this approach include health care and detention/correctional facilities, where occupants may not be capable of evacuating the building on their own.
The premise of phased evacuation is that occupants do not have many options for egress, and that it could take more than an hour to effect a full evacuation, depending upon the circumstances. Ultimately, it may not be necessary to fully evacuate the building, provided the building is constructed to withstand and contain fires of typical origin. This reasoning is the basis for modern-day high-rise evacuation strategies, developed through task forces in the 1970s assembled to address this issue.
Phased evacuation is implemented using multiple notification messages or signals. The best approach is to use a voice alarm system where specific instruction can be issued to building occupants. Occupants in the zone of fire origin — and perhaps immediately adjacent zones depending on their proximity to the fire, which varies based on local jurisdiction/code — are given a signal or message to evacuate. Occupants in other zones are given a signal to notify them that an incident has been reported elsewhere in the building, that occupants from the zone of fire origin may be coming to their part of the building, and that they should remain alert and wait for further instruction.
Phased evacuation is only effective if the occupants being removed from the zone of origin can be moved to another area of the building that is protected and properly separated from the zone of fire origin. At a minimum, the building must be of fire-resistive construction (structural frame, floor and vertical openings), allowing the building to withstand a fire long enough for the fire department to begin suppression activities. Additionally, the building should be provided with smoke or fire compartmentation — that is, the building is subdivided into distinct zones (compartments) that are separated from other zones in the building by construction that will delay or minimize the movement of fire and smoke through the building. Most of the compartmentation is achieved through fire-resistive building construction.
The building should be fully protected with sprinklers. Sprinklers offer an automatic ability to control or suppress a fire early in its growth, and they are an effective means of detecting a fire automatically. Thus, they are also an effective means of initiating the occupant notification system. Ideally, sprinkler systems will be zoned to coincide with fire or smoke compartment boundaries, although this is not always practical.
If phased evacuation is to be used, it is imperative that fire zone boundaries are identical to occupant notification zone boundaries. In other words, the entire fire zone must be a single zone for occupant notification, so that all occupants within the fire zone receive the same message. That objective is not well documented in today’s building codes. If occupant notification zones (i.e., horn or speaker circuits) do not correspond precisely with fire zone boundaries, occupants in the fire zone may not get the appropriate evacuation notification signal.
Phased evacuation gives evacuation priority to occupants closer to the emergency. In addition, fewer people are using stairs and exits, thus providing greater building access for the fire department.
The concept of phased evacuation is often difficult to understand. When this strategy is used, a potentially large number of occupants will remain inside a building where an emergency is occurring. Phased evacuation also assumes that zones removed from the zone of origin remain tenable. The most difficult obstacle to overcome is the complexity of the occupant notification system, which must be aligned with building construction features. If occupant notification and fire compartmentation zones aren’t identical, there is a risk of panic setting in among occupants who remain in the building because they are given inappropriate information or instructions. This could result in potential liability to the owner and building management.
This evacuation concept is similar to phased evacuation, except that the movement of the occupants is principally horizontal, if there is any movement at all. Health care and detention/correctional facilities are among the occupancies using this type of evacuation. In both of these occupancies, the occupants are constrained in some manner from being able to exit the building. As a result, it is important that the building have features to protect occupants while limiting the need for them to evacuate.
Current codes require that these occupancies provide fire-resistive construction, smoke and fire containment through compartmentation, fire detection and alarm systems, and sprinkler systems for control of fires early in their growth. As with phased evacuation, it is imperative that alarm, detection and sprinkler zoning be aligned with smoke compartmentation, even though this is not specifically required by code. And voice alarm systems capable of making multiple, simultaneous announcements are most effective for a defend-in-place strategy, although, once again, current codes do not specifically require this feature.
Smoke management systems may also be employed, especially where occupants are unable to evacuate the zone of fire origin, as may happen in a detention facility. Zoning of these systems must be aligned with the building compartmentation and the zoning of other fire protection systems. This objective is also not well defined within current codes.
Like phased evacuation, a defend-in-place strategy gives occupants closer to the emergency situation priority for evacuation. It also provides greater freedom for fire department deployment because stairs and entrances are not congested with occupants whose ability to move may be hampered.
As with phased evacuation, a defend-in-place approach means that a potentially large number of building occupants, if not all of them, remain in a building where an emergency is occurring. It also assumes that zones removed from the zone of origin remain tenable. The most difficult obstacle to overcome is the complexity of coordinating the occupant notification system with building construction features.
Choosing a strategy
What is the best evacuation strategy in the event of a fire? There is no single answer to that question. The most appropriate strategy for a specific building depends on a range of factors, including proximity of the building to prompt, reliable emergency response services; nature of the operations conducted in the building; fire protection features built into the building; the occupancy or use of the building; and the ability of occupants to evacuate the building on their own, as well as their ability to do so promptly. Research into human behavior also is beginning to have an impact on the design of evacuation systems.
In new construction, building use and occupancy should determine which evacuation concept is selected. The fire protection systems and features required for that strategy should then be identified and designed into the building.
In a renovation, it is necessary to assess the fire protection features existing in the building, especially the passive and complex mechanical systems that are difficult to retrofit into a building. That assessment should be a primary factor in determining the potential use of the existing structure. Other fire protection systems — like fire detection, alarm and sprinkler systems — can be retrofit as required by the evacuation strategy appropriate for the existing building features and the planned occupancy.
It is important to recognize that an emergency other than a fire may call for an evacuation strategy different than the one adopted for a fire.
Any evacuation strategy can be useless if the occupants are not aware of how the building systems are intended to function in an emergency and if occupants have not practiced evacuation. Occupants must be trained in and must practice using the evacuation systems provided in the buildings where they live or work. Otherwise, the time spent in designing effective fire and life safety systems and procedures may be in vain.
Jeff Harper is vice president and engineering manager for the Chicago office of Rolf Jensen & Associates Inc. Josh Greene is the associate engineering manager for the office.
Future NIST report could lead to more full-evacuation designs
More than 14,000 people would have died in the collapse of the World Trade Center buildings on Sept. 11 had the buildings been fully occupied, says a draft report from National Institute of Standards and Technology (NIST).
That draft was one of 15 draft reports released by NIST last month. The drafts are expected to lead NIST to recommend improvements to building and fire codes, particularly for high-rise buildings.
The report concludes that the Sept. 11 evacuation of the twin towers was significantly faster than the evacuation that occurred during the 1993 bombing of the buildings. But the evacuation was still slower than industry standards —occupants descended the stairwells at about half the rate expected during a non-emergency evacuation.
The twin towers were designed for phased evacuation, not the full evacuation that occurred following the attack. Had WTC 1 been fully occupied prior to the attack, the building would have taken more than four hours to fully evacuate 25,000 people under the circumstances, the report states.
Shyam Sunder, lead investigator for NIST, suggests the report could lead to more full-scale evacuation plans for high-rise buildings, which traditionally rely on phased evacuation plans.
“The recommendations will be released in June, but I think it really points to the fact that full evacuation of buildings needs to be within the framework of the design for buildings,” says Sunder. “They do happen.”
Tenants evacuated the World Trade Center at an average rate of 1.3 floors per minute, slower than normal because of obstacles and stairwell crowding.
Slightly more people reported overcrowding problems in WTC 1 than in WTC 2, probably because some people in WTC 2 used elevators to evacuate in the 16 minutes before the second tower was struck. The rate of evacuation slowed in the final 20 minutes before each tower collapsed, which means most survivors who were able to make it to a stairwell were able to evacuate, the report states.
Sunder says phased evacuation has worked well for most high-rise emergencies. But building egress capacity and evacuation time become key when considering the full evacuation that is needed during worst-case scenarios, Sunder says.
“Once we start thinking about questions in that context, you realize it becomes very important to consider the performance objectives for that building,” says Sunder.
Some buildings are at higher risk because they have an iconic nature or they house critical functions. Having a full evacuation plan and sufficient capacity should be a priority for such buildings, says Sunder.
“Each strategy — defend-in-place, phased and full evacuation — has a role depending on the type of incident,” Sunder says. “Full evacuation is something someone would plan for as a not unreasonable incident over the life of a building. Maybe a handful of times it would happen.”
—Brandon Lorenz, senior editor