By Robin Suttell
Imagine a company that has grown through acquisitions and now has facilities in 10 states. Half of those facilities have a common access control system, but there are four separate systems for the other five facilities. That’s a hassle for top executives who may have to carry five different access control cards or other credentials. It’s also a hassle for other employees who make regular visits. And it’s a hassle for facility executives who know there’s a better way.
It’s not just corporations that face that problem. A university or health care organization may have installed different access control systems on different buildings over the years. No matter what kind of organization, the result is the same: multiple access control systems that cause inconvenience to users, raise costs and jeopardize reliability.
“It’s a problem more building owners and managers run into than you can imagine,” says Roy Bordes, president and CEO of The Bordes Group, a security design and engineering firm. “They come in and take over a complex or campus and find they have a total hodgepodge of equipment that they need to make work together.”
Consolidating those systems is a big job, but in many cases it’s a smart one to undertake both logistically and financially, especially if streamlined operations will boost efficiency in the long run.
No two organizations have the same reasons for consolidating multiple access control systems, says Robert J. Lomb, associate security consultant with Schirmer Engineering. Facility executives need to ask themselves what objective they want to achieve. One question to ask is whether it makes financial sense for the organization to consolidate.
“When you look at bringing all of these systems together, it might cost too much money,” Lomb says. “It depends on the systems involved and why an organization might want to consolidate them.”
Cost is the real question, he says. The organization has to decide how much it wants to spend. “Sometimes it’s as simple as changing the cards or the readers,” he says. “Other times you have to change out hardware and software.”
Access control systems can range from a simple card-based system, such as magnetic stripe, proximity or smart card, used by employees to unlock a single door independently; to a multidoor system using hard-wired components and a dedicated PC or server; to a Web-based system that uses biometrics for access and controls the entire building, including lighting, HVAC and more.
The standard configuration of a typical hard-wired component access control system that’s tied to a dedicated server has a setup something like this: A card reader activates a lock and door contact. This hardware connects to a door access panel, which then communicates with the access control panel that links back to the server where the software and database needed to operate the system are housed.
“The panel and software typically are the two most expensive pieces of the puzzle,” says security consultant Frank Pisciotta, president and founder of Business Protection Specialists Inc. “If you have panels on your various systems that can talk to multiple software programs, you simply swap out the software and you can still be in business with your existing infrastructure.” If any of the panels are proprietary, however, facility executives have to replace more, he says. “You would be able to keep the lock, the reader and the door contact, but you would have to remove the control panels at every entrance, as well as the software.”
A company might own one facility and then buy another one and decide to integrate the access control system and run operations from one location. This can be done by replacing the controller at only one location so that both controllers will then be the same. However, employees at each location might carry different cards because the card readers are not the same.
“Down the road, you might decide you want to change readers or change to a card that has multiple reader technology so everyone is carrying the same card,” says Kurt Schwalbe, a life safety, security and IT infrastructure engineer at CUH2A. “Interoperability makes it easy for people to use the system, not only for the card holder but the people who maintain the database. If you have six different offices in the same city, you don’t want to have six different people handling enrollments.”
In one case, a large manufacturing firm had several campuses in one state running on different access control systems. After dealing with multiple systems that were compatible between some buildings, but not all, the company decided to investigate the feasibility of consolidating all systems to a single platform.
“They were able to tie in a central security monitoring center to manage multiple sites from one center,” says Ed Taraba, security specialist with CUH2A. “The control room staff was reduced. Administrative overhead from managing the systems was reduced, and human resources didn’t have to issue multiple cards.”
Such centrally managed systems can be partitioned to provide widespread access to some areas of a campus or office complex and more restricted access to others.
“Sometimes we come across facilities that want to have separate identities even on a common campus, such as research organizations that want to keep tight control on people who get into the ‘inner sanctum,’” Schwalbe says. “They might have their own separate system of controls for their restricted areas but also want to carry the same card through the main entrance. Partitioning allows you to do this.”
That’s how it works at a large federal research facility, which has multiple layers of security operating out of a central database. Workers enter on card access only. The main entrance runs on a proximity card reader. Security becomes increasingly tight when moving into areas where highly sensitive research is performed. In some areas, access is gained through a fingerprint reader. In even more restricted zones, access can be gained only through use of iris scanners.
Many times, the first step in the consolidation process is to assess the system with the assistance of a third-party consultant well versed in access control design and interoperability issues.
“Have someone technically competent come in and inventory the systems,” Bordes says. “Let’s say you have three different systems. A consultant can come in and tell you if they will work together or not, what needs to be replaced to make them work and also determine the cost savings of making them work together, as opposed to having three separate systems. An inventory of the systems lets you see exactly what you have and will reveal what you need to do.”
Many times, an inventory will show that it isn’t necessary to tear out the entire system and start from scratch.
“Once you inventory you can decide what you can keep and toss, based on how you want the system to operate,” Bordes says.
Depending on the outcome of the system inventory, there are several options to consider when it’s time to start the actual consolidation.
First, determine if access control panels can communicate with other software packages. For example, some access control panel manufacturers produce panels that work across a variety of systems, independent of the manufacturer.
“This option probably yields the lowest cost because only the access control software needs to be replaced,” Pisciotta says.
A second option would be to install firmware in the panels so they can be adapted to communicate with different access control software packages.
A third option focuses on consolidating everything to one access control system that best meets the facility’s needs. In the best-case scenario, all panels and software would need to be replaced but the locks, readers, door contacts and request-to-exit devices could likely be retained. If there is an unusual wiring protocol, the situation could be worse, Pisciotta says.
One thing to remember about consolidation is that newer systems will have greater ability to achieve interoperability. Newer systems are more likely to have a common database and the ability to partition access to it. An inventory of all systems involved will reveal which system is the most interoperable and should therefore serve as the standard for the other systems in the consolidation process.
“See which ones are closer to obsolescence,” Schwalbe says. “Usually the most recent one is better.” That isn’t always the case, he says. For example, an immediate need may leave no choice but to do a quick and dirty project. “But you still will want to assess all present systems and their good and bad points, as well as their age and physical installation.”
Another question to ask is whether any of the systems are proprietary. A system where functional old components can be kept and new ones can be easily integrated is preferable.
“Be sure you’re working with an open platform and not one that is proprietary,” Pisciotta notes. “You don’t want to be enslaved to a single manufacturing company. You can’t get out of that once you get past a certain point.”
Even with all these consolidation options, sometimes a facility is best served by starting off with a clean installation of a new access control system and building from that. Consolidating multiple existing access control systems typically can be an efficient and cost-effective way to streamline security operations. It does, however, need to be approached methodically and with a plan in mind.
“There are many different levels of consolidation, and sometimes it can be a long, drawn out process,” says Lomb. “You need to evaluate what you want to accomplish and make sure you maintain it throughout the entire process so the consolidation achieves what you want. When you have a clear path defined, everything flows better. To tear everything out without a plan can cause more harm than good.”
Once a system is consolidated, all doors should undergo operational testing to make sure the system communicates without gaps.
Frank Pisciotta, president and founder of Business Protection Specialists Inc., recommends reviewing the door’s operation in each of the following nine conditions to ensure that the proper level of security is provided:
“It’s all about performance and how it can affect safety and security,” Pisciotta says. “You need to understand how the system performs once it is consolidated and identify the weaknesses if the system isn’t programmed and operating correctly.”
— Robin Suttell
Robin Suttell is a freelance writer who has written extensively about building design, construction and operations issues.