Improved Building Access Control in the UK with dedicated standards for access control systems.
Building security for both commercial and multi-unit residential buildings comes in many forms and remains a top area of focus for building designers, contractors and managers alike. The first line of security for any building often begins with basic physical attributes, including aspects such as low shrub lines, high fencing and well-lit parking lots and property grounds, but the first line of defense for electronic security is typically a building’s access control system.
By limiting building access based on a specific set of physical or electronically recognized and restricted credentials, access control systems help ensure easy access for those who need it (residents, employees, etc.) while also helping to prevent potential from gaining unauthorized access. Though many of the basic principles of electronic access control apply regardless of region, some specific countries and regions have unique requirements or take an enhanced focus on building security, requiring a more dedicated approach to ensure the proper operation of these devices. Such was the scenario in the United Kingdom (UK) when the UK Police Authorities, through its Secured By Design (SBD) initiative, sought a dedicated standard for access control systems and equipment in the UK.
To accomplish this goal and work to ensure a dedicated focus, SBD sought the partnership of UL (Underwriters Laboratories), a global safety company with a rich history of safety-science experience. Together, a dedicated UK standard – UL 293, Outline of Investigation for Access Control System Units Intended for Use in the UK – was developed to cover England, Scotland, Wales and Northern Ireland to provide reliable guidelines to the industry.
Understanding the Basics of Access Control
Access control systems provide electronic building security by using appropriate credentials – including access codes, security cards and biometric scanners – to control and authorize access. At the discretion of the authority having jurisdiction, the systems support unrestricted egress from the building/dwelling to help ensure easy escape in the event of an emergency. [In the case of facilities, such as certain healthcare facilities, the relevant occupancy codes apply. ]Additionally, best practice typically requires the support of battery backup power so as to not inconveniently restrict access during power outages.
As these systems rely on electronic components, such as keypads, card readers or biometric scanners, extra consideration must be given to both the functionality of the system and the physical and electronic security of the various components. Security is typically a tiered approach, involving several layers that work together to keep premises secure. The implementation of an access control system is a critical initial security layer.
Addressing the Unique Requirements of SBD
Secured by Design is focused on the design and security of new and refurbished residential dwellings, commercial buildings and car parks. Through close collaboration with the industry and applicable test houses, SBD works to create and maintain high level security standards by responding to crime trends in the UK. This focus and attention to the country’s specific security needs is what led SBD to engage with UL on the development of a dedicated standard.
With a century long history and depth of knowledge as a standards development organization (SDO), testing organization (TO), and certification organization (CO), UL’s experience complemented the efforts of SBD. Additionally, SBD was familiar with the benefits of the existing standard, UL 294, Standard for Access Control System Unit. The dedicated standard that resulted from this joint effort – UL 293 – was designed to complement “Secured by Design HOMES 2016” (published 2016), a crime prevention initiative specifically applied to the UK.
To help ensure recognition of and compliance with the UL 293 Standard, “HOMES 2016” references the Standard directly, noting, “The technology by which the access control system operates is outlined within UL 293.” Additionally, the document outlines several requirements that access control systems must meet to be found suitable.
More specifically, “HOMES 2016” requires more than the use of a restricted electronic key fob, card or other credential. The external door entry panel must be resistant to vandalism and, as an extra deterrent, should include an integral camera. Further, for resident security and convenience, the restricted access door must be connected to a remote release within the dwelling and audio/visual communication between the occupant and the visitor is recommended. Finally, color images of those using the access system should be captured and all panel activities, visitor and resident, should be recorded and maintained for 30 days.
Covered by UL 293
Testing to UL 293 must be completed by an authorized test lab and UL is the first test lab to offer such service. The Standard is a performance only document that covers equipment as it is meant to be used, but it does not contain the same safety-related tests or construction requirements found in UL 294. In the EU, self-declaration is very common and the goal was to align with locally acceptable conformity assessment practices. Self-certification to IEC/UL 60950-1, Information Technology Equipment – Safety – Part 1: General Requirements, is acceptable in the UK as most products fall under the Low Voltage Directive and IEC 60839-11-1, International Standard for Alarm and Electronic Security Systems, is considered a recommendation. Just as the “HOME 2016” document references UL 293, the standard also requires that installation of the access control system must be completed in accordance with the requirements set forth in “HOMES 2016.”
Attack resistance is assessed based on attack performance in accordance with BS EN 1627/1630, Resistance Class 2 (RC2). Within these requirements, the product must be able to withstand a physical attack for a minimum of three minutes and a maximum of 23 different tools can be used during various attacks. For outdoor use equipment, water spray is addressed as part of the required ingress tests to help ensure the system can withstand a 6.3 mm spray nozzle test in accordance with IEC 60529 and will not grant access as a result of ingress. Further, the Standard adds requirements to address “door forced” and “door held open” trouble conditions along with the annunciation of loss of primary power to indicate the equipment is operating on standby power.
Assuming normal operating conditions, requirements are also in place to address the use of industry de-facto interface protocols such as Wiegand and Open Supervised Device Protocol (OSDP) formats. An overview of some additional requirements that align with international norms can be found below:
- Supply-line Transients – Test performed in accordance to IEC 61000-4-12, with IEEE C62.41 noted as an alternate
- Input/Output Circuit Transients – Test performed in accordance to IEC 61000-4-5, with the legacy UL 294 access control system test noted as an alternate test method
- Variable Ambient Temperature – Products must withstand temperature exposure to 45°C, rather than 49°C as outlined in UL 294, to better reflect typical environmental conditions in the UK
Finally, encrypted communication and line security requirements are detailed in the Standard, but software cybersecurity is an ever-evolving challenge that is offered as a separate element of service through the UL 2900 series of Standards. As the world becomes increasingly connected, with more products joining the Internet of things (IoT) every day, guarding again a cyberattack is just as important as seeking to prevent access gained through physical means. In addition to UL 293, a third-party evaluation to a Standard such as UL 2900-2-3, Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems, can work in complement to assess software vulnerabilities that may be present in an access control system.
Ensuring the reliable performance of an access control system is only a part of SBD’s larger focus, but it is a critical component of building security. As an element of tiered security of a building, access control panels provide much needed security and peace of mind to building owners and residents. Combining the dedicated, UK focus maintained by SBD with the standards development, testing, and certification services of UL proved to be the ideal solution to enhancing building security in a way that works to complement the efforts of the UK Police Authorities.
Lou Chavez is UL’s Principal Engineer, responsible for the technical oversight of physical and electronic security categories and the technical relevance of UL’s related security standards. Lou has 30 years of experience with national and international standards development, regulatory, code development and conformity assessment areas.