(19)
(11)EP 3 492 414 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
24.02.2021 Bulletin 2021/08

(21)Application number: 18197681.2

(22)Date of filing:  28.09.2018
(51)Int. Cl.: 
B66B 1/46  (2006.01)
B66B 1/34  (2006.01)

(54)

ELEVATOR REQUEST AUTHORIZATION SYSTEM FOR A THIRD PARTY

AUFZUGSANFORDERUNGSBERECHTIGUNGSSYSTEM FÜR EINE DRITTE PARTEI

SYSTÈME D'AUTORISATION DE REQUÊTE D'ASCENSEUR POUR UN TIERS


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 29.09.2017 US 201715721360

(43)Date of publication of application:
05.06.2019 Bulletin 2019/23

(73)Proprietors:
  • Otis Elevator Company
    Farmington, Connecticut 06032 (US)
  • Aguilar, Cesar
    Brooklyn, NY 11211 (US)
  • Yousoufov, Simantov
    Brooklyn, NY 11211 (US)

(72)Inventors:
  • SCOVILLE, Bradley Armand
    Farmington, CT 06032 (US)
  • LEONG, Yew
    Farmington, CT 06032 (US)
  • KUENZI, Adam
    Salem, OR 97302-1142 (US)
  • AGUILAR, Cesar
    Brooklyn, NY 11211 (US)
  • YOUSOUFOV, Simantov
    Brooklyn, NY 11211 (US)
  • NOVOZHENETS, Yuri
    Pittsford, NY 14534 (US)
  • HIGLEY, Jason
    Pittsford, NY 14534 (US)

(74)Representative: Schmitt-Nilson Schraud Waibel Wohlfrom Patentanwälte Partnerschaft mbB 
Pelkovenstraße 143
80992 München
80992 München (DE)


(56)References cited: : 
JP-A- 2007 131 434
US-A1- 2017 243 417
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    BACKGROUND



    [0001] The following description relates to elevator systems and, more specifically, to a mobile elevator request floor authorization system of an elevator system for a third party.

    [0002] In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering or using. Permission to access a resource is called authorization.

    [0003] In a building, AC is employed to permit or prevent access to certain areas or floors by various personnel. For example, in a hotel, hotel guests may be permitted to have access to their guestrooms and public areas but not to other guestrooms or hotel offices. On the other hand, cleaning services may have access to all the guestrooms.

    [0004] In any case, movement between floors in a building is often provided by way of an elevator system that is responsive to elevator requests made in elevator bays. Those elevator requests may be improper, however, as in a case in which a hotel guest or cleaning person requests travel to a floor in the hotel to which he does not have access.

    [0005] US 2017/243417 A1 discloses a system and method for authorising a user securing an elevator call in a buildin, wherein a mobile device receives a secure authorisation token that includes an expiration time, the mobile device is connected to a backend system using the secure authorisation token, using the backend system, an authenticity of the secure authorisation token from the mobile device is verified based on at least the expiration time, generating, a secure access token a random number is generated at the backend system in response to the authenticity of the secure authorization token being verified, and the secure access token and the random number for use making elevator call requests is received at the mobile device.

    BRIEF DESCRIPTION



    [0006] The present invention relates to an elevator request authorization system according to the appended claims.

    [0007] According to the invention, an elevator request authorization system is provided and includes a second server configured to grant an elevator use token upon request from a first server registerable with the second server for establishing secure communications between the second server and the first server. The first server is configured to be receptive of an elevator request relating to elevator usage by a user, to authenticate the user, to authorize the elevator usage by the user to which the elevator request relates, to request the elevator use token from the second server via the secure communications upon authentication and authorization and to deliver the elevator use token to the user upon receipt, wherein the elevator use token is valid for a predefined sequence of elevator usages.

    [0008] In accordance with further embodiment, the elevator request is initiated via a mobile device.

    [0009] In accordance with further embodiment, the first server has an administration key for supporting the secure communications. The administration key is receivable from the second server upon registration of the first server.

    [0010] In accordance with further embodiment, the elevator request includes user identification information and source and destination floor identification.

    [0011] In accordance with further embodiment, authentication and authorization by the first server include confirmation of user validity and confirmation of elevator request permissibility, respectively.

    [0012] According to further embodiment, the elevator request authorization system includes an elevator system including at least one elevator servicing a plurality of floors in a building. The elevator system is receptive of the elevator use token from the user and configured to issue to the user a notification responsive to elevator use token reception.

    [0013] In accordance with further embodiment, the user initiates the elevator request with a mobile device.

    [0014] In accordance with further embodiment, the notification includes at least one of elevator assignment, position and arrival information.

    [0015] In accordance with further embodiment, the elevator use token includes at least one of a temporarily valid elevator use token and an elevator use token that is valid at certain times.

    [0016] These and other advantages and features will become more apparent from the following description taken in conjunction with the drawings.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0017] The subject matter, which is regarded as the disclosure, is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other features, and advantages of the disclosure are apparent from the following detailed description taken in conjunction with the accompanying drawings in which:

    FIG. 1 is a schematic illustration of a building in accordance with embodiments;

    FIG. 2 is a schematic diagram illustrating an elevator request authorization system of the building of FIG. 1 in accordance with embodiments; and

    FIG. 3 is a schematic diagram of a computing device of the elevator request authorization system of FIG. 2 in accordance with embodiments.


    DETAILED DESCRIPTION



    [0018] As will be described below, a method for authorizing elevator requests to specific floors is provided. An administration key is issued to a trusted third party enabling the trusted third party to request elevator use tokens for certain users. One such user then places an elevator request to the trusted third party and the trusted third party authenticates the user (i.e., by making sure the user is himself trusted, authentic or pre-registered with the trusted third party), inspects the elevator request, and determines if the user is authorized to use a corresponding elevator system in accordance with the elevator request. Authorization logic is thus the responsibility of the trusted third party and it is expected that the trusted third party will inspect, for example, the source floor and the destination floor as part of the authorization. Once the trusted third party has authenticated and authorized the user, the trusted third party requests the elevator use token over a secured link to the elevator server, the elevator server responds by issuing such elevator use token, and the trusted third party provides the elevator use token to the user. The user then uses the elevator use token to make an elevator request to the elevator server.

    [0019] With reference to FIG. 1, a building 10 is provided. The building 10 may be a hotel, an office building, an apartment building or any other type of building and includes a plurality of floors 11 and an access control system 100. The access control system 100 is generally configured to prevent or permit access to areas in the building 10 and includes or communicates with an elevator system 13. The elevator system 13 includes one or more elevator cars 130 that travel through hoistways 14 to service the plurality of the floors 11 and a dispatcher unit 15. The dispatcher unit 15 is configured to dispatch the one or more elevator cars 130 in response to elevator requests. The elevator requests may be generated at each of the plurality of floors 11 by users placing an RFID card or other secure identification in front of readers 16 that are distributed throughout the building 10 or by way of mobile devices as will be described below and then entering an elevator request into a keyboard, keypad or kiosk associated with the nearby reader 16.

    [0020] With continued reference to FIG. 1 and with additional reference to FIG. 2, the elevator system 13 is deployed in concert with an elevator request authorization system 20 that authorizes elevator requests to certain or specific floors. The elevator request authorization system 20 includes a remote, third party, trusted third party or first server (hereinafter referred to as a "first server") 21, which may be but is not required to be remote from the building 10 and which is accessible by a mobile or portable computing device (hereinafter referred to as a "mobile device") 22 of the user and an elevator or second server (hereinafter referred to as a "second server") 23 that may be remote from or local to the building 10.

    [0021] The mobile device 22 of the user may be provided as a smartphone, a tablet, a laptop computer, a smart watch, etc. In any case, the mobile device 22 may have an application, such as an elevator request application, stored thereon for facilitating an interface between the user and the elevator system 13 and the elevator request authorization system 20 of the building 10. The user initially uses the application to register himself and the mobile device 22 with the first server 21. For purposes of clarity and brevity, the following description will relate to the case of the mobile device 22 being a smartphone.

    [0022] The second server 23 is configured to grant an elevator use token upon request. In accordance with embodiments, the elevator use token may be provided as a hard-to-guess identifier that is used in a matching operation against the request. In an exemplary case, the elevator use token may be provided as a globally unique identifier (GUID), a really big number or a digital certificate including an elevator request and any restrictions about the elevator request so that the elevator system 13 can simply use the certificate to determine the limitations associated with the elevator request.

    [0023] The first server 21 is registerable with the second server 23 as a trusted entity for establishing secure communications between the second server 23 and the first server 21. Such registration may be conducted prior to the registration of the user with the first server 21 and, if successful, results in the second server 23 issuing an administration key to the first server 21. The administration key could be an encryption key, a digital certificate that is used to validate any hypertext transfer protocol within a connection encrypted by transport layer security (HTTPS) request going from the first server 21 to the second server 23, a token that is included with an application programming interface (API) call to the second server 23 or any other such method of authenticating and validating that a client is trusted by a service. The administration key is subsequently held by the first server 21 and is operable for establishing and supporting secure communications between the first server 21 and the second server 23.

    [0024] The first server 21 is configured to be receptive of an elevator request relating to usage of the elevator cars 130. This elevator request may be initiated by a user through the application of the mobile device 22 and may include user identification information and source and destination floor identification. The first server 21 is also configured to authenticate the user by confirmation of user validity (i.e., by making sure the user is himself trusted, authentic or pre-registered with the first server 21 via a user name and password, a self-registration mechanism by receipt of an email with a confirmation link that when clicked activates a mobile application with a token that provides for a connection to the first server 21, or by other well-known processes of validating a user account on a mobile application with the first server 21.) and to inspect and review the elevator request to determine by confirmation of elevator request permissibility whether the elevator request can be authorized for the user (i.e., by determining whether the user is authorized or permitted to travel by elevator from the source floor to the destination floor of or as identified in the elevator request). To this end, the first server 21 will maintain a logic and a database that can be used to check against which floors the user is permitted access to. Such logic and database may be unique on a building-to-building basis.

    [0025] The first server 21 is further configured to either authorize the usage of the elevator cars 130 by the user to which the elevator request relates or to refuse such authorization in accordance with a result of the inspection and review. That is, the first server 21 may authorize the usage of the elevator cars 130 by the user to which the elevator request relates in an event the usage is consistent with access rights of the user as determined by the first server 21. On the other hand, the first server 21 may refuse such authorization in event the usage is inconsistent with the access rights of the user as determined by the first server 21. In addition, the first server 21 is configured to request the elevator use token from the second server 23 upon completion and affirmation of the authentication and authorization processes via the secure communications established between the second server 23 and the first server 21. As yet another feature, the first server 21 is configured to deliver the elevator use token to the user upon receipt of the elevator use token from the second server 23.

    [0026] The elevator system 13 is then receptive of the elevator use token from the user and is configured to respond to the user accordingly. The response of the elevator system 13 may include issuance of a notification to the user in response to elevator use token reception. The notification may include at least one of elevator assignment, position and arrival information.

    [0027] In accordance with embodiments, the elevator use token may be a one-time elevator use token. As such, in a case in which the first server 21 is operated by a cleaning service of a hotel and the user is an employee of the cleaning service, for example, the user/cleaning service employee may be able to obtain the elevator use token to move from a source floor to only a single destination floor in the hotel in an elevator car 130. If the user/cleaning service employee wishes to move from that destination floor to a second destination floor, it would be necessary for him to obtain a new elevator use token by way of a secondary elevator request in which the original destination floor is re-defined as a source floor and the second destination floor is defined as a destination floor.

    [0028] In accordance with the invention, the elevator use token is valid for a predefined number of sequential or intermittent elevator usages. As such, in the example given above, the user/cleaning service employee could move from the first floor to the second floor, from the second floor to the third floor, from the third floor to the seventh floor, etc., using the same elevator use token valid for the predefined number of sequential or intermittent elevator usages as long as he did not exceed that predefined number.

    [0029] In accordance with the invention, the elevator use token is valid for one or more predefined sequences of elevator usages. As such, in the example given above, the user/cleaning service employee could move from the first floor to the second floor, from the second floor to the third floor, from the third floor to the fourth floor, etc., using the same elevator use token valid for the one or more predefined sequences of elevator usages. He could not use this token, however, for moving from the first floor to an out-of-sequence floor and would need to obtain a new elevator use token to do so.

    [0030] In accordance with additional embodiments, the elevator use token may be temporarily valid for a predefined period of time or to be valid only during certain times (e.g., for five minutes from a time of the issuance of the elevator use token or from 9:00 AM to 10:00 AM on one or more days). As such, in the example given above, the user/cleaning service employee could move between any pair of floors using the same elevator use token being valid for the predefined period of time. He could not use this token, however, once the predefined period of time expires and would need to obtain a new elevator use token once expiration occurs.

    [0031] With reference to FIG. 3, each computing device described herein (e.g., the mobile device 22, the first server 21, the second server 23 and any computing devices included in the elevator system 13 and the dispatching unit 15) may generally include a central processing unit 301, a memory unit 302 and a networking unit 303 by which the central processing unit 301 of each computing device communicates with other computing devices. The memory unit 302 has executable instructions stored thereon and which are executable by the central processing unit 301 to execute various methods, processes and algorithms. At least some of these method, processes and algorithms are described above and below.

    [0032] With reference back to FIG. 2, a method of executing elevator request authorization is provided and includes registering a first server 21 with a second server 23 as a trusted entity for establishing secure communications between the second server 23 and the first server 21 (201), receiving, at the first server 21, an elevator request relating to elevator usage by a user (202), authenticating and authorizing, at the first server, the user and the elevator usage by the user to which the elevator request relates, respectively (203), requesting via the secure communications, by the first server 21, an elevator use token from the second server 23 upon completion of the authenticating and authorizing (204), issuing, by the second server 23, the elevator use token to the first server 21 responsive to the requesting (205) and delivering or forwarding the elevator use token to the user (206). Subsequently, the method may include issuing the elevator request along with the elevator use token from the user to the elevator system 13 (207) and issuing, from the elevator system 13 to the user, a notification in response to the issuance of operation 207 (208).

    [0033] While the disclosure is provided in detail in connection with only a limited number of embodiments, it should be readily understood that the disclosure is not limited to such disclosed embodiments. Accordingly, the disclosure is not to be seen as limited by the foregoing description, but is only limited by the scope of the appended claims.


    Claims

    1. An elevator request authorization system (20), comprising:

    a second server (23) configured to grant an elevator use token upon request from a first server (21) registerable with the second server (23) for establishing secure communications between the second server (23) and the first server (21),

    the first server (21) being configured to be receptive of an elevator request relating to elevator usage by a user, to authenticate the user, to authorize the elevator usage by the user to which the elevator request relates, to request the elevator use token from the second server (23) via the secure communications upon authentication and authorization and to deliver the elevator use token to the user upon receipt,

    characterized in that the elevator use token is valid for a predefined sequence of elevator usages.


     
    2. The elevator request authorization system according to claim 1, wherein the elevator request is initiated via a mobile device (23).
     
    3. The elevator request authorization system according to claim 1 or 2, wherein the first server (21) has an administration key for supporting the secure communications, the administration key being receivable from the second server (23) upon registration of the first server (21).
     
    4. The elevator request authorization system according to any of the preceding claims, wherein the elevator request comprises user identification information and source and destination floor identification.
     
    5. The elevator request authorization system according to any of the preceding claims, wherein authentication and authorization by the first server (21) comprise confirmation of user validity and confirmation of elevator request permissibility, respectively.
     
    6. The elevator request authorization system according to any of preceding claims, further comprising:

    an elevator system (13) comprising at least one elevator servicing a plurality of floors in a building,

    the elevator system (13) being receptive of the elevator use token from the user and configured to issue to the user a notification responsive to elevator use token reception.


     
    7. The elevator request authorization system according to claim 6, further comprising a mobile device (22) by which the user initiates the elevator request.
     
    8. The elevator request authorization system according to claim 6 or 7, wherein the notification comprises at least one of elevator assignment, position and arrival information.
     
    9. The elevator request authorization system according to claim 8, wherein the elevator use token comprises a temporarily valid elevator use token.
     
    10. The elevator request authorization system according to any of claims 8 to 9, wherein the elevator use token comprises an elevator use token that is valid at certain times.
     


    Ansprüche

    1. Aufzugsanforderungsberechtigungssystem (20), umfassend:

    einen zweiten Server (23), der konfiguriert ist, um bei Anforderung von einem ersten Server (21), der bei dem zweiten Server (23) registrierbar ist, einen Aufzugsverwendungstoken zu gewähren, um sichere Kommunikation zwischen dem zweiten Server (23) und dem ersten Server (21) herzustellen,

    wobei der erste Server (21) konfiguriert ist, um eine Aufzugsanforderung zu empfangen, die sich auf Aufzugsverwendung durch einen Benutzer bezieht, um den Benutzer zu authentifizieren, um die Aufzugsverwendung durch den Benutzer, auf den sich die Aufzugsanforderung bezieht, zu autorisieren, um den Aufzugsverwendungstoken von dem zweiten Server (23) über die sichere Kommunikation bei Authentifizierung und Autorisierung anzufordern und um den Aufzugsverwendungstoken bei Empfang an den Benutzer zu liefern,

    dadurch gekennzeichnet, dass der Aufzugsverwendungstoken für eine vordefinierte Sequenz an Aufzugsverwendungen gültig ist.


     
    2. Aufzugsanforderungsberechtigungssystem nach Anspruch 1, wobei die Aufzugsanforderung über eine mobile Vorrichtung (23) initiiert wird.
     
    3. Aufzugsanforderungsberechtigungssystem nach Anspruch 1 oder 2, wobei der erste Server (21) einen Verwaltungsschlüssel zum Unterstützen der sicheren Kommunikation aufweist, wobei der Verwaltungsschlüssel von dem zweiten Server (23) bei Registrierung des ersten Servers (21) empfangen werden kann.
     
    4. Aufzugsanforderungsberechtigungssystem nach einem der vorhergehenden Ansprüche, wobei die Aufzugsanforderung Benutzeridentifizierungsinformationen und Start- und Zielstockwerksidentifizierung umfasst.
     
    5. Aufzugsanforderungsberechtigungssystem nach einem der vorhergehenden Ansprüche, wobei Authentifizierung und Autorisierung durch den ersten Server (21) jeweils Bestätigung von Benutzergültigkeit und Bestätigung von Aufzugsanforderungszulässigkeit umfasst.
     
    6. Aufzugsanforderungsberechtigungssystem nach einem der vorhergehenden Ansprüche, ferner umfassend:

    ein Aufzugssystem (13), das zumindest einen Aufzug umfasst, der eine Vielzahl von Stockwerken in einem Gebäude bedient,

    wobei das Aufzugssystem (13) den Aufzugsverwendungstoken von dem Benutzer empfängt und konfiguriert ist, um als Reaktion auf Aufzugsverwendungstokenempfang eine Benachrichtigung an den Benutzer auszugeben.


     
    7. Aufzugsanforderungsberechtigungssystem nach Anspruch 6, ferner umfassend eine mobile Vorrichtung (22), durch die der Benutzer die Aufzugsanforderung initiiert.
     
    8. Aufzugsanforderungsberechtigungssystem nach Anspruch 6 oder 7, wobei die Benachrichtigung zumindest eines von Informationen zur Zuweisung, Position und Ankunft des Aufzugs umfasst.
     
    9. Aufzugsanforderungsberechtigungssystem nach Anspruch 8, wobei der Aufzugsverwendungstoken einen temporär gültigen Aufzugsverwendungstoken umfasst.
     
    10. Aufzugsanforderungsberechtigungssystem nach einem der Ansprüche 8 bis 9, wobei der Aufzugsverwendungstoken einen Aufzugsverwendungstoken umfasst, der zu bestimmten Zeiten gültig ist.
     


    Revendications

    1. Système d'autorisation de requête d'ascenseur (20), comprenant :

    un second serveur (23) configuré pour accorder un jeton d'utilisation d'ascenseur lors de la requête d'un premier serveur (21) enregistrable auprès du second serveur (23) pour établir des communications sécurisées entre le second serveur (23) et le premier serveur (21),

    le premier serveur (21) étant configuré pour recevoir une requête d'ascenseur relative à l'utilisation d'ascenseur par un utilisateur, pour authentifier l'utilisateur, pour autoriser l'utilisation d'ascenseur par l'utilisateur auquel la requête d'ascenseur se rapporte, pour demander le jeton d'utilisation d'ascenseur depuis le second serveur (23) via les communications sécurisées lors de l'authentification et de l'autorisation et pour délivrer le jeton d'utilisation d'ascenseur à l'utilisateur lors de sa réception,

    caractérisé en ce que le jeton d'utilisation d'ascenseur est valide pour une séquence prédéfinie d'utilisations d'ascenseur.


     
    2. Système d'autorisation de requête d'ascenseur selon la revendication 1, dans lequel la requête d'ascenseur est initiée via un dispositif mobile (23).
     
    3. Système d'autorisation de requête d'ascenseur selon la revendication 1 ou 2, dans lequel le premier serveur (21) a une clé d'administration pour prendre en charge les communications sécurisées, la clé d'administration pouvant être reçue par le second serveur (23) lors de l'enregistrement du premier serveur (21).
     
    4. Système d'autorisation de requête d'ascenseur selon l'une quelconque des revendications précédentes, dans lequel la requête d'ascenseur comprend des informations d'identification d'utilisateur et une identification d'étage source et de destination.
     
    5. Système d'autorisation de requête d'ascenseur selon l'une quelconque des revendications précédentes, dans lequel l'authentification et l'autorisation par le premier serveur (21) comprennent la confirmation de la validité de l'utilisateur et la confirmation de l'autorisation de la requête d'ascenseur, respectivement.
     
    6. Système d'autorisation de requête d'ascenseur selon l'une quelconque des revendications précédentes, comprenant en outre :

    un système d'ascenseur (13) comprenant au moins un ascenseur desservant une pluralité d'étages dans un bâtiment,

    le système d'ascenseur (13) pouvant recevoir le jeton d'utilisation d'ascenseur de l'utilisateur et configuré pour émettre à l'utilisateur une notification en réponse à la réception de jeton d'utilisation d'ascenseur.


     
    7. Système d'autorisation de requête d'ascenseur selon la revendication 6, comprenant en outre un dispositif mobile (22) par lequel l'utilisateur initie la requête d'ascenseur.
     
    8. Système d'autorisation de requête d'ascenseur selon la revendication 6 ou 7, dans lequel la notification comprend au moins l'une des informations d'affectation, de position et d'arrivée d'ascenseur.
     
    9. Système d'autorisation de requête d'ascenseur selon la revendication 8, dans lequel le jeton d'utilisation d'ascenseur comprend un jeton d'utilisation d'ascenseur temporairement valide.
     
    10. Système d'autorisation de requête d'ascenseur selon l'une quelconque des revendications 8 à 9, dans lequel le jeton d'utilisation d'ascenseur comprend un jeton d'utilisation d'ascenseur qui est valide à certains moments.
     




    Drawing









    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description