(19)
(11) EP 0 238 361 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication:
23.09.1987 Bulletin 1987/39

(21) Application number: 87302464.0

(22) Date of filing: 23.03.1987
(51) International Patent Classification (IPC)4E05B 49/00
(84) Designated Contracting States:
DE FR GB IT

(30) Priority: 21.03.1986 US 842681
10.02.1987 US 13106

(71) Applicant: EMHART INDUSTRIES, INC.
Towson, Maryland 21204 (US)

(72) Inventors:
  • Clarkson, Bruce A.
    Beverly Massachusetts (US)
  • Frere, Ronald Joseph
    Southampton Massachusetts 01703 (US)

(74) Representative: Atkinson, Eric et al
c/o British United Shoe Machinery Limited P.O. Box 88 Ross Walk
Belgrave Leicester LE4 5BX
Belgrave Leicester LE4 5BX (GB)


(56) References cited: : 
   
       


    (54) Electronic locking systems


    (57) Electronic locking system including keys (30) and self-sufficient door locking units (50) both of which carry multiple "zone" codes (F1,F2...). Upon recognition of a key (30) by a door unit (50), the zone codes within the key and door unit are matched against each other so that a match between any one of the key zone codes (FI) and any one of the door unit zone codes (FJ) will result in an "allow access" decision (366). In the "basic zone" function (350), this decision will permit unlocking of the door (368); in other keying system functions or features (330), additional steps may be required for such unlocking, and the coding of either the key or door unit may be altered (340). The keying system architecture, and method of issuing keys, may be defined in terms of a directed acyclic "door group" graph (400) or equivalent data structure, door groups (401,402...) being defined hierarchically as door units, groups of door units, or groups of door groups. Each node of this graph (400) is identified with a given door group and, except for terminal modes (404,405,415,417,422-429) (which are typically identified with given door units), each such node has an associated "choice rule" (450). In issuing keys (30) the key issuing operator, working from a given door group (401) as the starting point, traverses subordinate nodes (402,403...) subject to limitations and decisions imposed by the choice rules (450), until only terminal nodes (404,405....) remain -- thereby defining the coding of a particular key.




    Description


    [0001] The present invention relates to electronic locking systems, and more particularly to a method, for use in an electronic locking system, of a method of keying the door locking units and keys of an installation, said door locking units and keys carrying codes which are electronically processed in a given door locking unit upon insertion of a given key.

    [0002] Electronic security systems have been well known for many years, and in recent years have seen a wide variety of approaches to designing electronically controlled door locking systems. Some of the early commercial systems have required a hard-wired connection between a central processor and the electronics of the locking systems of given doors. A disadvantage of such systems is the need to install connections between the central controller and individual lock assemblies. Another variable of these systems is the ability to "re-key" at the door, i.e. to change the coding of the key where such recoding is required by a given keying system function.

    [0003] A principal concern in the design of such locking systems is the security afforded by the system -- in the sense of the ease with which an unauthorised party can determine keying system information which could be used to open one or more locks, rather than the sense of the mechanical integrity of the locking mechanisms. System specifications relating to such security include the number of possible values of the keying system codes, the ability to update such codes, and the effect on the management system of a given installation if security has been breached. The keying systems of the present invention are used to particular advantage with electronic lock technologies which provide a large number of possible values per code and which permit rekeying at the door locking system.

    [0004] Other significant aspects of such systems are the convenience with which keys may be issued, permitting the use of relatively unskilled personnel as key issuing operators. One also wants sufficient flexibility in designing a keying system for a given installation to afford various levels of key issuing authority, as another aspect of system security.

    [0005] It is the object of the present invention to provide an improved method of keying door locking units and keys of an electronic locking system, which method is flexible and adaptable, facilitates designs suitable for large, complex installations requiring a variety of keying system features, and provides for a reasonably secure locking system.

    [0006] This object is achieved in accordance with the present invention in that, using predetermined design rules,an architecture matrix is defined which logically represents the configuration of door locking units of said installation, and a plurality of zone codes is assigned to various door units and keys of said installation, each zone code representing a feature which is common to all the keys and door locking units carrying it, such that, in using a given key to attempt to unlock a given door locking unit, each of the key zone codes is compared with each of the door zone codes and a positive comparison between any one key zone code and any one door unit zone code results in an "allow access" decision.

    [0007] The invention further provides, in another of its several aspects, an electronic locking system of the type including encoded key members and encoded door locking units wherein, upon recognition of a key member by a door unit, one or more codes on the key member are compared with one or more codes in the door locking unit, such that a positive comparison results in an "allow access" decision, characterised in that each of the key members and each of the door locking units carry a plurality of "zone codes", each of the key zone codes being compared with each of the door unit zone codes, whereby a "zone" comprises a set of key members and door locking units sharing a common zone code.

    [0008] Using the present invention, therefore, it will be appreciated that the keying system architect can define various "zones", each comprising a defined set of keys and door locking units which carry a common zone code, so that any of the keys will open any of the locking units. This keying system provides flexibility, efficient use of key and door unit memory, security advantages, and other benefits.

    [0009] In the "basic zone" embodiment of the invention, an "allow access" decision immediately permits the key user to open the door locking unit. However, the zone coding scheme may be extended to implement various keying system routines, by including in a control logic assembly which processes the zone codes, memory for keying system feature routines. The zone codes (desirably of both key and door unit) may be accompanied by one or more "feature" codes, which may be set to cause the running of an appropriate keying system routine by the control logic assembly. In the preferred embodiment of the invention, wherein the zone codes in both the key and the door unit are stored in recodable memory elements, these keying system routines may include the step of recoding the key, the step of recoding the cylinder, or both.

    [0010] In a preferred embodiment of the invention, one or more of the zone codes is associated with a "key class", such key class identifying a recognised type of key user. Each key class as assigned a set of zone codes which is independent of the zone codes for other key classes, so that if the zone codes have to be recoded for one key class other key classes will not be affected. In a key issuing scheme defined by a given keying system/management system configuration, key issuing operators can be authorised to issue keys of certain key classes only.

    [0011] Other features of the invention will be found set out in the appended sub-claims.

    [0012] The above and additional aspects of the invention are illustrated in the following detailed description of the preferred embodiment, which should be taken in conjunction with the drawings in which:

    Figure 1 is a schematic drawing of an electronic locking system for a given door, in accordance with an illustrative embodiment of the invention;

    Figure 2 is a block schematic diagram of electronic logic circuitry for the door locking system of Figure 1;

    Figure 3 is a flow chart schematic diagram of a basic operating program for the electronic logic of Figure 2;

    Figure 4 is a flow chart schematic diagram of a Basic Zone/One Use Subroutine for the electronic circuitry of Figure 2;

    Figure 5 is a perspective view of an illustrative design of key/door unit initialisation console;

    Figure 6 is a schematic view of a preferred management system configuration for the electronic locking system of Figure 1, embodying the console of Figure 5;

    Figure 7 is a schematic diagram of a door group graph in accordance with the invention; and

    Figure 8 is a partial plan view of a dormitory floor plan, corresponding to the door group graph of Figure 7.



    [0013] It should be understood that the present invention resides in the design of improved keying systems which may be utilised in connection with a wide variety of electromechanical locking system technologies. For the purpose of illustration, the keying system of this invention is illustrated below in connection with an electronic locking system of the recodable key variety (i.e. wherein the "key" is similar to design to a traditional mechanical key), but the invention is easily adapted to card-reader technologies such as so-called "smart cards", to optically based systems, etc. Advantageously, such locking systems should be capable of storing a large volume of data, permit the use of multiple codes within the door locking unit and the "key", and permit the recoding of the key at the door unit when appropriate.

    [0014] Fig. 1 shows highly schematically the principal elements of the electronic locking system, in which a key 30 is inserted into mortise lock cylinder 50 to open the lock. Cylinder control circuitry 100 within cylinder 50 recognises the full insertion of key 30 and extracts electronically encoded information from the key memory 40 via key connectors 45 and cylinder connectors 59. Control circuitry 100 stores and processes keying codes received from key memory 40 as well as resident cylinder codes. The control circuitry 100 can alter not only the codes in key memory 40 based on data transmitted from cylinder 50 but also codes stored within the cylinder based on data from key memory 40.

    [0015] The processing of access codes from the key and cylinder by control circuitry 100 results in a decision to grant or deny access. If an "authorised access" decision is made, release mechanism 70 receives a drive signal from control circuitry 100, causing it to withdraw a radially oriented locking pin 72 from cylinder plug 55. A user may then turn key 30 to rotate cylinder plug 55 as in a mechanical mortise lock, and rotate a cam (not shown) to release a door locking mechanism. Cylinder 50 also houses a key centring and retention device 90, which interacts with a single bit 37 or notch in the key to ensure the proper location of key 30 within keyway 57.

    [0016] The "chip-on-a-key" design of Figure 1, and other recodable-key designs such as smart cards, make use of electronically alterable integrated circuit (IC) technologies.

    [0017] Electronically alterable key memory 40 has the ability to store a substantial number of access codes, each of which will have a much larger range of possible values than found in traditional mechanical locks. This non-volatile integrated circuit technology involves memory which may be read like traditional read-only-memory (ROM) and may be written to after being electronically erased. Such memory devices are commonly known as EEPROM integrated circuits. EEPROM is a medium density memory, which retains adequate key memory within devices in the order of 2-3mm micron geometry. To store data in such devices, the word must be erased and then written. An alternative integrated circuit technology which may be employed for the key memory 40 and cylinder memory 180 is so-called EPROM.

    [0018] Fig. 2 is a block schematic diagram of the logic circuitry constituting the cylinder control circuitry 100, which supervises the various electronic functions of lock cylinder 50. Control circuitry 100 is a microprocessor-based system including central processing unit (CPU) 105 as its central element. Other major components are key serial interface 110, which provides synchronous serial communications of access code data to and from the key memory 40, timing circuitry 120, which provides various timing signals, key sensing circuitry 150, which produces signals indicative of the full insertion of a key in keyway 57, and of the withdrawal of the key, power control circuitry 140, which regulates the delivery of power from battery 68 to the various elements of the control circuitry 100, and release driver 130, which outputs actuating signals to the release mechanism 70 in response to an appropriate command from CPU 105. Under the supervision of power control circuit 140, the control circuitry 100 undergoes various states of power distribution to the various subassemblies with a view to low power consumption.

    [0019] Control circuitry 100 also encompasses various types of memory, including random access memory (RAM) 160, read only memory (ROM) 170, and electronically alterable memory (EEPROM) 180. RAM 160 receives data from key interface 110 and permits high-speed processing of this data by CPU 105. ROM 170 stores the firmware for the control circuitry; certain routines are explained below in the discussion of the lock's keying system. EEPROM 180 comprises non-volatile memory for the access codes resident in cylinder 50 and may take the form of any of a number of commercially available devices.

    [0020] In one embodiment of the invention, timing circuitry 120 also comprises a real time clock to provide a time-of-day signal, i.e. a resolution of some number of minutes. Illustratively, this clock takes the form of a dedicated clock IC. The energy source 68 (Fig. 1) is designed to provide continuous input power to this clock IC. The inclusion of such clock significantly affects the access code memory structure, and keying system firmware, as discussed below.

    [0021] Fig. 3 is a high-level flowchart of the basic operating program 350 for cylinder control circuitry 110, which is resident in ROM 170 (Fig. 2). At 351 the key sensing circuitry 150 detects the valid insertion of a key, causing power control circuitry 140 to provide power to CPU 105 and key 30, at 353. At 354, the logic selects a suitable communication protocol for key serial I/O 110 (Fig. 2); different protocols would typically be required for normal key 30 and for a cylinder recombinating device 355 (shown in Fig. 5 and discussed below). At 356 the key serial I/O reads data from the key memory 40 into RAM 160.

    [0022] As further explained below, the key and cylinder memories are structured in the preferred embodiment in a plurality of "zone code" keying data F1, F2...FN. In the illustrated program, data is read from the key at 356 on a code-by-code basis. At the case block comprised of step 358 and steps 359...361 and 364 the program selects the appropriate function subprogram stored in ROM 170 based upon a function associated with the given zone code and interprets the just-read key codes. Depending on the nature of the particular subprogram, this interpretation process may result in an "authorise access" decision, may yield data which is intended to be delivered to the key or key-like device (such as for recombinating a key 30 or for providing information about cylinder 50 to a clerk console 350), and may result in commands to re-code the cylinder memory 180. Cylinder re-coding, if required, advantageously takes place at this stage. At 362, the CPU tests the key data in RAM 160 to determine whether an "end of data" flag is present, while at 364 the redundant check codes in the key data are analysed to confirm the valid key data had been received. A failure of the latter test causes the re-reading of the invalid key data.

    [0023] At 365 any output codes resulting from the prior processing of the key codes are written to the key or key-like device (e.g. to change one or more zone codes of a key 30). At 366 the CPU determines whether the function processing had resulted in an "authorise access" state, and if such a state is present actuates the release driver 130 to open the lock. In the absence of an "authorise access" flag the system enters a "time out" state at 367, wherein the timing circuitry 120 clocks a predetermined time interval during which the key sensing circuitry 150 is not permitted to output a valid key insertion signal. Time out step 367 limits the frequency with which an unauthorised user can feed a large number of random codes to the control circuitry 100 using a key-like device. The time out state may be effected after a prescribed number of key insertions. At 369 the power control circuitry 140 turns off the supply of power to CPU 105 and release driver 130.

    [0024] Table 1 shows an advantageous memory map for access codes contained within the cylinder or door unit EEPROM 180 (Fig. 2). This memory map schematically illustrates the logical addressing scheme of the lock's control program to sequentially retrieve data from memory cells within EEPROM 180, but does not necessarily depict the physical layout of such memory cells. Memory 180 includes various fixed format fields - fields with a predetermined number of assigned data bits - and a variable format portion for function storage. Fixed format fields includes a "door unit identification" - a serial number that identifies the particular cylinder 50, but has no security function - and the "programming code", a security code which must be transmitted to cylinder control circuitry 100 in order to allow modification of memory 180, as discussed below. Other fixed format fields not shown in Table 1 may be included depending on the requirements of the door unit firmware. The function storage fields contain the data associated with the particular keying system functions programmed into cylinder access code memory 180; this is illustrated below in Tables 2 and 3.

    [0025] Illustratively, key memory 40 is structured similarly to the cylinder code map of Table 1, but omits the programming code field.

    [0026] Table 2 illustrates the record structure of a particular keying system feature - i.e. the zone function. In its basic embodiment, the zone function implements a comparison of each of a set of key zone codes with each of a set of cylinder zone codes, and permits access if any match occurs. The header byte of this memory map gives the number of zone function records (here four). Together with preknowledge of the memory occupied by the records of each function, the header byte enables the addressing routine to scan through logical memory to locate the next function within function storage (Table 1). In each record, the code combination represents the code which must be matched to initiate the corresponding function. The status bits S1-S5 (five are shown for purposes of illustration are associated with specialised zone features, so that the setting of a particular use bit (at most one is set) identifies the code combination with that feature. For example, S1 might be associated with "one use" - which allows keys to be issued for one time use only; and S2 might be identified with "electronic lockout" - permits a special lockout key to prevent access by normal keys, until the lockout key is reused. If no status bit S1-S5 is set, the code combination will be a Basic Zone code which yields an "authorise access" decision upon matching of key and door unit zone codes, without further processing.

    [0027] As explained above, "zones" are the basic data which are matched prior to granting access. Each key and each door unit advantageously contains multiple codes, each code representing one zone. In terms of the keying system, each zone may be defined as a collection of door units and keys which share a common code. Storage is required in door units and keys for each zone in which it participates -- i.e. storage limits correlate with the number of types of access to be granted. This storage scheme is much superior to having each door unit store a list of authorised keys, or conversely having each key store a list of authorised door units, both such schemes being vulnerable to security breaches, and being wasteful of storage capacity.

    [0028] In the key memory 40 and cylinder memory 180, access codes are assigned a given code width (number of binary digits per code) which determines by inverse relationship the total number of available codes in EEPROM. Higher code widths will decrease processing speed, but increase the resistance of the system to fraudulent access attempts by means of random codes electrically fed to the lock; in addition higher-width codes are less likely to be inadvertently duplicated in system management.

    [0029] Tables 3 and 4 give simplified record structures for cylinder and key memory function storage fields for basic zone and one use functions, and should be referenced together with the flow chart schematic diagram of Fig. 4 to illustrate the relationship between the access code memory structures and the associated keying system software routines in ROM 170. The door unit or cylinder record structure includes three zone records with associated "one use" status bits S1 (Table 3), while the key memory structure contains five zone records but no associated status or use bits (Table 4).

    [0030] In the basic system program of Fig. 3, as part of the "select functions" case block, the control firmware includes various subroutines associated with particular keying system features, including the "basic zone/one use subroutine" of Fig. 4. This routine includes nested loops wherein key pointer I (e.g. pointing to a particular record or row: see Table 4) and cylinder pointer J (e.g. pointing to a given cylinder zone record: see Table 3) are each incremented from 1 to the respective "number of records" value. For each pair of values I, J, this routine compares the "code combination" for the relevant cylinder and key zone records at step 335. If a match is found the program determines at 338 whether the CYL.S1 flag for the relevant record J is set. If this "one use" flag is not set, the routine simply returns a "grant access" decision at 341. If the flag is set, however, the routine first updates CYLCODE (J) with a pseudorandom number generated by the management system; this prevents a repeated use of the key to open the same lock cylinder.

    [0031] Were the zone function data structure to take the more complicated form shown in Table 2, the subroutine of Fig. 4 would be modified to determine whether any of the other status or use bits S2-S5 were set, and to include appropriate algorithms to implement these additional keying system features.

    [0032] The locking system of the invention can achieve all of the traditional keying system features found in mechanical mortise cylinders (e.g. great grand master keying, cross-keying, etc.), as well as additional useful functions. Furthermore, the cylinder access code memory 180 can include updating key codes, which may be written to the key memory 40 in implementing certain keying system functions. Specialised keying system functions may be designed to control unauthorised copying of key codes, and in general to selectively update the key memory 40 for enhanced flexibility together with security.

    [0033] It is sometimes necessary to change one or more zone codes by virtue of the nature of a given keying system feature, because of a need to recode door units due to a discovered breach of security, or for other reasons. Advantageously, the keying system associates with each zone code a meaningful zone code identifier based upon the characteristics of the door units and keys which carry such code, in order to facilitate this recoding process. In addition, the keying system may utilise a special code to "prime" given keys and cylinders for recoding.

    [0034] In the embodiment in which the cylinder control circuitry 100 includes a real time clock, the keying system can be extended to include time-of-day control. Time-of-day can be associated with each keying function. For basic zone/single use, a time can be associated with each door unit zone (i.e. set of lock cylinders containing a common zone code). The keying system functions could be modified to include one or more time access windows, to include automatic cylinder recording at a given time of day, and other features. The cylinder memory structure must be supplemented with time-of-day codes, i.e. one byte for each significant time interval within a day. By including a calendar timing device in the timing circuitry 120 (Fig. 3), the principles discussed above can be applied to keying system features tied to particular days, weeks etc.

    [0035] The electronic locking system of the invention may be incorporated in "hard-wired" electronic lock installations, comprising a communication network linking the various lock cylinders and a central management system processor. In the preferred embodiment of the invention, however, the lock cylinder 50 comprises a stand-alone system, with no hard-wired communication. The IC packages 41 (or 42) within each key 30 serve as a substitute for a direct communication link with a central controller, inasmuch as the key can be encoded at a remote station to transmit codes to lock cylinder 50. Key 30 can be encoded with special codes which are recognised by cylinder access code memory 180. As shown in Fig. 5, the management system advantageously includes one or more key/cylinder consoles 250, which may take the form for example of a portable microcomputer with specialised input/output devices. Key receptacle 252 accepts insertion of a key 30, and links the inserted key to internal logic circuitry for initialising or recoding a key. Cylinder recombinating device 255 includes a key blade 256 similar to a normal key blade 33 (Fig. 8), and a plug 257 which mates with an outlet (not shown) at the rear of console 250. Thus, the portable consoles 250 may be carried to given door units 50 for the purpose of initializing or recombinating the door unit memory 180.

    [0036] The management system is advantageously adapted to the requirements of institutional users such as hotels and universities. With reference to Fig. 6, the system might include a plurality of "clerk consoles" 250a-d in accordance with the device of Fig. 5, which communicate with a central controller 260. Controller 260 acts as the central repository of the management system data base for the entire installation and downloads data into the various consoles 250a-d. In particular, controller 260 tracks all zone codes which have been assigned, together with the identities (e.g. door unit identifiers - Table 1) of all keys and door units which carry each zone code. Consoles 250a-d encode keys as required by the keying system data base and records to whom they are issued. A given console 250 can interrogate the central controller 260 to inspect the central database; sensitive information can be protected by features such as passwords and orher techniques (see references below to operator authorisation, key classes, etc.) This preferred management system may be characterised as a distributed processing system, with all real time processing effected at individual lock cylinders 50.

    [0037] Where the timing circuitry 120 includes a real time clock, it will be appreciated that the key/initialisation console 1350 and central controller 1360 must have the ability to keep time-of-day in operating the management system.

    [0038] Preferably, the keying system incorporates a set of rules for logically and efficiently assigning zone codes to door units and keys. In a computer-automatable keying system, the keying system architect establishes a logical structure ("architecture matrix") within the framework of certain design rules, such logical structure being based upon the geographic and functional characteristics of the door units of a given installation. In the preferred embodiment of a computer-automated keying system, the architecture matrix may take the form a multidimensional array including one or more parameters representing the configuration of door locking units. Advantageously, such parameters include "choice rule" limitations governing the key-issuing operator's assignment of door units and features to a key being issued. Finally, the system automatically assigns zone codes to the issued keys in accordance with pre0established assignment rules, based upon the door unit and feature assignments. In the above scheme, the architecture matrix design rules and the rules for interpreting a given architecture map are pre-established, and the keying system architect generates or modifies a given architecture matrix in accordance with the requirements of a given installation.

    [0039] An advantageous methodology for establishing and interpreting architecture matrices is discussed below.

    [0040] In preferred embodiment of the invention, the process of designing a keying system for a given installation, and the issuance of keys and other aspects of the management system, rely upon an architecture matrix based upon "door groups", which in the simplest case may be defined as "a door unit or collection of door units". To permit a hierarchical definition of "door groups", however, this term is broadened to include "groups of door groups". Each door group has an identifier chosen by the keying system architect, most desirably a name related to local geography or function. By contrast, the code assigned to given zones is desirably chosen to have no obvious relationship to its related doors, door groups, and keys, thereby reducing the impact of disclosure of the key data to an unauthorised party.

    [0041] The open-ended definition of "door groups" affords tremendous flexibility in system design -- these may be defined by a keying system architect based only in the requirements of a given installation, unconstrained by the particular keying system employed. Optimal use of this scheme calls for multiple zones in both the door and key.

    [0042] As noted above, the invention provides a logical scheme for designing a keying system architecture matrix for given installations, using the concepts of "door groups". As is illustrated below, the keying system architect defines a "door group graph" in the form of a "directed acyclic network" in which each node represents a door group; in this logical scheme, then, each door group corresponds to a unique node of the graph. A directed acyclic network, as used in this specification means a hierarchial graph or network consisting of nodes with interconnecting edges or branches, each edge having a defined direction; when this graph is traversed from node to node along the defined directions, one never returns to an earlier-encountered node. Such networks typically consist of "trees" in the mathematical sense, i.e. acyclic graphs wherein each node has only one immediately preceding (or predecessor") node, but also include graphs wherein multiple branches may meet at a single "successor" node. In issuing keys using an established keying system architecture matrix (door group graph), the key-issuing operator begins at an authorised starting node, as explained below, and traverse the subordinate nodes according to defined "choice rules" until only terminal nodes -- typically identifying particular door units -- ­remain.

    [0043] "Choice rules" are a set of rules one of which is assigned to each node of a door group graph except terminal nodes, in order to govern the key-issuing operator's decision in selecting none, one or more of the immediate subordinate node(s). An advantageous set of choice rules to be utilised in defining a keying system architecture might include the following:

    (1) All of

    (2) One of

    (3) Each of (this has essentially the same effect as "All of", but has certain advantages discussed below)

    (4) Any of (i.e. none, any one, or more than one)

    (5) At least one of



    [0044] Of the above choice rules, the first two cover most decisions which the keying system architect would need to establish; these impose strict limitations on the key issuing operator's decision (in fact, the first rule requires no decision). The third rule, "each of", has exactly the same effect as "all of" from the perspective of the key-issuing operator, but has certain security advantages discussed below. "Any of" provides the most flexibility in choosing door groups. "At least one of" is similar to "any of", but precludes the possibility of choosing no door groups; ths could be used for example to permit the issuance of one or more locker door keys to a patron of a gymnasium.

    [0045] The "All of" and "Each of" choice rules both have the effect of including all subordinate door groups, but are distinguishable in the assignment of zone values to the immediately subordinate door groups. "All of" typically assigns a common zone value to such door groups, while "Each of" gives each such door group a distinct zone value. The effect of this may be illustrated by considering the issuance of a security master key. If a dormitory resident (for example) were able to determine the zone code for his room's door unit, which door unit could also be opened by the security master key, he would have the zone code for the security zone. This information could possibly be used to help him gain access to all door units accessible by the security master key. However, by using the "choose each of" rule the domain of each zone of the security master would be partitioned, so that the dorm resident would have access only to a known subset of the security master door units, limiting the potential for vandalism etc. Note that "one of", "any of", and "at least one of" all require such partitioning.

    [0046] The key-issuing process may be implemented using a management system such as that illustrated in Figure 6 as an "on-line" system wherein a series of "screens" are displayed at a clerk console 250 to guide the key-issuing operator through relevant portions of the door group graph, presenting the appropriate choices, and possibly reporting the results of the decisions. This graph-traversing process is continued node by node until only terminal nodes remain. At each node encountered in the issuing of a particular key in which a decision is required, a menu would be displayed appropriate for the choice rule for that node, and the door groups for that node and the successor nodes identified using nomenclature created by the keying system architect (desirably according to key function or local geography). The key-issuing operator only implements the decisions previously established by the keying system architect, which decisions may be designed to ensure proper security, completeness, and reasonableness of issued keys.

    [0047] Figure 7 illustrates a given portion of a door group graph for an academic institution, i.e. a graph 400 for issuing keys to dorm residents. In referring to both Figure 7 and the dormitory floor plan of Figure 8, TABLE 5 should be consulted to determine the significance of the various door groups and door units shown in these figures. In Figure 7 the starting point, node 401, represents the door group consisting of all doors of a given dormitory. By virtue of the "all of" rule at node 401, the issuer must branch to both the "Entrances" door group 402 and the "floors" door group 404. At the "Floors" node 4040, the operator must elect between floors 1 and 2 (nodes 408 and 409). By tracing this graph until the terminal nodes, according to the choice rules 450, with reference to dormitory floor plan of Figure 8, it will be seen that the issued key will be coded for both the front and the rear entrances, for one of the floors (including the stair well 511 for a second floor resident), for the entrance and bathroom doors to a given suite, and for one of the rooms of that suite. The key-issuing program might, for example, display screens corresponding to nodes in the sequence 401, 402, 404, 405, 403, 408, 412, 415, 417, 413, 422 -- thereby encoding the key for the front and rear building entrances, the entrance and bath doors for suite 101, and door of room A of that suite.

    [0048] The geometric model of keying system architecture matrices as directed acyclic graphs has equivalent data structures which lend themselves to computer automation of the key-issuing process; as used in the specification and claims, "equivalent data structure" indicates any data organisation of door groups which has an equivalent logical significance as the directed acyclic door groups graphs. TABLE 6 gives an indented list data structure which is equivalent to the door group graph of Figure 7. This is an indented listing wherein each of the door groups represents one element of the list. This list may be ordered according to the "counting index" shown, or any of a variety of other sequences known from graph theory. Each door group is assigned a "level index" representing its level within the keying system architecture hierarchy -- ­this is visually represented by the degree of indentation of the door group name. Each door group has an associate choice rule, except for terminal door groups (i.e. door units). The key-issuing program can process the elements of such listing in the sequence of the counting index, or any of a variety of other sequences known from graph theory, and at each level applies the choice rule to the elements at the successor level. One can therefore define a door group graph using a data structure including the parameters V, the nodes of door groups; E, the directed edges connecting these nodes; V₀, the source node; and R, the choice rules associated with each node.

    [0049] Using the choice rule/zone code assignment scheme described above, the coding in the preceding example (second-to-last paragraph above) would be effected by assigning three zone codes to the key: one encompassing the front and rear entrance doors to the dorm, one including the entrance and both for the suite, and one for the student's bedroom (see TABLE 7). However, it should be noted that the zone concept is an extremely flexible one and that many alternative schemes could be employed for assigning zones to groups of doors and keys. In the above case, for example, the same door units could be assigned to a given key using just two zones, one encompassing the building entrances and one including the individual student's bedroom as well as the entrance and bath door for his suite (see TABLE 8). In the former instance, the common door units for the suite (515, 517) would only hold a single basic zone code shared by all the students, whereas in the latter instance such door units would have to hold separate codes for each student in order to deny access to the other bedrooms of the suite. The choice rules and zone assignment scheme discussed above represents an efficient and flexible approach.

    [0050] In a preferred embodiment of the key-issuing scheme of the invention, key-issuing operators are authorised to commence the process only at defined door groups. Therefore, the access of each such operator is limited to those door groups and door units including his authorised starting door groups and those subordinate thereto. The system will not permit such operator to view the remainder of the door group graph during key issuance. Privileged operators may be given access to a top node or nodes by which they can see the entire structure.

    [0051] Keying system architectures in accordance with the invention advantageously make use of "key classes", which in common sense terms correspond to recognisable types of key users. Taking the example of a college dormitory (Figure 8), key classes might include dorm residents, housekeeper, plumber, security personnel, resident adviser, etc. Each individual key class is associated with a defined starting node for issuing keys to members of such class, and each key class would be assigned an independent set of zone codes. Thus, with reference to Figure 7, if two different key classes were associated with the starting node 401, the keying system would include two sets of zone codes in parallel. Therefore, if the zone codes for one key class were divulged, zone codes of other key classes would not be compromised. In the operator authorisation scheme discussed above, the door groups at which key issuing operators may start are advantageously associated with key classes. Other mechanisms for operator key-issuing authorisation are possible, however.










    Claims

    1. A method of keying the door locking units (50) and keys (30) of an installation, said door locking units (50) and keys (30) carrying codes (F1,F2...) which are electronically processed in a given door locking unit (50) upon insertion of a given key (30), characterised in that, using predetermined design rules, an architecture matrix (400) is defined which logically represents the configuration of door locking units of said installation, and a plurality of zone codes (F1,F2...) is assigned to various door locking units and keys of said installation, each zone code representing a feature which is common to all the keys and door locking units carrying it, such that, in using a given key (30) to attempt to unlock a given door locking unit (50), each of the key zone codes (FI) is compared with each of the door zone codes (FJ) and a positive comparison between any one key zone code (FI) and any one door unit code (FJ) results in an "allow access" decision (366).
     
    A method according to Claim 1, characterised in that each of the zone codes (F1,F2...) in each key member (30) and each door locking system (50) has one or more appurtenant feature flags (S1,S2...), in that each door locking unit (50) includes feature memory (170), by which one or more keying feature routines (330) based upon the zone codes (F1,F2...) and additional parameters can be stored, and a processor (105), and in that the setting of a particular feature flag (S1,S2...) invokes the running of the appropriate keying feature routine (330) by the processor (105).
     
    3. A method according to either one of Claims 1 and 2 characterised in that distinct key classes have distinct sets of zone codes assigned to keys (30) belonging to said key class.
     
    4. A method according to any one of the preceding Claims characterised in that each zone code (F1,F2...) carried by a given key (30) or door locking unit (50) has a zone code identifier, and in that the zone codes (F1,F2...) on the keys and the door locking units are stored in electronical alterable memory means (40,180), any door unit or key carrying a given zone code thus being re-keyable to a different zone code.
     
    5. An electronic locking system of the type including encoded key members (30) and encoded door locking units (50) wherein, upon recognition of a key member (30) by a door unit (50), one of more codes (FI) on the key member are compared with one or more codes (FJ) in the door locking unit, such that a positive comparison results in an "allow access" decision (366),
        characterised in that each of the key members (30) and each of the door locking units (50) carry a plurality of "zone codes" (F1,F2....), each of the key zone codes FI) being compared with each of the door unit zone codes (FJ), whereby a "zone" comprises a set of key members and door locking units sharing a common zone code.
     
    6. An electronic locking system according to Claim 5 characterised in that the "allow access" decision (366) permits the key member user to unlock (368) the door locking unit.
     
    7. An electronic locking system according to either one of Claims 5 and 6 characterised in that each of the zone codes (F1,F2...) in said key member (30) and said door locking unit (50) has one or more appurtenant feature codes (S1,S2...), said door locking unit (50) including feature memory (170), by which one or more keying feature routines (330) based upon the zone codes (F1,F2...) and additional parameters can be stored, and a processor (105), and in that the setting of a particular feature flag (S1,S2...) invokes the running of the appropriate keying feature routine (330) by the processor (105).
     
    8. An electronic locking system according to any one of Claims 5 to 7 characterised in that al least some keys (30) are identified with a key class, such key class identifying a recognised type of key user, and in that distinct key classes have distinct sets of zone codes (F1,F2...) assigned to keys (30) belonging to the respective key class.
     
    9. An electronic locking system according to any one of Claims 5 to 8 characterised in that the key and door unit zone codes are stored in electronically alterable memory means (40,180), and in that means (260) is provided for tracking the keys and door locking units which carry given zone codes.
     
    10. An electronic locking system according to Claim 9 characterised in that the keys (30) and door locking units (50) include unique identifier codes, and in that the tracking means (260) includes means for identifying a given zone recoding to be effected for identified keys and door locking unit.
     




    Drawing