(11) EP 2 348 490 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Mention of the grant of the patent:
04.03.2020 Bulletin 2020/10

(21) Application number: 09180266.0

(22) Date of filing: 22.12.2009
(51) International Patent Classification (IPC): 
G07C 9/00(2020.01)

(54) Access control system

Zugangskontrollsystem

Système de contrôle d'accès


(84) Designated Contracting States:
AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

(43) Date of publication of application:
27.07.2011 Bulletin 2011/30

(73) Proprietors:
  • 9Solutions Oy
    90590 Oulu (FI)
  • iLOQ Oy
    90230 Oulu (FI)

(72) Inventor:
  • Herrala, Sami
    90590 Oulu (FI)

(74) Representative: Kolster Oy Ab 
(Salmisaarenaukio 1) P.O. Box 204
00181 Helsinki (FI)


(56) References cited:
EP-A1- 1 024 239
EP-A2- 1 321 901
EP-A2- 1 562 153
WO-A1-2009/094683
US-A1- 2004 189 471
EP-A1- 1 336 937
EP-A2- 1 324 276
WO-A1-2004/092514
US-A1- 2003 117 260
   
       
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    Field



    [0001] The invention relates to the field of access control systems.

    Background



    [0002] The field of access control systems encompasses conventional mechanical locks with keys mechanically adapted to operate such locks and electronic lock systems where keys interact with electronic locks by utilizing electric signals transferred between a lock and a key. If the key contains correct electronic information, it will control the lock to open and grant access. On the other hand, incorrect electronic information keeps the lock closed.

    [0003] The prior art even teaches using an electronic key adapted to communicate with a cellular phone carried by a user over a Bluetooth connection. When the user wishes to open a lock on a door, for example, the user inserts the key into the lock and controls his/her cellular phone to launch an appropriate application. The application controls the cellular phone to access a server controlling access rights. If the user may access the door, the server provides authorization to open the lock, and the authorization is delivered to the lock through the cellular phone and the electronic key. A problem with this approach is that while the user may obtain authorization to access on-the-fly, the access itself is complicated because the user has to operate both the key and the cellular phone.

    [0004] EP 1 324 276 discloses an electronic security system with an electronic key and an electronic locking apparatus. The electronic key includes an identification data registry for storing one or more identification data for locking and unlocking. The electronic locking apparatus includes a key data registry for storing a key data having a predetermined relationship with an identification data of an electronic key corresponding to the electronic locking apparatus. The system is provided with a reader/writer for reading and writing the identification data in and from the identification data registry. This system ensures an improved convenience by making a single key compatible with a plurality of objects.

    [0005] US 2003/117260 discloses an access control system that includes a tag carried by a user which communicates over a short range wireless link to a door lock controller to provide to the controller a security access code and actuate door release means. In the event the correct access code is not known by the tag, the tag communicates with an access code repository and requests a valid access code. When requesting the valid access code, the tag also communicates to the repository an identity provided by the door release means and an identity of the tag itself. A decision may then be taken whether to provide the tag with a valid access code for that particular door release means. The door release means may provide the tag with a telephone number to call when making the request to the repository.

    [0006] EP 1 336 937 discloses a mobile communication terminal that transmits access rights data comprising an access control device identification to access control devices. An access control module checks the data received from the mobile communication terminal against the predetermined access rights data, based on which the user's access right is approved. Independent claims are also included for the following: access control method; computer program product for performing access control; and access control device.

    [0007] EP 1 024 239 discloses an approach for managing physical security in an electronic lock-and-key system. The approach does away with cabling or other direct connecting between locks and a system management center. The keys serve to disseminate access control and other information within the system in a snowball-like way, using an adapted, but simple networking protocol. Whenever appropriate, cryptographic schemes are applied to protect the system.

    [0008] EP 1 321 901 discloses a method for controlling access to an object in which a mobile object or key is used to undo or release a lock when the key is authorized. Prior to contact between key and lock the key is issued a certificate by a central unit that contains a specific identity code. When the key is connected to or inserted in the lock, offline authentication is based on the specific identity code in the certificate.

    [0009] WO 2004/092514 A1 discloses an access control system to allow real-time access monitoring of locked premises.

    [0010] US 2004/189471 A1 discloses a system for monitoring a facility wherein signals from monitoring tags are relayed to monitoring stations which identify possible events based on the received signals and alert staff members of those events.

    Brief description



    [0011] According to the present invention, there is provided an access control system as specified in claim 1.

    [0012] An embodiment of the invention is defined in the dependent claim 2. Embodiments and examples not falling within the scope of the appended claims do not form part of the invention.

    List of drawings



    [0013] Embodiments of the present invention are described below, by way of example only, with reference to the accompanying drawings, in which

    Figure 1 illustrates a general concept of an access control system according to an embodiment of the invention;

    Figure 2 illustrates a structure of an electromechanical key and an electromechanical lock according to embodiments of the invention; and

    Figure 3 is a flow diagram illustrating a method for use in the access control system according to an embodiment of the invention.


    Description of embodiments



    [0014] The following embodiments are exemplary. Although the specification may refer to "an", "one", or "some" embodiment(s) in several locations, this does not necessarily mean that each such reference is to the same embodiment(s), or that the feature only applies to a single embodiment. Single features of different embodiments may also be combined to provide other embodiments.

    [0015] In an embodiment of the invention, an electromechanical key is utilized for operating an electromechanical lock. The key may be a personal key carried by a person. Figure 1 shows an embodiment of an electromechanical locking system. A user 105 is about to open a door 115. The user carries an electromechanical key 106. In Figure 1, the electromechanical key 106 is illustrated as a box but in a preferred embodiment the physical dimensions are similar to those of a conventional mechanical key having a protrusion which is inserted into a receptacle in a lock so as to implement a mechanical connection between the lock and the key.

    [0016] The electromechanical key 106 according to an embodiment of the present invention comprises an electromechanical interface matching a counterpart interface 112 provided in an electromechanical lock 116, which the electromechanical key 106 is adapted to open when the electromechanical interface of the electromechanical key 106 is brought into contact with the counterpart interface 112 of the electromechanical lock. The contact may be a physical contact, i.e. the interfaces touch each other. In another embodiment, the contact is short range electromagnetic contact based on electromagnetic induction, short range radio communication, etc. In this embodiment, the interfaces are electromagnetic interfaces. Other embodiments utilize other electronic interfaces and, in general, in such embodiments where no mechanical contact between the lock and key is necessary, the electromechanical key may be considered as an electronic key. An electronic connection 110 is established between the electromechanical key 106 and the electromechanical lock 116 when the interfaces are brought into contact with one another, i.e. when the key is inserted into the lock. The electromechanical key further comprises a communication circuitry configured to establish a radio connection, and a memory for storing access codes used for opening access-controlled locks and other information enabling the operation of the electromechanical key. The electromechanical key 106 further comprises a control circuitry configured to control the communication circuitry to establish an end-to-end communication connection with a server 101 managing access rights, to communicate with the server 101 so as to receive an access code granting access to at least one electromechanical lock, and to communicate an appropriate access code received from the server to the electromechanical lock through the electronic connection between the electromechanical key and the electromechanical lock so as to open the electromechanical lock.

    [0017] The communication connection between the electromechanical key 106 and the server 101 may comprise at least one wireless communication link, wherein a wireless communication link is established at least between the electromechanical key and another radio device communicating directly with the electromechanical key. The electromechanical key 106 may have a wireless network channel 104 connection to a wireless network 102 or to a cellular phone carried by the user 105 (not shown). The wireless channel 104 and the wireless network 102 may be implemented according to the Bluetooth, Zigbee, or any other suitable standard/non-standard short-range wireless communication means. It may also be foreseen that the electromechanical key has medium or even long range communication capabilities, thereby comprising terminal device equipment for cellular network communications according to GSM, CDMA, or UMTS (or another cellular network) specifications.

    [0018] The wireless network 102 may establish a pico network, realized by a network of private base stations distributed to cover the area where the location tracking is being carried out. The private base station network may establish a wireless mesh network based on the Bluetooth technology, for example, and configured to route signals through a plurality of base stations between a plurality of user equipment and the server. One or more of the base stations may be connected to a wired network, e.g. Ethernet, so as to connect to the server. If the server is located in a remote location, the connection between the base station network and the server may be routed through the Internet. Other embodiments may utilize other communication technologies to implement the mesh network, such as IEEE 802.11x (WiFi). Modern cellular telecommunication systems, e.g. UMTS, allow for employing private networks and utilizing the UMTS specifications in the private networks. The private networks operate in parallel with public UMTS networks and may even utilize the same frequency bands. The wireless network 102 may thus employ the UMTS radio access specifications. The server may be a computer installed in the same local network as the wireless network or it may be a remote computer accessible through the Internet. The physical structure of the server 101 may be similar to other corresponding servers, i.e. it may comprise one or more processors, network interface for providing communication functionality and network access, and a memory (for example hard drive(s)) for storing the access rights database and other data.

    [0019] The electromechanical lock 116 comprises the counterpart interface 112 where the key is inserted to make the electromechanical connection, a lock mechanism 108 and a lock bolt 114. When the user approaches the door he/she wishes to open, the user inserts the electromechanical interface of the key 106 into contact with the counterpart interface 112 of the door. Next, the user operates the lock mechanism 108 provided in the lock. The operating may comprise turning a doorknob or turning the key in the lock. The operation activates the lock and provides operating power for the lock to perform the authentication. In the authentication, the key transfers the access data into the lock, and the lock reads the access data. If the access data is correct, the lock is set to an openable state and allows the user to operate the lock bolt.

    [0020] Any suitable authentication technique may be used in connection with the embodiments of the present invention. The selection of the authentication technique depends on the desired security level of the access control system and possibly also on the permitted consumption of electricity for the authentication (especially in user-powered electromechanical locks).

    [0021] In an embodiment, the authentication is performed with a SHA-1 (Secure Hash Algorithm) function, designed by the National Security Agency (NSA). In SHA-1, a condensed digital representation (known as a message digest) is computed from a given input data sequence (known as the message). The message digest is to a high degree of probability unique for the message. SHA-1 is called "secure" because, for a given algorithm, it is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. If the security level needs to be increased, other hash functions in the SHA family (SHA-224, SHA-256, SHA-384 and SHA-512), each with longer digests and collectively known as SHA-2, may be used. In an embodiment, the electromechanical key receives from the server message digests of one or more locks as the access codes, and transfers the message digest to the lock when the electric connection between the lock and the key has been established. The lock then compares the received message digest with a reference message digest computed from a message stored in a memory of the lock. If the received message digest corresponds with the computed reference message digest, the lock is opened.

    [0022] Figure 2 shows a more detailed example of the electromechanical lock 116 and the electromechanical key 106. An electromechanical interface 140 of the electromechanical key 106 and the corresponding interface 112 in the electromechanical lock 116 are counterparts, as described above, and establish the electronic connection between the lock and the key when brought into contact with each other. The electronic connection may be realized by a wired bus through bus connectors in both interfaces 140, 112. The wired bus may be a one-wire bus.

    [0023] The lock 116 further comprises an electronic circuitry configured to receive the access code from the key 106 upon establishment of the electronic connection through the interfaces 140, 112 and to control the opening of the lock in response to the reception of a correct access code. The electronic circuitry 142 may be implemented as one or more integrated circuits, such as application-specific integrated circuits ASIC. Other embodiments are also feasible, such as a circuit built of separate logic components, or memory units and one or more processors with software. A hybrid of these different embodiments is also feasible. When selecting the method of implementation, a person skilled in the art will consider the requirements set on the power consumption of the device, production costs, and production volumes, for example. The electronic circuitry 142 may be configured to execute computer program instructions for executing computer processes.

    [0024] In the embodiment of Fig. 2, the electronic circuitry 142 is realized with two circuits. The electronic circuitry 142 comprises a communication circuitry 126 and an authentication circuitry 120 which are connected to each other with a communication channel 118. The communication circuitry communicates with the key, receives an electric signal comprising the access data, extracts the access data, and forwards the access data to the authentication circuitry 120. The authentication circuitry 120 analyzes the received access data by comparing the received access data with reference access data stored in a memory (not shown). If the received access data matches the reference access data, the authentication circuitry 120 controls the lock to open. The communication channel 118 may be a logical communication channel between two computer processes executed by the same processor, for example, but it may alternatively be a physical channel between two physically separate circuitries. In an embodiment, the authentication circuit 120 is realized with a microcontroller and a memory unit, and the communication circuit is ASIC. However, other embodiments utilize different physical structures for the electronic circuitry 142.

    [0025] The lock further comprises an actuator 124 which controls the lock bolt 114. After a successful authentication, the authentication circuitry configures the actuator 124 to set the lock in a mechanically openable state. The actuator 124 may be powered by electric power produced by a generator 122 configured to convert mechanical motion into electric signals, when the user applies the mechanical motion to the lock by turning the knob 108, by turning the key in the lock, or by inserting the key into the lock. In the embodiment of Figure 2, the generator 122 is connected only to the authentication circuitry, but it may also be connected to the communication circuitry 126 and receive the mechanical motion through the interface 112. Instead of using the generator transforming the mechanical motion into electric energy, a battery may be utilized, or the lock may be connected to a power source, e.g. an electric outlet. In another embodiment where the key is provided with battery, the lock may acquire its electric energy from the key through the interface and electric connection between the lock and the key. The actual implementation of the power supply of the lock depends on the implementation, and the skilled person designing the system takes into account the location of the lock, availability of different power sources, the physical dimensions of the lock, the design of the interfaces of the lock and the key, etc.

    [0026] The actuator 124 may be set to a locked state mechanically, but a detailed discussion thereon is not necessary to illuminate the present embodiments. When the actuator 124 has set the lock in a mechanically openable state, the bolt mechanism 114 can be moved by operating the lock mechanism (knob) 108, for example. Alternatively, the actuator 124 may in response to the command from the authentication circuitry 120 mechanically move the bolt mechanism 114 so that the door may be opened without any specific action by the user. In the latter embodiment, the user only needs to insert the key into contact with the lock so that the connection between the lock and the key is established and the lock will be opened, provided that the user has access rights to the door.

    [0027] Additionally, the electromechanical key comprises an electronic circuitry 107 comprising a memory 130, a control circuitry 132, a rechargeable battery 136, and a communication circuitry 134. Obviously, instead of using rechargeable battery (secondary cell), disposable (primary cell) batteries may be used. The communication circuitry 134 may comprise analog and digital components enabling establishment of a radio connection according to any radio access technology listed above. In the following description, a Bluetooth radio access is described. It should be noted that other embodiments utilize other radio access schemes, and the structure and the operation of the communication circuitry 134 is configured according to the supported radio access scheme. The control circuitry 132 controls the operation of the key by controlling the communication with the server and the cellular phone or wireless network and by controlling the transfer of access codes between the locks and the key. The control circuitry 132 may also be configured to carry out other procedures, as will be described in greater detail. The control circuitry 132 may be implemented by ASIC, micro controller, or another processor, depending on the required computational capacity, power consumption requirements, etc. The memory 130 stores the access codes received from the processor as being linked to corresponding locks which each code is arranged to open. The memory 130 may also store instructions of a computer program configuring the operation of the control circuitry 132 and/or communication circuitry 134 when they are software-defined processors. The memory 130 may comprise a non-volatile memory part storing the computer program(s), and a volatile memory (e.g. RAM) for storing the access codes and temporary data needed in the operation of the control circuitry. Optionally, the access codes may be stored in the non-volatile memory so that they will not be erased in an uncontrolled manner.

    [0028] The battery 136 is rechargeable, and the electromagnetic interface 140 functions also as an interface for charging the battery 136. The interface 140 may comprise a separate wire for charging the battery or the same wiring used for transferring the access codes may be used for charging the battery. In an embodiment where the structure of the electromechanical key resembles a conventional key, i.e. it has a protrusion which is inserted into the lock when opening the lock, a charging device may include a slot (or receptacle) structurally similar to the interface 112 of the lock. When the key is inserted into the charging device, the control circuitry may be configured to detect that the electronic connection is now with the charging device and switch the electric signals received from the charging device through the electromechanical interface to the battery so as to charge the battery.

    [0029] As used in this application, the term 'circuitry' refers to all of the following: (a) hardware-only circuit implementations, such as implementations in only analog and/or digital circuitry, and (b) combinations of circuits and software (and/or firmware), such as (as applicable): (i) a combination of processor(s) or (ii) portions of processor(s)/software including digital signal processor(s), software, and memory(ies) that work together to cause an apparatus to perform various functions, and (c) circuits, such as a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation, even if the software or firmware is not physically present. This definition of "circuitry" applies to all uses of this term in this application. As a further example, as used in this application, the term "circuitry" would also cover an implementation of merely a processor (or multiple processors) or a portion of a processor and its (or their) accompanying software and/or firmware.

    [0030] Let us now consider the operation of the electromechanical key according to embodiments of the invention in greater detail. The electromechanical key is associated with a given user carrying the key. The user may also carry a cellular phone. Figure 3 is a flow diagram illustrating a process for updating access rights and accessing locks according to an embodiment of the invention. The process is carried out in the electromechanical key, but the following description describes also operations carried out by the server, the electromechanical lock, and the cellular phone / wireless network. The process may be defined by a computer program comprising instructions configuring a processor of the electromechanical key to carry out the steps of the process, when the processor executes the computer program. The process starts in block 300.

    [0031] In block 302, the key is paired with the cell phone carried by the user. In another embodiment, the pairing is carried out between the key and a wireless network realized by a network of base stations installed in the premises where the access control system is used. When both the electromechanical key and the cellular phone or the wireless network support Bluetooth communication technology, the pairing may be a conventional Bluetooth pairing. The Bluetooth specification version may be Bluetooth 2.1 + EDR (Enhanced Data Rate) class 1 but other specification versions may alternatively be used, depending on the required data transfer capacity, required operational range, and power consumption requirements. Step 302 may be executed when the key is given to the user, and no pairing is necessarily needed again unless the user acquires a new cellular phone or a key.

    [0032] In block 304, the control circuitry of the key controls the communication circuitry to establish a communication connection with an ASP (Application Service Provider) server managing the access rights. The communication connection may be a TCP/IP connection, and an IP address of the ASP server may be stored in the memory of the key or in the memory of the cellular phone. In the latter case, the IP address of the ASP server may be read in connection with the pairing in block 302. The TCP/IP connection between the key and the ASP server is routed through the cellular phone or wireless network with which the pairing was performed in block 302. The cellular phone may route the TCP/IP connection through the public cellular telecommunication system and through the Internet, and the wireless network may route the TCP/IP connection through the private network installed in the premises of the access control system. Since the connection is used for transferring the sensitive access codes, the TCP/IP connection may be encrypted with a cryptographic protocol, such as SSL (Secure Sockets Layer) or TLS (Transport Layer Security). In other words, the whole end-to-end connection between the key and the server is encrypted, ensuring reliable transmission of the access codes from the server to the key. Due to the nature of such encryption protocols, acquiring the access codes from any intermediate point in the route of the TCP/IP connection is virtually impossible.

    [0033] The connection in block 304 is established automatically without any user intervention. The control circuitry of the key is configured to autonomously utilize the Bluetooth dial-up networking profile (or a corresponding profile of another radio access scheme) so as to configure the cellular phone / wireless network to establish the TCP/IP connection. In other words, the cellular phone is used merely as a modem or a bridge for routing the connection, and such operation is invisible to the user in that the user does not have to operate the cellular phone after the initial, one-time pairing in block 302. The establishment of the connection may include transmission of encrypted key identification data enabling the ASP server to identify the key (and the user of the key). Upon establishment of the connection with the ASP server in block 304, the control circuitry transmits a request for up-to-date access codes to the ASP server in block 306. The ASP server receives the request, checks a database storing the access rights for each key/user of the access control system in order to acquire access codes currently linked to the key (or the user of the key) requesting the access codes. The database may store identifiers of all the locks in the access control system as being associated with an access code which opens the particular lock. Upon acquiring the access codes and corresponding door identifiers from the database, the ASP server transmits the access codes and corresponding door identifiers over the encrypted TCP/IP connection to the key. The key receives the access codes and corresponding door identifiers and stores them in the memory. Then, the TCP/IP connection may be terminated or, alternatively, it may be maintained so that the establishment of a new connection in connection with the next access right update may be omitted. The key may be configured to update the access rights, i.e. to request the ASP server to send up-to-date access codes, at predetermined intervals. In other words, blocks 304 and 306 may be carried out at the predetermined time intervals to ensure that the key has up-to-date access codes all the time. The predetermined interval may be a one-minute interval, for example. If the TCP/IP connection is maintained, the key may omit block 304, and block 304 may be carried out when the key enters the premises of the access control system and the TCP/IP connection is newly created, or when the TCP/IP connection breaks down for some reason, e.g. a time out.

    [0034] Next, let us consider the operation of the electromechanical key when the key is used to open a lock of the access control system. When the user brings the counterpart interfaces provided in the lock and the key into contact with each other, the electrical connection between the lock and the key is detected in the control circuitry of the key in block 308, and the process proceeds to block 310 or 312. Block 310 is optionally executed, when the key is configured to retrieve up-to-date access codes every time a lock is being accessed. Block 310 includes the retrieval of the up-to-date access codes from the ASP server, i.e. execution of block 306 and optionally block 304 (if the connection has not been maintained). The embodiment including the execution of block 310 is advantageous when the access rights of the user have just been modified by adding new access rights to a given lock. The user may simply try to access the lock, and the key retrieves the updated access codes automatically with no need to wait for the next periodic check. In an embodiment, the periodic retrieval of the access codes is omitted, and the key is configured to access the ASP server only in connection with an access event, e.g. when the user tries to access a lock of the access control system. The key may identify the access event with a given lock, with which the electric connection is detected in block 308, by successfully retrieving an identifier of the lock through the electric connection, i.e. from the fact that the lock and the key are able to communicate with each other.

    [0035] In block 312, the control circuitry reads the lock's identifier received through the electromagnetic interface over the electric connection between the lock and the key. If the execution of block 310 is dependent on the correct reading of the lock's identifier, block 312 may be executed before block 310. In block 314, the control circuitry accesses the memory to check whether or not the memory includes an entry for the lock identifier read in block 312. If the memory includes the entry for the lock identifier, the control circuitry retrieves an access code linked to the lock identifier. In block 316, the control circuitry transfers the access code to the lock through the electromechanical interface over the electric connection between the lock and the key. Upon verifying the correct access code, the authentication circuitry of the lock may be configured to transmit an acknowledgment message to the key over the electric connection so that the control circuitry of the key obtains information on the successful entry. The authentication circuitry may also control the actuator to open the lock, as described above. If the memory of the key contains no entry for the lock identifier, the lock access procedure ends. The control circuitry may also send an error message to the lock, and the lock may indicate an erroneous entry to the user by flashing a red light or by providing another visual or audiovisual indication that the access has been denied. In connection with a failed access, the control circuitry of the key may be configured to transmit a message indicating the failed access to the server. The message may include the identifier of the lock so that the failed access is linked to the appropriate lock and optionally time information indicating the time when the entry was attempted. The time may, however, be determined implicitly from the time when the message is transferred to the ASP server. The ASP server may check whether or not the key had rights to access that door at the time the entry was made so as to verify whether the user has tried to access a lock which he/she has no rights to access or whether there has been an operational error in the lock, key, server, or in the communication between them. Thus, the system may record operational failures so as to detect faulty components in the access control system, and the system may also record information that the user has tried to access a lock to which (s)he has no access rights.
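The server-side check of a failed-access message described in paragraph [0035] can be sketched as follows. This is an added Python example, not part of the patent; the record fields, the grant-history table, the two-key threshold for flagging a lock, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

UNAUTHORIZED = "unauthorized_attempt"   # key had no right at that time
OPERATIONAL = "operational_error"       # key had the right, access still failed


@dataclass(frozen=True)
class Grant:
    """One access right as the server database held it over time (assumed schema)."""
    key_id: str
    lock_id: str
    valid_from: datetime
    valid_to: Optional[datetime] = None  # None: the right is still in force


@dataclass(frozen=True)
class FailedAccess:
    """Failed-access message sent by the key (field names are assumed)."""
    key_id: str
    lock_id: str
    attempted_at: Optional[datetime] = None  # the optional time information


def had_right(grants: Iterable[Grant], key_id: str, lock_id: str, at: datetime) -> bool:
    """True if the key held a right to the lock at the given instant."""
    return any(
        g.key_id == key_id and g.lock_id == lock_id
        and g.valid_from <= at and (g.valid_to is None or at < g.valid_to)
        for g in grants
    )


def triage(report: FailedAccess, grants: List[Grant], received_at: datetime) -> str:
    """Classify one failed access as an unauthorized attempt or a fault."""
    # Without time information, the time of transfer to the server is used.
    at = received_at if report.attempted_at is None else report.attempted_at
    if had_right(grants, report.key_id, report.lock_id, at):
        return OPERATIONAL
    return UNAUTHORIZED


def suspect_locks(reports: Iterable[FailedAccess], grants: List[Grant],
                  received_at: datetime, threshold: int = 2) -> List[str]:
    """Locks where at least `threshold` distinct entitled keys failed to open."""
    pairs = {(r.lock_id, r.key_id) for r in reports
             if triage(r, grants, received_at) == OPERATIONAL}
    counts = Counter(lock for lock, _ in pairs)
    return sorted(lock for lock, n in counts.items() if n >= threshold)


# Constructed sample data.
T0 = datetime(2024, 1, 8, 8, 0)
GRANTS = [
    Grant("key-A", "lock-1", T0),
    Grant("key-B", "lock-1", T0),
    Grant("key-A", "lock-2", T0, T0 + timedelta(hours=4)),  # revoked at 12:00
]
RECEIVED = T0 + timedelta(hours=6)  # all messages reach the server at 14:00
REPORTS = [
    FailedAccess("key-A", "lock-1", T0 + timedelta(hours=1)),  # entitled
    FailedAccess("key-B", "lock-1"),                           # entitled, no time sent
    FailedAccess("key-A", "lock-2", T0 + timedelta(hours=5)),  # after revocation
    FailedAccess("key-C", "lock-1", T0 + timedelta(hours=1)),  # never entitled
]

if __name__ == "__main__":
    for r in REPORTS:
        print(r.key_id, r.lock_id, triage(r, GRANTS, RECEIVED))
    print("locks to inspect:", suspect_locks(REPORTS, GRANTS, RECEIVED))
```

When a right was revoked between the attempt and the delayed delivery of the message, the implicit arrival time classifies the event differently from the key's own time information, which is why the explicit time matters for audit accuracy.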

    [0036] The control circuitry of the key may be configured to transfer a message of a successful entry to a given lock to the ASP server for location tracking purposes. Such a message may comprise an indication of the successful entry and an identifier of the lock which has been successfully opened. The transfer of such a message may be triggered by the acknowledgment message received from the lock as a result of the successful entry. On the basis of the information received from the key, the server may record the locks the user of the key has accessed successfully and times when the locks have been accessed so as to track the movement of the user in the premises of the access control system. The server stores a layout of the premises of the access control system where physical locations of the electromechanical locks have been stored. When the server receives information on the lock a given key has accessed, it maps the key to a given location when the server knows the physical location of that lock.

    [0037] The location tracking may also be used for tracking working time of the user when the access control system is installed in a workplace. The ASP server is further configured to count a time of presence of a given personal electronic device from access information received from the keys of the staff. The location tracking may be used for monitoring and storing the working time of each member of the staff on the basis of the time duration the staff member is detected to have been in the premises of the area where the location tracking is carried out. The start time is the time when the staff member accesses an entry/exit door of the premises for the first time, i.e. when the key of the staff member indicates entry through that door. The end time is the time when the key indicates exit through the entry/exit door or another corresponding entry/exit door. The working time may be stored in the user record on a daily basis. The server may each day store a time when a given key is detected in the area and a time when the key is assumed to have left the area. From these stored times, the duration of presence of the personal radio communication device in the area may be calculated by applying simple mathematics, and the thus obtained working hours per day may be stored in the user record.

    [0038] The location tracking may be utilized for other purposes as well. For example, the user's cellular phone (or another communication device or devices) may be linked to the location tracking system and to the ASP server. This enables a given user to establish a voice connection to a selected place, instead of a selected phone number. The user may establish a call which is routed to the ASP server, wherein the call establishment includes transfer of a message comprising an identifier of the location that the caller wishes to call. Then, the ASP server checks the location tracking records in order to find another user closest to the desired location and, upon finding such a user, the ASP server routes the call connection to that user's cellular phone (or another communication device).

    [0039] According to the invention, the location tracking is used for routing alarm messages to the nearest persons. The key, cellular phone, or another device carried by the user may be used for transmitting an alarm message to the server. According to the invention, the key comprises an alarm button which, when pressed, configures the control circuitry to transmit the alarm message to the ASP server. The alarm message is an indication that help is needed in the location where the user requesting help is located. Upon reception of such a message, the server checks the location tracking records in order to find another user closest to the desired location and, upon finding such a user, the ASP server routes the alarm to that user's cellular phone (or another communication device) in connection with the location where the help is needed (the most recent location of the user/key requesting the help). This may be particularly useful in a hospital or other health care institutions where emergencies occur. Other location tracking means for monitoring the location of the users in the premises are used in other embodiments.
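The lock-based location tracking of paragraph [0036] and the alarm routing of paragraph [0039], as an added Python example that is not part of the patent. The coordinate layout, straight-line distance as the measure of "closest", the device addresses, and the handling of out-of-order messages are assumptions; all sample values are constructed.

```python
import math
from typing import Dict, Optional, Tuple

Point = Tuple[float, float]


class LocationTracker:
    """Maps each key to the physical location of the lock it last opened."""

    def __init__(self, layout: Dict[str, Point], devices: Dict[str, str]) -> None:
        self.layout = layout      # lock_id -> position in the stored layout
        self.devices = devices    # key_id -> address of the user's device
        self.last_seen: Dict[str, Tuple[str, float]] = {}  # key_id -> (lock_id, time)

    def record_access(self, key_id: str, lock_id: str, ts: float) -> bool:
        """Store a successful-entry message; False if the lock is not in the layout."""
        if lock_id not in self.layout:
            return False
        prev = self.last_seen.get(key_id)
        # A message delivered late must not overwrite a more recent position.
        if prev is None or ts >= prev[1]:
            self.last_seen[key_id] = (lock_id, ts)
        return True

    def position(self, key_id: str) -> Optional[Point]:
        seen = self.last_seen.get(key_id)
        return self.layout[seen[0]] if seen else None

    def route_alarm(self, key_id: str) -> Optional[dict]:
        """Pick the closest other tracked user who has a reachable device."""
        origin = self.position(key_id)
        if origin is None:
            return None  # no tracking record: the alarm cannot be localized
        best: Optional[Tuple[float, str]] = None
        for other in sorted(self.last_seen):  # sorted: deterministic tie-break
            if other == key_id or other not in self.devices:
                continue
            dist = math.dist(origin, self.layout[self.last_seen[other][0]])
            if best is None or dist < best[0]:
                best = (dist, other)
        if best is None:
            return None  # nobody else is being tracked
        return {
            "responder": best[1],
            "notify_device": self.devices[best[1]],
            "alarm_lock": self.last_seen[key_id][0],
            "alarm_position": origin,
            "distance": best[0],
        }


def demo_tracker() -> LocationTracker:
    """Constructed hospital-style sample: four doors, three tracked keys."""
    layout = {"door-main": (0.0, 0.0), "ward-1": (10.0, 0.0),
              "ward-2": (10.0, 8.0), "lab": (30.0, 0.0)}
    devices = {"key-anna": "dev-anna", "key-ben": "dev-ben", "key-cia": "dev-cia"}
    tracker = LocationTracker(layout, devices)
    tracker.record_access("key-ben", "lab", 90.0)
    tracker.record_access("key-cia", "ward-2", 95.0)
    tracker.record_access("key-anna", "ward-1", 100.0)
    tracker.record_access("key-cia", "door-main", 50.0)  # delayed, older message
    return tracker


if __name__ == "__main__":
    print(demo_tracker().route_alarm("key-anna"))
```

Because the position is only as fresh as the last lock access, the responder chosen is the nearest by record, not necessarily the nearest in fact.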

    [0040] The database of the ASP server stores key or user identifiers indicating the locks that each key or user is allowed to open. A particular key may thus be configured to open a plurality of locks, rather than having a dedicated key for every lock. Additionally, the set of locks to which a certain key/user has access rights may be updated in real time simply by editing the database. When detecting a change in the access rights of a given user/key, the ASP server may be triggered to transmit the updated access codes to the key immediately so that the updated access rights are put to use immediately. In this embodiment, the periodic update check and/or block 310 described above in connection with Figure 3 may even be omitted, although it is not necessary. The key may still verify that it has appropriate access rights periodically or when a lock is being accessed. Upon reception of the updated access codes from the server, the key modifies the stored access codes so as to make them up-to-date. The transfer of the updated access codes and lock identifiers from the server to the key may include all the key identifiers and corresponding access codes to which access is granted every time the access rights update is carried out. If the update includes addition of one or more new access rights, only new access codes and lock identifiers may be sent to the key and no old access rights which have already been transferred need to be sent again. Similarly, if the update includes deletion of access rights, the ASP server may send a message indicating which access rights (access code and lock identifier) need to be deleted. This reduces the amount of data traffic, since transfer of redundant information is reduced.

    [0041] If the TCP/IP connection between the ASP server and the key is disconnected unexpectedly, the key may be configured to attempt reestablishment of the connection. If the reestablishment is not successful within a determined duration or number of attempts, the control circuitry of the key may be configured to irrevocably erase the access rights from the memory. The control circuitry may alternatively erase the access rights immediately upon losing TCP/IP connection with the server. As a consequence, the access codes will be deleted immediately if the user's key is stolen and the connection to the cellular phone or wireless network is lost or if the connection to the ASP server is otherwise lost. This improves the security of the system.
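The key-side handling of full and incremental access-right updates from paragraph [0040] and the erase-on-disconnect behaviour from paragraph [0041], as one added Python example that is not part of the patent. The message layout (`type`, `entries`), the class and method names, and the default of three reconnection attempts are assumptions; the codes shown are constructed.

```python
from typing import Dict, List, Optional


class KeyCredentialStore:
    """Access codes held in the key's memory, indexed by lock identifier."""

    def __init__(self, max_reconnect_attempts: int = 3,
                 erase_on_loss: bool = False) -> None:
        self._codes: Dict[str, bytearray] = {}
        self._max = max_reconnect_attempts
        self._erase_on_loss = erase_on_loss  # the "erase immediately" variant
        self._failed = 0

    def _drop(self, lock_id: str) -> None:
        old = self._codes.pop(lock_id, None)
        if old is not None:
            # Overwrite before release. Best effort in Python; firmware would
            # also have to erase the backing flash to make this irrevocable.
            old[:] = bytes(len(old))

    def wipe(self) -> None:
        for lock_id in list(self._codes):
            self._drop(lock_id)

    def apply_update(self, msg: dict) -> None:
        """Apply a server update: 'full' replaces, 'add' merges, 'delete' removes."""
        kind, entries = msg["type"], msg["entries"]
        if kind not in ("full", "add", "delete"):
            raise ValueError(f"unknown update type: {kind!r}")
        if kind == "full":
            self.wipe()  # rights absent from a full update are revoked
        if kind == "delete":
            for lock_id in entries:
                self._drop(lock_id)
        else:
            for lock_id, code in entries.items():
                self._drop(lock_id)
                self._codes[lock_id] = bytearray(code)

    def code_for(self, lock_id: str) -> Optional[bytes]:
        """Access code for a lock, or None when the key has no entry for it."""
        code = self._codes.get(lock_id)
        return bytes(code) if code is not None else None

    def lock_ids(self) -> List[str]:
        return sorted(self._codes)

    def on_connected(self) -> None:
        self._failed = 0

    def on_connection_lost(self) -> bool:
        """Returns True if the codes were erased at the moment of loss."""
        if self._erase_on_loss:
            self.wipe()
            return True
        return False

    def on_reconnect_failed(self) -> bool:
        """Count one failed reconnection; erase once the limit is reached."""
        self._failed += 1
        if self._failed >= self._max:
            self.wipe()
            return True
        return False


# Constructed sample update, as the server might send it after pairing.
FULL_UPDATE = {"type": "full",
               "entries": {"lock-1": b"\x11\x22", "lock-2": b"\x33\x44"}}

if __name__ == "__main__":
    store = KeyCredentialStore(max_reconnect_attempts=2)
    store.apply_update(FULL_UPDATE)
    store.apply_update({"type": "delete", "entries": {"lock-1": b"\x11\x22"}})
    print(store.lock_ids())
    store.on_connection_lost()
    print(store.on_reconnect_failed(), store.on_reconnect_failed(), store.lock_ids())
```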

    [0042] As described above, the whole operation for retrieving the access rights and communicating with the lock so as to enter the access code is carried out automatically without any user interaction. The user only has to bring the counterpart interfaces provided in the electromechanical key and the lock into connection with one another, and then open the door, latch, or another element the lock protects. As a consequence, the user convenience and speed of opening the lock is improved, as the complexity of the procedure is reduced.

    [0043] As mentioned above, the process or method described in Figure 3 may also be carried out in the form of a computer process defined by a computer program. The computer program may be in source code form, object code form, or in some intermediate form, and it may be stored in some sort of carrier, which may be any entity or device capable of carrying the program. Such carriers include a record medium, computer memory, read-only memory, electrical carrier signal, telecommunications signal, and software distribution package, for example. Depending on the processing power needed, the computer program may be executed in a single electronic digital processing unit or it may be distributed amongst a number of processing units.

    [0044] The present invention is applicable to any access control system utilizing electromechanical locks. The electromechanical locks require no connection with the server, and in some embodiments they do not even require batteries as the energy needed for the authentication and opening the lock is provided by the user with mechanical motion. This facilitates the installation of the system. Otherwise, the installation is very simple. The database of the server is constructed to contain the access rights for the users/keys. The keys are preconfigured to carry out the operations described above. When taken into use, a key may be paired with the user's cellular phone or the wireless network, and after the pairing the key automatically acquires the access rights. Depending on the radio access protocol the keys are configured to use, even the pairing may be omitted. The radio access protocols used, the specifications of such communication systems, their network elements and user devices, develop rapidly. Such development may require extra changes to the described embodiments. Therefore, all words and expressions should be interpreted broadly and they are intended to illustrate, not to restrict, the embodiment.

    [0045] It will be obvious to a person skilled in the art that, as technology advances, the inventive concept can be implemented in various ways. The invention and its embodiments are not limited to the examples described above but may vary within the scope of the claims.


    Claims

    1. An access control system comprising:
    an electromechanical key (106) associated with a first user, comprising:

    an electronic interface (140) comprising a protrusion matching a receptacle in a counterpart interface (112) provided in an electromechanical lock (116) that the electromechanical key is adapted to open when the protrusion is inserted into the receptacle so as to implement a mechanical connection and an electronic connection between the lock and the key;

    a communication circuitry (134) configured to establish a radio connection;

    a memory (130) for storing access codes; and

    a control circuitry (132) configured to control the communication circuitry (134) to establish, autonomously without user intervention, an end-to-end communication connection with a server (101) managing access rights, to communicate with the server (101) so as to receive an access code granting access to at least one electromechanical lock, and to communicate an appropriate access code received from the server to the electromechanical lock (116) through the electronic connection (110) between the electromechanical key (106) and the electromechanical lock (116) so as to open the electromechanical lock (116);

    the system further comprising said at least one electromechanical lock (116) comprising an electronic interface (112) functioning as the counterpart interface, the electronic interface comprising the receptacle, an actuator (124) for opening the lock, and an authentication circuitry (142) configured to control the actuator to open the lock in response to a correct access code obtained from the electromechanical key through the electronic interface (112); and

    the system further comprising a server (101) configured to manage access rights of a plurality of electromechanical keys suitable for opening the at least one electromechanical lock, the plurality of electromechanical keys including the electromechanical key, and to communicate with the plurality of electromechanical keys so as to transmit access codes to the electromechanical keys, wherein the server is configured to transmit to each electromechanical key only access codes to those electromechanical locks for which each electromechanical key is arranged to have access rights,

    the system further comprising location tracking means for monitoring locations of users in the premises of the access control system; wherein the electromechanical key is configured to transmit to the server a message indicating an attempted access after it has attempted to open an electromechanical lock, wherein the transmitted message includes at least an identifier of the lock that has been accessed,

    characterized in that the electromechanical key comprises an alarm button, and wherein the control circuitry is configured to transmit, in response to depression of the alarm button, an alarm message to the server;

    wherein the server is configured to store a layout of the premises of the access control system where physical locations of the electromechanical locks have been stored, to track the location of the electromechanical key by mapping, upon receiving the message comprising information on the electromechanical lock the electromechanical key has accessed, the electromechanical key to a physical location of the electromechanical lock and, in response to reception of the alarm message, to check location tracking records in order to find out a second user closest to the location of the electromechanical key and, upon finding such a second user, to route an alarm to the second user's communication device in connection with the physical location of the electromechanical key.


     
    2. An access control system of claim 1, wherein the server is configured to store the access codes of the at least one electromechanical key in a database, to detect modification of the access codes of a given electromechanical key in the database, and to communicate the modified access codes to the corresponding electromechanical key in response to the detection of the modification of the access codes, and wherein the electromechanical key is configured to receive the modified access codes and update the previous access codes according to the received access codes.
     


    Claims

    1. An access control system comprising:
    an electromechanical key (106) associated with a first user, comprising:

    an electronic interface (140) comprising a protrusion that matches a receptacle in a counterpart interface (112) provided in an electromechanical lock (116) that the electromechanical key can open when the protrusion is inserted into the receptacle, so as to implement a mechanical connection and an electronic connection between the lock and the key;

    a communication circuitry (134) configured to establish a radio connection;

    a memory (130) for storing access codes; and

    a control circuitry (132) configured to control the communication circuitry (134) so that it autonomously establishes, without user intervention, an end-to-end connection with a server (101) that manages access rights, communicates with the server (101) so as to receive an access code granting access to at least one electromechanical lock, and communicates a corresponding access code received from the server to the electromechanical lock (116) through the electronic connection (110) between the electromechanical key (106) and the electromechanical lock (116) so as to open the electromechanical lock (116);

    wherein the system further comprises at least one electromechanical lock (116) comprising an electronic interface (112) that functions as the counterpart interface, the electronic interface comprising the receptacle, an actuator (124) for opening the lock, and an authentication circuitry (142) configured to control the actuator to open the lock in response to a correct access code obtained from the electromechanical key through the electronic interface (112); and

    wherein the system further comprises a server (101) configured to manage access rights of a plurality of electromechanical keys suitable for opening the at least one electromechanical lock, the plurality of electromechanical keys including the electromechanical key, and to communicate with the plurality of electromechanical keys so as to send access codes to the electromechanical keys, wherein the server is configured to send to each electromechanical key only access codes for those electromechanical locks for which each electromechanical key is arranged to have access rights,

    wherein the system further comprises location tracking means for monitoring locations of users in the premises of the access control system; wherein the electromechanical key is configured to send to the server a message indicating an access attempt after it has attempted to open an electromechanical lock, wherein the sent message comprises at least an identifier of the lock that has been accessed,

    characterized in that the electromechanical key comprises an alarm button,

    and wherein the control circuitry is configured to send, in response to pressing of the alarm button, an alarm message to the server;

    wherein the server is configured to store a site plan of the premises of the access control system on which physical locations of the electromechanical locks have been stored, to track, upon receiving the message with information on the electromechanical lock that the electromechanical key has accessed, the location of the electromechanical key by mapping the electromechanical key to a physical location of the electromechanical lock and, in response to reception of the alarm message, to check location tracking records in order to determine a second user who is closest to the location of the electromechanical key and, upon finding such a second user, to route an alarm, in connection with the physical location of the electromechanical key, to the communication device of the second user.



    2. An access control system according to claim 1, wherein the server is configured to store the access codes of the at least one electromechanical key in a database, to detect a modification of the access codes of a given electromechanical key in the database, and to communicate the modified access codes to the corresponding electromechanical key in response to the detection of the modification of the access codes, and wherein the electromechanical key is configured to receive the modified access codes and to update the previous access codes according to the received access codes.
     


    Claims

    1. An access control system comprising:
    an electromechanical key (106) associated with a first user, comprising:

    an electronic interface (140) comprising a protrusion corresponding to a receptacle in a counterpart interface (112) provided in an electromechanical lock (116) that the electromechanical key is designed to open when the protrusion is inserted into the receptacle so as to make a mechanical connection and an electronic connection between the lock and the key;

    communication circuitry (134) configured to establish a radio connection;

    a memory (130) for storing access codes; and

    control circuitry (132) configured to control the communication circuitry (134) to establish, autonomously without user intervention, an end-to-end communication connection with a server (101) that manages access rights, to communicate with the server (101) so as to receive an access code that grants access to at least one electromechanical lock, and to communicate an appropriate access code received from the server to the electromechanical lock (116) via the electronic connection (110) between the electromechanical key (106) and the electromechanical lock (116) so as to open the electromechanical lock (116);

    the system further comprising said at least one electromechanical lock (116) comprising an electronic interface (112) functioning as the counterpart interface, the electronic interface comprising the receptacle, an actuator (124) for opening the lock, and authentication circuitry (142) configured to control the actuator to open the lock in response to a correct access code obtained from the electromechanical key via the electronic interface (112); and

    the system further comprising a server (101) configured to manage the access rights of a plurality of electromechanical keys suitable for opening said at least one electromechanical lock, the plurality of electromechanical keys including the electromechanical key, and to communicate with the plurality of electromechanical keys so as to transmit the access codes to the electromechanical keys, wherein the server is configured to transmit to each electromechanical key only the access codes to the electromechanical locks for which each electromechanical key is arranged to have access rights,

    the system further comprising location tracking means for monitoring the locations of users in the premises of the access control system; wherein the electromechanical key is configured to transmit to the server a message that indicates an attempted access after it has attempted to open an electromechanical lock, wherein the transmitted message comprises at least an identifier of the lock that has been accessed,

    characterized in that the electromechanical key comprises an alarm button,

    and wherein the control circuitry is configured to transmit, in response to depression of the alarm button, an alarm message to the server;

    wherein the server is configured to store a layout of the premises of the access control system where the physical locations of the electromechanical locks have been stored, to track the location of the electromechanical key by mapping, upon receiving the message that comprises information on the electromechanical lock that the electromechanical key has accessed, the electromechanical key to a physical location of the electromechanical lock and, in response to reception of the alarm message, to check the location tracking records in order to find a second user closest to the location of the electromechanical key and, upon finding such a second user, to route an alarm to the communication device of the second user in connection with the physical location of the electromechanical key.



    2. An access control system according to claim 1, wherein the server is configured to store the access codes of said at least one electromechanical key in a database, to detect a modification of the access codes of a given electromechanical key in the database, and to communicate the modified access codes to the corresponding electromechanical key in response to the detection of the modification of the access codes, and wherein the electromechanical key is configured to receive the modified access codes and update the previous access codes in accordance with the received access codes.
     


















    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description