Quality control

Richard Jenkins, Chief Executive at the National Security Inspectorate (NSI), offers advice on finding the right suppliers to help manage access to your buildings

Access control reduces risk and increases the safety of those working in or visiting a building. Whether introduced retrospectively to enhance security measures or as part of a new construction project, a comprehensive access control system can improve overall security.

According to a 2017 Memoori report, ‘Market size and major trends in the access control market 2017 to 2022’, the global access control market is set to grow by a compound annual growth rate of over eight per cent until 2022, driven by high adoption of access control solutions as a result of deploying increased safety measures. Following introduction of the General Data Protection Regulation (GDPR), identity management and technological advancements, such as increasingly reliable wireless technology and adoption of IoT-based security systems with cloud computing platforms, are fuelling growth and enhancing performance.

Various product designs and levels of sophistication are available. Requirements vary depending on whether a building is single occupancy or multi-tenanted, and it’s important to specify system needs thoroughly and precisely. Whatever the environment, the same questions of need and operability apply. It’s not just hardware elements that need to be fit for purpose – system design must also address specific applications and planned use.

For example, different credentials or recognition technologies can be deployed for users to gain access to controlled areas of a building. Recognition technologies fall into three categories: something known to the user, such as a Pin code; something carried by the user, such as a token, fob or card; and a unique identifier, perhaps a biometric such as fingerprint or retina recognition.

Door controller software at the heart of a system may be set to determine access rights for individuals at any given time. Parameters can vary dependent on the sophistication and scale of the system, including the number of readers and zones being controlled from any one point.

Some of the options include:

• A single standalone door controller linked to a single door with no software
• Multiple door controllers networked to a single PC controlling a single zone or site
• Multiple zone configurations networked over a wide network area (could be appropriate for larger, more complex environments such as hospitals or schools).

CERTIFIED PROVIDERS
It is natural to focus on hardware elements, but intelligent software design delivering fit-for-purpose installations is equally important. So where should those responsible for a building’s security look for their access control solution, or the maintenance of an existing system?

Buyers need to be confident that their providers are working to the highest industry standards, with the capability to assess risks and interpret the buyer’s specific requirements. When selecting a provider, it’s useful to consider prospective suppliers’ third-party certification or approval credentials.

As a certification body specialising in the security and fire safety sector, NSI has an active register of over 1,800 approved companies, all of whom have been rigorously audited for compliance against a wide variety of scopes and codes of practice. For installers of systems this means taking into account British standards as well as other industry best practice.

For example, NSI’s code of practice NCP 109 for the design, installation and maintenance of access control systems draws on the Equality Act 2010, the Disability Discrimination Act 2005, BS 7273-4 for fire protection (activation of release mechanisms for doors) and BS 7671 for electrical installations. It requires access control installers to assign each system access point with a risk classification according to the level of security required: class I (low risk), class II (low to medium risk), class III (medium to high risk), and class IV (high risk).

All NSI Nacoss Gold and Systems Silver-approved companies working to this code of practice are equipped to advise on the most appropriate system given the needs of the building being managed.

As part of the design and specification process, NSI-approved installers undertake a risk assessment. This is a review of the assessed threat, points of higher exposure and expected people flows. It considers means of escape in the event of a fire or security incident, and the most suitable type of recognition technology.

Along with identified risks and recognition needs, the number of access points to be secured and monitored – including by video surveillance and remote monitoring – are factored in to the design. This includes the need to manage variation in risk classification for access points, which may vary between daylight hours and hours of darkness, weekdays and weekends, or during other critical periods where the risk factors may be different.

NSI-approved installers issue for each new access control system a certificate of compliance that affirms the installation has been delivered in accordance with NSI code of practice 109.

It’s normal for the components of any access control system to deteriorate with time. Doors, latches, card readers, closing devices and proximity cards all become worn at some point and could create a loophole in the security and, indeed, fire safety systems. NSI-approved companies share a log of activity that demonstrate the system has been comprehensively maintained, not dissimilar in concept to a vehicle MOT.

RISK MANAGEMENT
Record-keeping and data security are also considered. Typically, individuals log in, which means permissions are a point of risk. Failsafe system controls and procedures can ensure recognition log-ins are up to date, with permissions for employees added and withdrawn in a timely fashion. This is basic risk management. Access control systems store personal data which must be held securely. Data protection requirements (including GDPR) must be embraced by the data controller and data processor(s).

Well-recognised codes of practice, such as NSI’s NCP 109, are designed to demonstrate the credentials of specialist security providers to buyers and users, helping to ensure good practice by providers and operators in managing security risk. They provide a framework to assist specifiers, installers and users in establishing risk, needs and requirements, and help specifiers and users to determine the appropriate level of security and sophistication required for a given application. They also assist system designers in meeting specifier or user requirements.

The successful operation of access control systems is built on clear collaboration between specifiers, users and installers. Security can only be achieved with carefully developed and clearly understood specifications and usability in practice. Design must consider hardware components, take account of a dynamic risk assessment, and be based on knowledge of preferred modes of operation, management and maintenance. Working with approved installers competent in end-to-end delivery of a solution means peace of mind for specifier and user alike in delivering secure environments.

From the facilities manager’s perspective, choosing an NSI-approved company provides confidence that their provider is subject to ongoing independent inspection of its competence, business practice and communications with clients, including sample inspections of installations.

NSI Nacoss Gold approval includes certification to BS EN ISO 9001 (for a company’s quality management system) as well as adherence to the relevant standards detailed in the NCP 109. Companies that benchmark themselves against NSI approval schemes demonstrate commitment to the highest standards of competence in the design, delivery, operation, management and maintenance of access control systems.

NSI’s independent approval provides assurance to facilities managers that installers, operators and the management of access control systems deliver consistent best practice in helping keep people safe.