Access Control Systems

Revision 1 · SynC Standards Team — SynC Platform Team, SynC (SynC Platform Team / Platform Standards) ✓ Official · May 28, 2026 +854 −0

Initial publication
Showing changes from Initial revision to Rev 1 in Access Control Systems.
+---
+title: Access Control Systems
+category: Electrical
+toc_depth: 3
+description: >
+ When to use: Electronic access control systems for managing pedestrian entry into commercial, institutional, and industrial buildings. Covers system architecture (standalone, networked, and cloud-managed), door controllers and panels, credential readers and credentials, electrified door hardware coordination, request-to-exit devices, door position switches, low-voltage power supplies with battery backup, controller and reader cabling, head-end software, user management and audit, fire alarm release interface, cybersecurity, and acceptance testing for swinging pedestrian doors.
+ Not intended for: Video surveillance and intercom systems (separate standards); intrusion detection alarm systems (see UL 1076 burglar alarm systems); parking gate, vehicle barrier, and turnstile control; biometric-only systems without card or mobile credentials; mass notification and emergency communications (see [[sync/fire-alarm-systems]]); the door, frame, and electrified locking hardware itself (see [[sync/doors-frames-and-hardware]]); building automation systems integrated for environmental control (see [[sync/building-automation-system]]); telecommunications cabling backbone beyond the access control horizontal cabling.
+---
+
+# Scope
+
+This specification covers the design, equipment, installation, programming, and testing of an electronic access control system (ACS) for controlling pedestrian entry into and movement within a building. The system shall identify users by credential, validate their access privileges against a rule set maintained by a head-end software platform, and electrically operate door hardware to permit or deny passage at controlled openings. The system shall additionally monitor door position and request-to-exit conditions, log every access event and exception, and interface with the building fire alarm system to release fail-safe locking devices on alarm.
+
+The access control system is a coordinated assembly of electronic head-end software, networked door controllers, credential readers, request-to-exit devices, door position switches, low-voltage power supplies, and the electrified door hardware that physically secures each opening. This standard governs the electronic head-end, the controllers, the reader-side devices, and the wiring; the electrified locking hardware itself — the electric strike, electromagnetic lock, electrified mortise lock, electrified cylindrical lock, or electric exit device — is procured and installed under [[sync/doors-frames-and-hardware]] and shall be coordinated under this standard.
+
+Every controlled opening is a system. The Contractor shall coordinate the access control scope with [[sync/doors-frames-and-hardware]] for lock selection, frame and door preparation, and hardware-set finalization; with [[sync/fire-alarm-systems]] for the release of fail-safe locks on fire alarm; with [[sync/conductors-and-cables]] and [[sync/raceways-and-conduit]] for low-voltage pathways; with [[sync/grounding-and-bonding]] and [[sync/telecommunications-bonding]] for the bonding of the head-end and controller equipment; and with [[sync/equipment-labeling]] for device and circuit identification.
+
+This standard addresses electronic access control of swinging pedestrian doors using card, smart card, or mobile credentials. It does not cover video surveillance, intrusion detection alarms, intercom systems, parking and vehicle access control, automatic pedestrian door operators beyond the lock release interface, or biometric-only systems without a supporting card or mobile credential.
+
+# Referenced Standards
+
+Equipment, materials, software, and installation shall comply with the latest adopted edition of the following standards. Where the contract documents, the adopted building code, or a referenced standard conflict, the more stringent requirement shall govern unless the Engineer of Record directs otherwise in writing.
+
+| Standard | Title |
+|----------|-------|
+| UL 294 | Access Control System Units |
+| UL 1034 | Burglary-Resistant Electric Locking Mechanisms |
+| UL 1076 | Proprietary Burglar Alarm Units and Systems |
+| UL 1981 | Central Station Automation Systems |
+| UL 10C | Positive Pressure Fire Tests of Door Assemblies |
+| UL 10B | Fire Tests of Door Assemblies |
+| NFPA 101 | Life Safety Code (egress at access-controlled openings) |
+| NFPA 80 | Standard for Fire Doors and Other Opening Protectives |
+| NFPA 72 | National Fire Alarm and Signaling Code (interface to ACS) |
+| NFPA 70 | National Electrical Code (Articles 725 and 760) |
+| IBC Chapter 10 | International Building Code — Means of Egress |
+| IFC Chapter 10 | International Fire Code — Means of Egress |
+| ICC A117.1 | Accessible and Usable Buildings and Facilities |
+| ADA Standards for Accessible Design | Federal accessibility requirements |
+| ANSI/SIA AC-01 | Access Control General Requirements |
+| SIA OSDP v2.2 | Open Supervised Device Protocol |
+| ANSI/BICSI 008 | Wireless LAN Best Practices for Cabling Installation |
+| ANSI/TIA-568 | Generic Telecommunications Cabling for Customer Premises |
+| ANSI/TIA-569 | Telecommunications Pathways and Spaces |
+| ANSI/TIA-606 | Administration Standard for Telecommunications Infrastructure |
+| ANSI/TIA-607 | Generic Telecommunications Bonding and Grounding |
+| FIPS 201 | Personal Identity Verification (where federal credential interoperability applies) |
+| NIST SP 800-116 | Use of PIV Credentials in Facility Access |
+| ISO/IEC 14443 | Identification cards — Contactless integrated circuit cards (proximity) |
+| ISO/IEC 7816 | Identification cards — Integrated circuit cards |
+
+# Submittals
+
+## Action Submittals
+
+The Contractor shall submit the following to the Engineer of Record for review prior to procurement and prior to beginning installation. The access control submittal is a complete system-level package; partial or piecemeal submittals shall be returned without review.
+
+- Manufacturer's product data for the head-end server platform, every door controller and panel, every reader, every credential type, every power supply, every request-to-exit device, every door position switch, every input/output module, and every accessory item
+- A system riser diagram showing the head-end server, network switches and segmentation, every controller panel, every reader, every electrified door hardware connection, every REX and DPS input, every power supply with backup battery, and the interface to the fire alarm system
+- A door schedule listing every controlled opening by mark number, cross-referenced to the door schedule in [[sync/doors-frames-and-hardware]], indicating reader type and quantity per opening, electrified hardware type (free-egress vs access-controlled vs delayed egress), fail-safe or fail-secure operation, REX device type, DPS configuration, power supply assignment, and controller and reader address
+- A panel schedule for each controller cabinet listing every door served, the assigned reader address, the assigned input/output points, the panel power budget, and the upstream and downstream power supply
+- A head-end architecture diagram showing the server, redundancy or high-availability arrangement, database storage, backup strategy, network segmentation, directory and SSO integration, and any cloud or remote connectivity
+- A sequence-of-operations matrix listing each input (valid credential, invalid credential, REX, DPS open, DPS forced-open, DPS held-open, fire alarm, tamper) and the resulting outputs (unlock, lock, alarm, audit log, notification) for each door type
+- Battery calculations for every UL 294 listed power supply showing standby and alarm current draw, required standby duration, and selected battery amp-hour capacity
+- OSDP configuration documentation including baud rate, Secure Channel keys management, polling intervals, and address assignments
+- Cybersecurity hardening documentation including the cipher suite, certificate management plan, default-credential change procedure, firmware version baseline, and network segmentation approach
+
+```datasheet
+label: Action Submittals Required
+type: checkbox
+options:
+ - "Product data for head-end, controllers, readers, credentials, power supplies, REX, DPS, modules"
+ - "System riser diagram"
+ - "Door schedule cross-referenced to door, frame, and hardware schedule"
+ - "Controller panel schedules with point assignments"
+ - "Head-end architecture diagram"
+ - "Sequence-of-operations matrix"
+ - "Battery calculations for each power supply"
+ - "OSDP configuration documentation"
+ - "Cybersecurity hardening plan"
+default: "Product data for head-end, controllers, readers, credentials, power supplies, REX, DPS, modules"
+```
+
+## Informational Submittals
+
+- Manufacturer's installation instructions for each component, retained on site during installation
+- Installer qualifications documentation, including factory training certificates for the specific controller platform
+- Proposed acceptance test plan including test procedures, schedule, personnel, and forms
+
+## Closeout Submittals
+
+At substantial completion, prior to system acceptance, the Contractor shall submit:
+
+- Accepted acceptance test report signed by the Contractor and the testing technician
+- As-built system drawings reflecting final device addresses, controller programming, and circuit routing
+- Complete head-end programming record: user roles, access levels, time schedules, door groups, holiday schedules, and event-to-action mappings
+- A keyholder turnover package: head-end administrator account credentials, encryption key custody record, recovery procedures, and an inventory of issued credentials at substantial completion
+- Operation and maintenance manual including normal operations, lockdown procedures, after-hours access procedures, credential enrollment and revocation, backup and restore, battery replacement schedule, and firmware update procedure
+- Warranty documentation
+- Manufacturer service contact list and any service-agreement terms
+
+```datasheet
+label: Closeout Submittals Required
+type: checkbox
+options:
+ - "Accepted acceptance test report"
+ - "As-built system drawings with final addresses"
+ - "Head-end programming record"
+ - "Administrator credentials and encryption key turnover package"
+ - "Operation and maintenance manual"
+ - "Warranty documentation"
+ - "Manufacturer service contact list"
+default: "Accepted acceptance test report"
+```
+
+# Quality Assurance
+
+## Installer Qualifications
+
+The access control system shall be installed by a contractor regularly engaged in the design and installation of electronic access control systems with documented experience on at least three projects of comparable size and complexity within the past five years. The installer-in-charge shall hold factory certification on the specific controller platform being installed and shall be present on site during programming, head-end configuration, and acceptance testing.
+
+Personnel making low-voltage terminations at controllers and readers shall be trained in the manufacturer's wiring methods, in OSDP Secure Channel commissioning, and in the project's cybersecurity hardening procedures. Cabling between controllers, readers, and head-end equipment shall be installed by personnel meeting the qualifications of [[sync/conductors-and-cables]] for low-voltage and structured cabling.
+
+```datasheet
+label: Installer Factory Certification
+type: radio
+options:
+ - "Required for the specific controller platform"
+ - "Required for controller platform and head-end software"
+ - "Not required (installer qualifications by experience only)"
+default: "Required for controller platform and head-end software"
+```
+
+## Single-Source Responsibility
+
+The head-end software, door controllers, reader-to-controller protocol stack, and panel-level firmware shall be furnished by a single manufacturer or by a tightly integrated ecosystem of manufacturers documented to interoperate. Multi-source assemblies in which the controller, the head-end, and the readers are sourced independently and integrated only at the field level shall not be acceptable unless the Engineer specifically approves the integration after review of interoperability test documentation.
+
+Credentials and readers, where sourced from a different manufacturer than the controller, shall be confirmed compatible through OSDP v2.2 Secure Channel testing prior to procurement of credentials in quantity.
+
+## Listing and Labeling
+
+The fire alarm interface point — the relay or supervised input that releases fail-safe locks on fire alarm — shall be UL 864 listed where it forms part of the fire alarm system or shall use a UL 294 listed module driven by a UL 864 listed dry contact from the fire alarm control unit. All access control system units shall be listed and labeled to UL 294 by a Nationally Recognized Testing Laboratory. Power supplies shall be UL 294 listed for access control service.
+
+Electrified locking hardware listed to UL 1034 shall be used where the opening is required to resist burglary; the listing requirements for the hardware itself are addressed in [[sync/doors-frames-and-hardware]] and shall be coordinated.
+
+# Environmental and Service Conditions
+
+Access control equipment installed in indoor, conditioned, occupiable spaces shall be rated for 0 °C to 50 °C ambient operating temperature and 0 to 85 percent non-condensing humidity. Equipment installed in unconditioned spaces, electrical rooms, attics, or telecommunications rooms shall be confirmed against the extreme conditions of the space.
+
+Readers installed at exterior openings shall be rated for the local exterior temperature extremes and shall carry an enclosure rating appropriate to the exposure.
+
+```datasheet
+label: Exterior Reader Environmental Rating
+type: select
+options:
+ - "IP55 / NEMA 3R"
+ - "IP65 / NEMA 4"
+ - "IP66 / NEMA 4X (corrosive or wash-down environments)"
+default: "IP65 / NEMA 4"
+```
+
+Equipment installed in spaces with active sprinkler systems shall be located so that direct sprinkler discharge does not impinge on the equipment, or shall be enclosed against discharge. Equipment installed in plenum spaces shall be plenum-rated or shall be installed in conduit per NEC Article 300.
+
+# System Architecture
+
+The access control system shall be configured as a networked architecture with a central head-end software platform, intermediate door controller panels distributed throughout the building, and reader-side devices at each controlled opening. The head-end shall hold the system of record for users, credentials, and access privileges. Controllers shall hold a cached copy of the rule set sufficient to make access decisions autonomously if the head-end network connection is interrupted.
+
+```datasheet
+label: System Architecture
+type: radio
+options:
+ - "Networked, on-premises head-end (default)"
+ - "Networked, cloud-managed head-end"
+ - "Hybrid (on-premises controllers, cloud-hosted management)"
+ - "Standalone per door (small projects only)"
+default: "Networked, on-premises head-end (default)"
+```
+
+A networked, on-premises head-end is the default for projects of moderate or larger size, for facilities with confidentiality concerns about credential and audit data leaving the premises, and for facilities subject to regulatory or contractual data-residency requirements. Cloud-managed and hybrid architectures are appropriate where the Owner accepts the operational benefits (reduced server administration, automatic updates) in exchange for ongoing subscription cost and external data residency. Standalone, per-door, non-networked systems shall be used only on very small projects with a handful of openings and no requirement for centralized audit.
+
+```datasheet
+label: Controller Topology
+type: radio
+options:
+ - "Multi-door panel (4-, 8-, or 16-reader panels in centralized cabinets)"
+ - "Controller-per-door (edge controller adjacent to each opening)"
+ - "Hybrid (centralized panels for grouped doors, edge controllers where pathway is impractical)"
+default: "Multi-door panel (4-, 8-, or 16-reader panels in centralized cabinets)"
+```
+
+Centralized multi-door panels in a secure equipment closet are the default topology for typical commercial buildings because they consolidate power supplies, simplify battery backup, ease maintenance, and produce a cleaner cabling architecture. Controller-per-door edge devices are appropriate where opening density is low, where the cable run from a central panel is impractical, or where the Owner specifically prefers the topology for redundancy reasons.
+
+```datasheet
+label: Maximum Doors per Centralized Panel
+type: select
+options:
+ - "2-reader panel"
+ - "4-reader panel"
+ - "8-reader panel"
+ - "16-reader panel"
+default: "8-reader panel"
+```
+
+Panel sizing should leave spare capacity for at least 20 percent additional doors beyond initial installation, to accommodate future openings without panel replacement.
+
+The head-end server shall be located in [[drawing: as indicated on the head-end architecture drawing]]. Controllers shall be located in [[drawing: as indicated on the panel location plan]] in secure equipment closets or IT rooms with physical access restricted to authorized personnel.
+
+# Door Controllers
+
+Door controllers (panels) shall be UL 294 listed devices providing autonomous access decision capability, supervised reader and input/output circuits, encrypted communication to the head-end, and a local cache of the rule set sufficient to operate during head-end outage. Controllers shall communicate to the head-end over TCP/IP using TLS 1.2 or higher.
+
+```datasheet
+label: Controller-to-Head-End Communication
+type: radio
+options:
+ - "TCP/IP over Ethernet with TLS 1.2 or higher (default)"
+ - "TCP/IP over Ethernet with TLS 1.3"
+ - "Wireless (802.11) — only where wired pathway is impractical"
+default: "TCP/IP over Ethernet with TLS 1.2 or higher (default)"
+```
+
+Wireless controller-to-head-end communication shall not be used except where a wired pathway is genuinely impractical; wireless controllers introduce reliability and security complications that outweigh the installation savings in nearly all projects.
+
+```datasheet
+label: Reader-to-Controller Protocol
+type: radio
+options:
+ - "OSDP v2.2 with Secure Channel (default)"
+ - "OSDP v2.1 with Secure Channel (where v2.2 not available)"
+ - "Wiegand (legacy only — not for new installations)"
+default: "OSDP v2.2 with Secure Channel (default)"
+```
+
+OSDP v2.2 with Secure Channel shall be the default reader-to-controller protocol. OSDP supersedes Wiegand by providing bidirectional, supervised, encrypted communication; reader status, tamper indication, and firmware updates over the reader cable; and resistance to the credential-replay and signal-injection attacks that have been demonstrated against Wiegand. New installations shall not use Wiegand except where the Owner has a legacy reader infrastructure that cannot be replaced in the project scope.
+
+Each controller shall provide supervised inputs for door position switch, request-to-exit, and tamper, and supervised outputs for lock control. End-of-line resistors shall be installed per the manufacturer's instructions to enable line supervision; cut, shorted, or grounded reader and input wiring shall be detected and reported.
+
+```datasheet
+label: Input and Output Supervision
+type: radio
+options:
+ - "Required on all controller inputs and outputs (default)"
+ - "Required on inputs only"
+ - "Not required (only for non-critical, low-security openings)"
+default: "Required on all controller inputs and outputs (default)"
+```
+
+Controllers shall provide a tamper switch on the enclosure and shall report tamper conditions to the head-end. Tamper events shall be logged and shall generate an operator notification.
+
+# Credential Readers
+
+Readers shall be UL 294 listed and shall communicate to the controller using OSDP v2.2 with Secure Channel as specified above. Readers shall be selected for the credential technology specified below.
+
+```datasheet
+label: Reader Mounting
+type: radio
+options:
+ - "Surface mount on door frame mullion or adjacent wall"
+ - "Flush / mullion mount within frame profile"
+ - "Surface mount on pedestal (parking and exterior gate applications)"
+default: "Surface mount on door frame mullion or adjacent wall"
+```
+
+```datasheet
+label: Reader Form Factor
+type: select
+options:
+ - "Mullion (narrow profile for door frame mounting)"
+ - "Wall switch (single-gang) — interior typical"
+ - "Wall switch (mullion-width) — exterior typical"
+ - "Wall switch (keypad-equipped) — high-security or two-factor"
+default: "Mullion (narrow profile for door frame mounting)"
+```
+
+Reader height above finished floor shall comply with ADA and ICC A117.1 reach-range requirements. The reader's active read zone shall be located between 34 inches and 48 inches above finished floor for unobstructed forward reach, and the reader shall be positioned within the accessible side reach range where applicable.
+
+```datasheet
+label: Reader Height (Centerline Above Finished Floor)
+type: range
+unit: in
+options:
+ min: 34
+ max: 48
+ setpoints: [40, 42, 44, 48]
+default: 42
+```
+
+Readers at exterior openings shall be rated for direct exposure to weather, ultraviolet light, and condensation. Readers at openings subject to vehicle traffic, vandalism, or impact shall be protected by a guard, recessed in a wall, or selected with a vandal-resistant rating.
+
+```datasheet
+label: Two-Factor Authentication at High-Security Openings
+type: radio
+options:
+ - "Not required (single-factor card or mobile credential)"
+ - "Required at designated high-security openings (card + PIN)"
+ - "Required at all openings"
+default: "Not required (single-factor card or mobile credential)"
+```
+
+Two-factor authentication adds a PIN to the credential read for openings serving high-value or sensitive areas (data centers, pharmaceutical storage, executive areas, weapons storage). Two-factor authentication shall not be specified for general circulation openings because it impairs throughput and frustrates users without providing meaningful security benefit at low-risk openings.
+
+# Credentials
+
+```datasheet
+label: Primary Credential Technology
+type: radio
+options:
+ - "13.56 MHz smart card — MIFARE DESFire EV2/EV3 (default)"
+ - "13.56 MHz smart card — iCLASS SEOS"
+ - "Mobile credential — BLE and NFC"
+ - "Combined smart card and mobile credential"
+ - "125 kHz proximity (legacy — not for new installations)"
+default: "13.56 MHz smart card — MIFARE DESFire EV2/EV3 (default)"
+```
+
+The default credential shall be a 13.56 MHz smart card based on MIFARE DESFire EV2 or EV3 technology, with mutual authentication and AES-128 encryption between card and reader. 125 kHz proximity credentials (HID Prox and equivalents) shall not be used for new installations: the technology is trivially clonable, has no cryptographic protection, and is being phased out across the industry. Where the Owner has an existing 125 kHz population, the migration plan to a contemporary credential shall be documented in the closeout package.
+
+Mobile credentials over Bluetooth Low Energy and NFC shall be supported where the Owner intends to issue credentials to smartphones in addition to or in place of physical cards. Mobile credentials reduce credential reissue cost and accelerate enrollment and revocation, but require the Owner to operate a credential management process compatible with the user population's device ecosystem.
+
+```datasheet
+label: Federal Credential Interoperability (FIPS 201 / PIV)
+type: radio
+options:
+ - "Not required"
+ - "Required — PIV credentials honored at designated openings"
+ - "Required — PIV is the primary credential"
+default: "Not required"
+```
+
+Federal facilities and contractors handling federal information shall require FIPS 201 (PIV) credential interoperability per the applicable HSPD-12 mandate. Where PIV is required, readers and head-end shall support the PIV authentication mechanisms specified in NIST SP 800-116.
+
+```datasheet
+label: Initial Credential Quantity
+type: range
+unit: each
+options:
+ min: 50
+ max: 5000
+ setpoints: [100, 250, 500, 1000, 2500]
+default: 250
+```
+
+Credential quantity at substantial completion shall be sufficient to enroll the initial occupant population plus a 25 percent overage for new hires, visitors, and replacements during the first year of operation. The Owner shall provide the initial occupant population to the Contractor at submittal review.
+
+# Electrified Door Hardware
+
+The electrified locking device at each opening — electric strike, electromagnetic lock, electrified mortise lock, electrified cylindrical lock, or electric exit device — is procured and installed under [[sync/doors-frames-and-hardware]]. This section governs the access control system's interface to that hardware: the power supply, the lock control output from the controller, the supervision of the lock state, and the policy governing lock-type selection at each opening.
+
+```datasheet
+label: Default Electrified Locking Device Type
+type: select
+options:
+ - "Electric strike (fail-secure) on standard mechanical lock"
+ - "Electrified cylindrical or mortise lock (free-egress)"
+ - "Electric exit device (free-egress, exit-only or full-feature)"
+ - "Electromagnetic lock (avoid where possible — see policy below)"
+default: "Electrified cylindrical or mortise lock (free-egress)"
+```
+
+The default lock type shall be an electrified cylindrical or mortise lock that preserves free mechanical egress at all times by operating the lever from the egress side without electrical action. The lock secures the latch on the access side and releases the access-side lever or trim on a valid credential or REX signal; the egress-side lever always operates the latch mechanically.
+
+Electromagnetic locks (mag locks) shall be avoided where any other lock type is feasible. Mag locks are inherently fail-safe and require ancillary release devices (REX motion sensor, push-to-exit button, fire alarm release) to comply with NFPA 101 egress requirements at all times. Each ancillary device is a failure point and an enforcement point with the AHJ. Where the door, frame, or operational use case truly requires a mag lock — most commonly on glass-and-aluminum entrance doors with no available latch reinforcement, or on cross-corridor smoke doors — the installation shall comply with NFPA 101 7.2.1.6.2 (Access-Controlled Egress Doors), the AHJ shall accept the arrangement in advance, and the release scheme shall be documented in the sequence of operations.
+
+```datasheet
+label: Default Fail-Safe vs. Fail-Secure Policy
+type: radio
+options:
+ - "Fail-secure default (locked on power loss) for offices, suites, and tenant openings"
+ - "Fail-safe default (unlocked on power loss) for stairwell discharge and life-safety egress"
+ - "Per-door determination by code analysis"
+default: "Per-door determination by code analysis"
+```
+
+Fail-safe vs. fail-secure is determined per opening by the means-of-egress analysis. A stairwell discharge door that must release on a building power failure to permit exit shall be fail-safe; an office suite door that must remain secured on a power failure to protect the contents shall be fail-secure. The Engineer shall determine the policy for each opening; this standard does not establish a single default that overrides the code analysis.
+
+```datasheet
+label: Lock State Monitoring
+type: radio
+options:
+ - "Lock state monitored at controller via supervised contact (default)"
+ - "Door position only (lock state not directly monitored)"
+default: "Lock state monitored at controller via supervised contact (default)"
+```
+
+Lock state monitoring — a supervised contact on the lock confirming the lock is mechanically secured — shall be the default where the hardware supports it. Monitoring only door position (closed vs. open) does not detect a latch that has failed to engage or has been propped; lock state monitoring is the means by which the system detects a door that is closed but unlocked.
+
+# Request to Exit
+
+A request-to-exit (REX) device shall be provided at every controlled opening to indicate that an authorized egress is occurring and to suppress the door-forced-open alarm during egress. REX devices shall be supervised by the controller.
+
+```datasheet
+label: Primary REX Device
+type: radio
+options:
+ - "Passive infrared (PIR) motion sensor over the door (default)"
+ - "Integrated REX switch in the lock or exit device"
+ - "Wall-mounted push-to-exit button (mag lock applications only)"
+ - "Combination PIR + integrated lock REX (high-traffic openings)"
+default: "Passive infrared (PIR) motion sensor over the door (default)"
+```
+
+A PIR motion sensor mounted directly above the door on the egress side, aimed at the floor immediately inside the opening, is the default REX device because it triggers on actual egress traffic without requiring the user to take any action. Integrated lock REX (a switch in the exit device or lever) shall be used as a supplement where the hardware supports it; an integrated REX is a more deterministic indicator that the door is being operated for egress and complements the PIR.
+
+Push-to-exit buttons shall not be used as the primary REX on access-controlled egress doors with free-egress hardware because they require a deliberate user action that adds nothing to a door that is already mechanically free to open. Push-to-exit buttons are required as the legally compliant egress release for mag-lock openings per NFPA 101 7.2.1.6.2, where they shall be wall-mounted, clearly identified, located within 40 to 48 inches above finished floor, and wired so that operation releases the mag lock for a minimum of 30 seconds independent of the access control system.
+
+```datasheet
+label: REX Behavior at Door Position
+type: radio
+options:
+ - "REX suppresses forced-open alarm; lock remains under access control (free-egress hardware, default)"
+ - "REX releases lock; door physically unlocks on REX trigger (mag lock openings)"
+default: "REX suppresses forced-open alarm; lock remains under access control (free-egress hardware, default)"
+```
+
+For free-egress hardware (electrified mortise, cylindrical, or exit device), REX shall suppress the forced-open alarm but shall not unlock the door; the door is already mechanically free to open from the egress side and unlocking it electrically serves no purpose. For mag lock openings, REX or the push-to-exit button shall actually unlock the door because the mag lock has no mechanical bypass.
+
+# Door Position Switches
+
+A door position switch (DPS) shall be provided at every controlled opening to monitor whether the door is closed. DPS contacts shall be supervised by the controller, and the controller shall report and log forced-open, held-open, and propped-open conditions.
+
+```datasheet
+label: Door Position Switch Type
+type: radio
+options:
+ - "Concealed magnetic reed switch in door frame (default)"
+ - "Surface-mounted magnetic switch"
+ - "Door-mounted high-security balanced magnetic switch"
+default: "Concealed magnetic reed switch in door frame (default)"
+```
+
+A concealed magnetic reed switch installed in the head of the door frame with a matching magnet in the top edge of the door is the default for new construction. Surface-mounted switches shall be used only on retrofit projects where concealed installation is not practical. Balanced magnetic switches shall be specified at high-security openings where defeat by an external magnet must be prevented.
+
+```datasheet
+label: Door Held-Open Time
+type: range
+unit: seconds
+options:
+ min: 15
+ max: 120
+ setpoints: [30, 45, 60, 90]
+default: 45
+```
+
+The door held-open timer determines how long the door may remain open after a valid access before a held-open alarm is generated. The default of 45 seconds accommodates normal cart and accessibility usage; high-traffic openings or openings used for material movement may extend the timer with the Engineer's approval. The held-open alarm shall be local at the door (annunciator at the door if specified) and remote at the head-end.
+
+```datasheet
+label: Forced-Open Alarm Routing
+type: radio
+options:
+ - "Head-end notification only"
+ - "Head-end notification plus local annunciator at the door"
+ - "Head-end notification plus security monitoring service"
+default: "Head-end notification only"
+```
+
+# Power Supplies and Battery Backup
+
+Power supplies serving access control equipment shall be UL 294 listed for access control service and shall be sized for the connected load with at least 25 percent spare capacity for future additions. Power supplies shall provide regulated DC output, output supervision, AC fail and low-battery monitoring, and integral battery charging.
+
+```datasheet
+label: Lock Voltage
+type: radio
+options:
+ - "24 VDC (default for runs exceeding 50 ft and for higher-current locks)"
+ - "12 VDC (short runs and low-current locks only)"
+default: "24 VDC (default for runs exceeding 50 ft and for higher-current locks)"
+```
+
+24 VDC is the default lock voltage because the higher voltage reduces conductor sizing and tolerates longer runs without unacceptable voltage drop. 12 VDC may be used only for short runs and low-current devices where the voltage drop calculation confirms adequate voltage at the lock under worst-case current.
+
+```datasheet
+label: Reader and Controller Logic Voltage
+type: radio
+options:
+ - "12 VDC from controller-integrated supply (default)"
+ - "Power over Ethernet (PoE/PoE+) where reader and controller support it"
+ - "Separate 24 VDC supply for readers"
+default: "12 VDC from controller-integrated supply (default)"
+```
+
+Battery backup shall be provided at every power supply serving access control loads. Battery capacity shall be sized to provide a minimum of 4 hours of standby operation at the system's quiescent load. Where the access control system serves life-safety egress functions or is part of a security plan with regulatory standby requirements, the battery shall be sized for a longer duration as required by the applicable standard.
+
+```datasheet
+label: Battery Standby Duration
+type: range
+unit: hours
+options:
+ min: 4
+ max: 24
+ setpoints: [4, 8, 12, 24]
+default: 4
+```
+
+Battery calculations shall be performed for each power supply, documented in the submittals, and the calculations shall account for both quiescent and alarm-condition current draw, the temperature derate factor specified by the battery manufacturer, and a margin above the calculated requirement of at least 25 percent.
+
+Power supply locations shall be coordinated to keep the lock-cable run between supply and lock within the voltage-drop calculation tolerance. Power supplies shall be installed in lockable enclosures and shall be co-located with the door controller cabinet where practical.
+
+# Cabling
+
+All access control system cabling shall comply with NEC Article 725 (Class 2 circuits) for low-voltage portions and with NEC Article 800 and ANSI/TIA-568 for structured cabling portions. Plenum-rated cable shall be used in plenum spaces. Cable in concealed spaces, cable trays, and accessible ceilings shall be supported per NEC and per the cable manufacturer's instructions; cable shall not be supported by ceiling tile grid or other building systems not intended for cable support.
+
+```datasheet
+label: Controller-to-Head-End Cable
+type: select
+options:
+ - "Category 6 UTP, plenum-rated where applicable (default)"
+ - "Category 6A UTP, plenum-rated where applicable"
+ - "Multimode optical fiber for long runs or electrically noisy paths"
+default: "Category 6 UTP, plenum-rated where applicable (default)"
+```
+
+```datasheet
+label: Reader Cable (Controller to Reader)
+type: select
+options:
+ - "Composite 22 AWG/6-conductor shielded with 18 AWG/4-conductor (default for reader + lock + REX)"
+ - "22 AWG/6-conductor overall-shielded twisted pair (reader only; separate lock cable)"
+ - "Category 6 UTP for OSDP (where manufacturer supports it)"
+default: "Composite 22 AWG/6-conductor shielded with 18 AWG/4-conductor (default for reader + lock + REX)"
+```
+
+Composite access control cables that bundle reader, lock, REX, and DPS conductors in a single jacket are the default for door cabling because they install in one pull, reduce conduit fill, and simplify cabling. Where the lock current exceeds the rating of the composite cable's lock conductors, a separate lock cable shall be pulled and the reader cable shall carry only reader, REX, and DPS conductors.
+
+```datasheet
+label: Lock Cable (Power Supply to Lock)
+type: select
+options:
+ - "18 AWG/2-conductor (locks within voltage-drop tolerance at 24 VDC)"
+ - "16 AWG/2-conductor (longer runs or higher-current locks)"
+ - "14 AWG/2-conductor (long runs or magnetic locks)"
+default: "18 AWG/2-conductor (locks within voltage-drop tolerance at 24 VDC)"
+```
+
+```datasheet
+label: REX and DPS Cable
+type: radio
+options:
+ - "22 AWG/2-conductor shielded per device (default within composite)"
+ - "18 AWG/2-conductor shielded (long runs only)"
+default: "22 AWG/2-conductor shielded per device (default within composite)"
+```
+
+```datasheet
+label: Cable Pathways
+type: checkbox
+options:
+ - "Conduit (EMT) in unfinished spaces and where required by code"
+ - "Cable tray in accessible ceilings"
+ - "Bridle rings or J-hooks in accessible ceilings (per TIA-569)"
+ - "Plenum-rated cable in plenums per NEC Article 300"
+default: "Conduit (EMT) in unfinished spaces and where required by code"
+```
+
+Voltage drop on lock cables shall be calculated for the worst-case (longest, highest-current) opening on each power supply and the cable size shall be selected so that the lock voltage at the lock under fault-clearing or maximum-inrush current remains within the manufacturer's operating range. The voltage drop calculation shall be documented in the submittals.
+
+Cable separation from higher-voltage power circuits shall be maintained per NEC Article 725 and per the cable manufacturer's instructions. Where parallel routing is unavoidable, perpendicular crossings shall be used and the minimum separation shall be maintained per code.
+
+# Cybersecurity
+
+Access control systems are network-connected security systems that protect physical assets, and they shall be hardened against the categories of attack that have repeatedly compromised installed systems: default credentials, unencrypted reader-to-controller protocols, unpatched firmware, flat-network exposure, and weak credential technologies.
+
+```datasheet
+label: Network Segmentation
+type: radio
+options:
+ - "Dedicated VLAN, isolated from general user and IT networks (default)"
+ - "Dedicated physical network"
+ - "Shared network segment (not acceptable)"
+default: "Dedicated VLAN, isolated from general user and IT networks (default)"
+```
+
+Access control controllers, the head-end server, and any management workstations shall reside on a dedicated VLAN isolated from general user, guest, and untrusted networks. Firewall rules shall restrict the access control VLAN to the specific protocols and destinations required for operation and management. Remote access to the head-end, where permitted, shall be through an authenticated VPN or a managed gateway provided by the head-end manufacturer.
+
+```datasheet
+label: Default Credentials and Initial Hardening
+type: checkbox
+options:
+ - "All factory default passwords on controllers, readers, and head-end changed before commissioning"
+ - "Administrator accounts use unique passwords meeting Owner's password policy"
+ - "Service and maintenance accounts use distinct credentials from administrators"
+ - "Unused services and ports on controllers disabled"
+ - "Firmware updated to current vendor-supported version at substantial completion"
+default: "All factory default passwords on controllers, readers, and head-end changed before commissioning"
+```
+
+```datasheet
+label: Reader-to-Controller Encryption
+type: radio
+options:
+ - "OSDP Secure Channel enabled with site-specific keys (default)"
+ - "OSDP installation mode keys (not acceptable for production)"
+ - "Unencrypted Wiegand (not acceptable for new installations)"
+default: "OSDP Secure Channel enabled with site-specific keys (default)"
+```
+
+OSDP Secure Channel shall be enabled at commissioning using site-specific keys, not installation-mode default keys. The key management procedure shall be documented and the key custody record turned over to the Owner at substantial completion.
+
+```datasheet
+label: Audit Log Retention
+type: range
+unit: days
+options:
+ min: 90
+ max: 2555
+ setpoints: [90, 365, 730, 1825, 2555]
+default: 365
+```
+
+The head-end shall retain access and exception event logs for a minimum of 365 days; the Owner may extend retention per their security policy or regulatory obligation. Logs shall be exportable in a documented format for review and for archiving to long-term storage.
+
+# Fire Alarm Interface and Egress Release
+
+The access control system shall interface to the fire alarm system as required by NFPA 101 and the AHJ. The interface shall release locks that must be released on fire alarm and shall do so independently of the head-end and independently of the network.
+
+```datasheet
+label: Fire Alarm Release Interface
+type: radio
+options:
+ - "Hardwired dry contact from FACU to dedicated release relay at each lock requiring release (default)"
+ - "Dry contact from FACU to power supply for all locks on that supply"
+ - "Software interface from FACU to access control head-end (not acceptable as sole release path)"
+default: "Hardwired dry contact from FACU to dedicated release relay at each lock requiring release (default)"
+```
+
+Locks requiring release on fire alarm — most commonly electromagnetic locks and any electrified hardware on an opening covered by NFPA 101 7.2.1.6.1 (Access-Controlled Egress Doors) or 7.2.1.6.2 (Delayed Egress) — shall release via a hardwired dry contact from the fire alarm control unit (FACU). The dry contact shall interrupt the lock power circuit through a UL 294 listed release relay or directly at the power supply. The release shall not depend on the access control head-end, the network, or any software function.
+
+Electric strikes and free-egress electrified lever locks generally do not require release on fire alarm because they preserve mechanical egress at all times. Where a code analysis determines that a specific opening's electric strike or electrified lever lock must release on fire alarm, the release shall be implemented in the same hardwired manner as for mag locks.
+
+```datasheet
+label: Delayed-Egress Opening Configuration
+type: radio
+options:
+ - "Not used"
+ - "Used at designated openings per NFPA 101 7.2.1.6.1 with AHJ approval"
+default: "Not used"
+```
+
+Delayed-egress hardware (NFPA 101 7.2.1.6.1) shall not be used unless the building occupancy specifically permits it (typically prohibited in Assembly and Educational occupancies), the AHJ has approved the arrangement, and the required signage, audible alarm, and 15-second (or 30-second where authorized) release time are configured per code. Where delayed egress is used, the release on fire alarm shall be immediate and shall be hardwired from the FACU.
+
+The Contractor shall coordinate the fire alarm interface design with [[sync/fire-alarm-systems]] and shall confirm the release scheme with the AHJ before installation. Final acceptance of any opening with electrified locking hardware shall include a witnessed test of the fire alarm release.
+
+# Software (Head-End)
+
+The head-end software shall be a manufacturer-supported product currently sold and maintained, with documented update and patch cycles. The software shall provide user, credential, access privilege, time schedule, holiday schedule, door, area, and reader management; event logging and audit trail; reporting; system health monitoring and alarms; and an administrator interface with role-based access control over the administrator population.
+
+```datasheet
+label: Directory and SSO Integration
+type: radio
+options:
+ - "LDAP/Active Directory integration for administrator authentication (default for on-prem)"
+ - "SAML 2.0 or OIDC for administrator authentication (default for cloud)"
+ - "Local administrator accounts only (small projects)"
+default: "LDAP/Active Directory integration for administrator authentication (default for on-prem)"
+```
+
+Administrator and operator accounts shall be authenticated through the Owner's directory or identity provider where one exists, so that administrator account lifecycle (provisioning, password rotation, deprovisioning on departure) is managed centrally. Local-only administrator accounts shall be limited to a break-glass account for recovery from directory outage.
+
+```datasheet
+label: Software Deployment
+type: radio
+options:
+ - "On-premises server (Windows or Linux per manufacturer support)"
+ - "Vendor-hosted cloud (SaaS)"
+ - "Owner-hosted cloud (private cloud or Owner's IaaS)"
+default: "On-premises server (Windows or Linux per manufacturer support)"
+```
+
+```datasheet
+label: Backup and Recovery
+type: checkbox
+options:
+ - "Daily automated database backup"
+ - "Weekly off-site backup copy"
+ - "Documented recovery procedure tested at acceptance"
+ - "High-availability configuration with secondary head-end"
+default: "Daily automated database backup"
+```
+
+A documented backup procedure shall be in place before substantial completion. The recovery procedure shall be tested as part of acceptance: a restore from the latest backup to a separate environment shall be demonstrated to recover the full configuration, credential set, and audit log.
+
+# User Management and Audit
+
+The system shall maintain a credential record for every user that includes at minimum the user's identifier, the credential type and serial, the issue and expiration date, the access privilege set assigned, and the status (active, suspended, revoked). Credentials shall expire by default at a date set per the Owner's policy and shall require an affirmative renewal action.
+
+```datasheet
+label: Credential Expiration Default
+type: select
+options:
+ - "1 year"
+ - "2 years"
+ - "3 years"
+ - "5 years"
+ - "Indefinite (set per credential at issue)"
+default: "2 years"
+```
+
+Access privilege assignment shall be by role (door group + time schedule) rather than by direct enumeration of doors. A user assigned a role inherits the role's privileges, and a privilege change at the role propagates to every user with that role. Direct per-user, per-door privilege assignment shall be permitted only where the user's required access does not match any defined role and the exception is documented.
+
+```datasheet
+label: Time Schedules
+type: checkbox
+options:
+ - "Business hours (default)"
+ - "Extended hours (weekdays, longer)"
+ - "24/7"
+ - "Weekend / off-hours only"
+ - "Custom per role or per door"
+default: "Business hours (default)"
+```
+
+Holiday schedules shall be configured to override regular time schedules on dates designated by the Owner. The holiday list shall be reviewed and updated annually by the Owner; the Contractor shall provide the procedure at substantial completion.
+
+The audit log shall record every access attempt (granted and denied), every door state event (forced open, held open, restored), every administrator action (user added, privilege changed, credential issued or revoked, lockdown initiated), and every system event (controller online/offline, AC fail, low battery, tamper). Each log entry shall include the timestamp, the originating device or operator, and the affected user or door where applicable.
+
+# Testing and Commissioning
+
+Acceptance testing shall be performed by the Contractor, witnessed by the Engineer or the Owner's designated representative, and documented on the project test forms. Testing shall not begin until installation is complete and the system has operated under normal conditions for a burn-in period of not less than seven calendar days.
+
+```datasheet
+label: Acceptance Test Scope
+type: checkbox
+options:
+ - "Every controlled opening tested individually (default)"
+ - "Sampling acceptable (large projects, per Engineer)"
+default: "Every controlled opening tested individually (default)"
+```
+
+For each controlled opening, the acceptance test shall verify:
+
+- Valid credential read results in lock release, door opens freely, DPS reports open, REX (if motion-based) suppresses forced-open during egress, lock re-secures on door close
+- Invalid credential is denied and logged with the reason
+- Forced-open condition (door opened without valid credential or REX) generates an alarm at the head-end and logs the event
+- Held-open condition generates an alarm at the configured timer and logs the event
+- Tamper at the controller or reader is detected and logged
+- Loss of head-end connectivity at the controller does not interrupt access decisions for credentials in the controller cache
+- Fire alarm dry contact, when actuated, releases every lock required to release per the sequence of operations, within the time required by the AHJ
+- Battery backup at each power supply maintains the system for the specified standby duration during a simulated AC failure
+- OSDP Secure Channel is confirmed enabled on every reader and the installation-mode keys have been replaced
+
+```datasheet
+label: Burn-In Period Before Acceptance
+type: range
+unit: days
+options:
+ min: 3
+ max: 30
+ setpoints: [7, 14, 30]
+default: 7
+```
+
+Test failures shall be corrected and the affected items re-tested. The acceptance test report shall record the test method, the result, and the corrective action for any failed item. The Owner's representative shall sign the report at acceptance.
+
+# Installation
+
+## Coordination and Sequencing
+
+Access control rough-in shall be coordinated with [[sync/doors-frames-and-hardware]] so that frame preparations, hardware mortise cutouts, electric power transfer hinges or door loops, and lock body conduits are correctly sized and located before frames and doors are delivered to the site. Late discovery of a missed frame preparation typically requires field cutting that compromises the fire rating, the finish, or the structural integrity of the frame.
+
+Cable rough-in shall be completed before finished ceilings are installed and before walls are closed. Controller cabinet and power supply locations shall be confirmed against the head-end architecture drawing before equipment is mounted.
+
+## Mounting
+
+Readers shall be mounted plumb and square, at the height specified above, and secured to a backbox or to the frame with the manufacturer's hardware. Surface-mounted readers shall be installed with weatherstripping or a gasket at exterior openings to prevent water and pest intrusion.
+
+Controllers and power supplies shall be wall-mounted in lockable enclosures in secure equipment closets. Enclosure penetrations shall be made with listed cable connectors or grommets. Conduit stubs into controller enclosures shall be sealed.
+
+DPS magnets and contacts shall be aligned within the manufacturer's tolerance and shall be tested for actuation at the maximum gap before the frame is finished.
+
+## Terminations
+
+Terminations at controllers, readers, and power supplies shall be made by personnel trained in the manufacturer's wiring methods. Conductor jackets shall be stripped to the minimum length required and stranded conductors shall be terminated in approved ferrules or directly under screw terminals per the manufacturer's instructions; bare twisted strands shall not be terminated under screw terminals.
+
+Shields on reader cables shall be terminated at the controller end only, with the shield grounded at a single point per the manufacturer's instructions. Floating both ends or grounding both ends creates ground loops that introduce noise on the OSDP line.
+
+## Protection During Construction
+
+Equipment installed before the building is secure shall be protected against dust, water, and physical damage by other trades. Readers installed at exterior openings before the building envelope is closed shall be temporarily covered. Energization of locks and other electrified hardware shall not occur until acceptance testing is scheduled and the system is ready for commissioning.
+
+# Training
+
+The Contractor shall provide training to the Owner's designated administrators and operators before substantial completion. Training shall include:
+
+- Head-end operation: log in, navigate the user interface, monitor real-time events, respond to alarms
+- User and credential management: enroll a user, issue a credential, assign roles, modify access privileges, suspend and revoke a credential, issue and recover a lost credential
+- Reporting: generate and export audit reports, query events by user, door, time range, and event type
+- Time schedule and holiday management
+- Lockdown and emergency procedures: initiate a building lockdown, release a lockdown, override an individual door
+- Routine system health checks: review system status, check controller and reader online state, review power supply and battery status, review pending firmware updates
+- Backup and recovery: confirm a backup ran, perform a restore drill
+
+```datasheet
+label: Training Hours
+type: range
+unit: hours
+options:
+ min: 4
+ max: 40
+ setpoints: [4, 8, 16, 24, 40]
+default: 8
+```
+
+Training shall be delivered on the installed system, not on a generic demonstration platform, so that the Owner's personnel are trained on the actual configuration, naming conventions, and door schedule of the project. Training materials shall be left with the Owner.
+
+# Delivery, Storage, and Handling
+
+Access control equipment shall be delivered in the manufacturer's original packaging with listing marks and serial numbers intact. Equipment shall be stored indoors in a clean, dry, conditioned space until installation. Credentials shall be stored in a locked container with controlled access; the credential inventory log shall be maintained from receipt through issuance.
+
+Batteries shall be stored at the manufacturer's recommended temperature and shall not be installed in equipment until commissioning is imminent. Batteries shall not be allowed to discharge below the manufacturer's storage voltage during construction.
+
+# Warranty
+
+The Contractor shall warrant the system installation, including all wiring, terminations, programming, and integration, for a minimum of 1 year from substantial completion. Manufacturer warranties on individual products (controllers, readers, power supplies, batteries) shall be passed through to the Owner.
+
+```datasheet
+label: Installation Warranty Period
+type: select
+options:
+ - "1 year from substantial completion"
+ - "2 years from substantial completion"
+ - "3 years from substantial completion"
+default: "1 year from substantial completion"
+```
+
+```datasheet
+label: Software Support and Maintenance Agreement
+type: radio
+options:
+ - "Manufacturer software maintenance for 1 year (default; includes firmware updates and security patches)"
+ - "Manufacturer software maintenance for 3 years"
+ - "Owner self-maintains after substantial completion (perpetual license only)"
+default: "Manufacturer software maintenance for 1 year (default; includes firmware updates and security patches)"
+```
+
+The software maintenance term shall include firmware updates for controllers and readers, security patches for the head-end, and access to technical support. Lapsed maintenance has been the cause of unresolved vulnerabilities on installed systems; the Owner shall be advised at turnover of the renewal schedule.
+
+# Spare Parts
+
+The Contractor shall deliver to the Owner at substantial completion the spare parts inventory below. Spare parts shall be of the same manufacturer and model as the installed equipment and shall be packaged and labeled for storage.
+
+```datasheet
+label: Spare Parts Inventory
+type: checkbox
+options:
+ - "One reader per installed reader model (minimum one)"
+ - "One door position switch (concealed and surface, as installed)"
+ - "One REX device per installed type"
+ - "One power supply per installed model"
+ - "One battery per installed power supply"
+ - "10 percent overage on credentials (minimum 25)"
+ - "One controller per installed model (large projects)"
+default: "One reader per installed reader model (minimum one)"
+```
+
+Spare parts shall be stored by the Owner in the equipment room or designated storage area with the system documentation. The spare parts list shall be included in the closeout package.

View current revision