High availability, accuracy and reliability have to be key factors when developing safety and security systems for utilities and energy providers
All operators of critical infrastructures such as power plants or utilities know that they need to secure their premises against fire, intrusion, vandalism, terrorist attacks and similar threats. Alongside a comprehensive security concept, technical systems play a fundamental role in guaranteeing this security. But given the critical nature of their businesses, such operators need to do more than others to make sure that these technical systems are available and functional at all times.
Operators of critical facilities like power plants, wastewater plants or even major internet exchange points have always faced the dilemma of choosing the right technique and solution in terms of coverage, flexibility to change, system scalability, usability and operational security. In addition, they have much higher requirements than most other operators when it comes to the availability of their security systems. In such critical environments, even short-term outages can have severe consequences: a fire or a bomb can have a devastating effect in seconds, and an intruder does not need much time to gain access once access control or video surveillance have failed, possibly even through deliberate manipulation.
Today, designers of complex and highly available security solutions usually have no choice but to turn to the TCP/IP protocol as the underlying technology. Although this protocol, which is the foundation of the internet and also widely used in corporate data networks, was originally designed as a best-effort mechanism without any guaranteed quality of service, decades of development have turned it into a solid technology even for the highest availability requirements, such as telephone networks, medical equipment and security systems.
This is why even the markets for fire detection and intrusion systems, which have traditionally been driven by EN54 and UL regulations and are based on field buses running proprietary protocols like the Local Security Network introduced by Bosch in the 1980s, are increasingly turning to IP. Large intrusion applications, for example, can be set up by connecting the individual intrusion panels and the management system via an IP backbone, while an open intrusion interface module using IP enables the operator to control the system remotely and to operate it via apps.
Today, IP also plays an important role in connecting fire detection and evacuation systems, which is crucial in an emergency. In the past this was realised via relays, a rather unsafe connection because the status of the connection is not monitored, which can easily lead to failures.
In general, such failure is inherent to technology: technical systems do fail. But given the very critical nature of public as well as private sector utilities and energy providers, such failure is simply not an option. Downtimes of the safety and security systems have to be avoided at almost any cost, and no alarm condition must be missed. On the other hand, false alarms are not only annoying but often very costly, as you may have to evacuate buildings, alert security personnel and perhaps even temporarily shut down production. So high availability, accuracy and reliability have to be key factors when developing safety and security systems for utilities and energy providers.
While accuracy is primarily a function of the individual components such as sensors or cameras, availability is mainly defined by the solution architecture. The more redundancy is designed into the solution, the higher its availability will be. Reliability, finally, depends very much on the vendor's manufacturing processes and quality control, but is also influenced by the design of individual components.
Redundancy is key
So when talking about redundancy, the discussion covers all the different levels of the security solution: the sensor, the system, and the network and infrastructure. One of the nice things about the IP protocol is that it is a proven technology for redundant infrastructures, and in very critical environments it is highly advisable to use a redundant IP backbone to network all the different systems and to connect them to the central servers running the management system. Building such an infrastructure is usually well understood by the IT department, as they may use similar designs for critical IT applications anyway. So this is not something the security manager will need to design, but this kind of redundancy should certainly be on his mind. In a redundant network architecture, a failed switch or router will automatically be bypassed, and all traffic, or at least the prioritised traffic, will still reach its destination. This way you can make sure that an alarm does not get lost on its way from the fire panel to the operator console.
The availability of the network infrastructure can also be improved by implementing so-called virtual LANs (VLANs) for security applications and prioritising this traffic, enabling fast delivery even in a network operating at capacity. VLANs also improve security, as they make it harder for unauthorized persons to sniff and possibly even manipulate the traffic of the safety and security applications. In some environments it may even be advisable to use entirely separate IP networks for IT and security applications. This of course forfeits one of the major advantages of using IP for security systems, but it ensures that the performance of the security applications cannot be degraded by other systems generating traffic bursts on a shared network.
Secure the servers
What is true for the IP backbone is also true for the servers running the management system and other critical security applications. At the very least, critical components of these servers such as hard disk, power supply and network interface should be redundant, allowing the server to continue working until a failed component can be replaced. If these components are hot-swappable, such a replacement can be carried out during operation, avoiding any downtime. An uninterruptible power supply (UPS) is a must for such critical servers to protect them against power outages.
In very critical environments, the servers should be replicated to an offsite datacenter with a failover option. In such a configuration a secondary server at the offsite datacenter can take over the entire workload within seconds should the production server fail for any reason. This also protects the security systems in case of a natural or man-made disaster such as flooding or bombing.
Redundancy on the local level
Building redundancy into the servers and the network architecture will guarantee that the security applications receive any alarm issued by the local controllers which manage the detectors, be they fire detectors, card readers or intrusion detectors. However, high availability of the entire solution also mandates redundancy within the individual alarm systems. Here, a redundant IP architecture is usually not the solution, as, mainly for cost reasons, only very few sensors and detectors support IP. Instead, double-ring topologies using other technologies such as the Bosch Local Security Network (LSN) are used to connect the detectors with each other and with the local controller. Should one ring break, detector messages can still travel on the other ring to reach their destination. To further increase the reliability and availability of the transmission paths in LSN environments, Bosch has also developed a family of active end-of-line (EOL) modules. They act as line terminators that continuously test 2- and 4-wire transmission paths for creeping opens and shorts according to the procedures and acceptance criteria laid out in the standard EN 54-13.
Bosch Starlight cameras deliver high performance in extreme low-light conditions
EN54 also mandates that a fire system feature a single-redundancy concept when multiple fire panels are connected in larger installations: if the connection between two fire panels is broken, communication between the panels must still be kept alive. If, however, the network fails on both sides of a panel, that panel is isolated from the remaining system. Fire alarms can then be displayed on that panel only and are not relayed to the rest of the system. Here, an additional IP network connection can serve as a backup for the CAN network usually used to connect fire panels. This technique provides an extremely high level of operational security and significantly increases the functional stability and reliability of the system.
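The three topology arguments above (a redundant IP backbone between panel and server, a detector ring instead of a stub line, and an IP backup path for a CAN panel ring) can all be checked with the same question: which single component failure cuts an alarm source off from its destination, and how many simultaneous link failures does the topology absorb? The following is an added example, not code from the article or from Bosch; it models each topology as an undirected graph, and all node names and link lists are constructed for illustration.

```python
"""Single-point-of-failure check for small safety-system topologies.

Added example, not code from the article or from Bosch: the IP backbone, a
detector loop and a panel network are modelled as undirected graphs, and for
each we ask which single node failure would cut an alarm source off from its
destination and how many simultaneous link failures the topology absorbs.
All node names and topologies below are constructed for illustration.
"""
from itertools import combinations


def build(links):
    """Adjacency sets from a list of undirected (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def _reachable(adj, src, dst, dead_nodes=frozenset(), dead_links=frozenset()):
    """Depth-first search from src to dst, skipping failed nodes and links."""
    if src in dead_nodes or dst in dead_nodes:
        return False
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt in seen or nxt in dead_nodes:
                continue
            if frozenset((node, nxt)) in dead_links:
                continue
            seen.add(nxt)
            stack.append(nxt)
    return False


def node_spofs(adj, src, dst):
    """Nodes (other than src and dst) whose single failure disconnects them."""
    return sorted(n for n in adj if n not in (src, dst)
                  and not _reachable(adj, src, dst, dead_nodes={n}))


def link_failure_tolerance(adj, src, dst, max_k=3):
    """Largest k such that every combination of k link failures still leaves a
    path from src to dst; -1 if they are disconnected to begin with."""
    if not _reachable(adj, src, dst):
        return -1
    links = {frozenset((a, b)) for a in adj for b in adj[a]}
    tolerance = 0
    for k in range(1, min(max_k, len(links)) + 1):
        if all(_reachable(adj, src, dst, dead_links=frozenset(dead))
               for dead in combinations(links, k)):
            tolerance = k
        else:
            break
    return tolerance


# Constructed topologies.
# Fire panel to operator console over one switch and one server, or over a
# redundant switch pair and the same single server.
SINGLE_BACKBONE = build([("panel", "sw1"), ("sw1", "server"), ("server", "console")])
REDUNDANT_BACKBONE = build([("panel", "sw1"), ("panel", "sw2"), ("sw1", "sw2"),
                            ("sw1", "server"), ("sw2", "server"), ("server", "console")])
# Detectors on a stub line versus on a ring back to the local controller.
STUB_LINE = build([("ctrl", "d1"), ("d1", "d2"), ("d2", "d3")])
RING = build([("ctrl", "d1"), ("d1", "d2"), ("d2", "d3"), ("d3", "ctrl")])
# Fire panels on a CAN ring, with and without an IP switch as a backup path.
CAN_LINKS = [("p1", "p2"), ("p2", "p3"), ("p3", "p4"), ("p4", "p1")]
CAN_RING = build(CAN_LINKS)
CAN_RING_IP_BACKUP = build(CAN_LINKS + [(p, "ip_sw") for p in ("p1", "p2", "p3", "p4")])

if __name__ == "__main__":
    for name, adj, src, dst in [
        ("single backbone", SINGLE_BACKBONE, "panel", "console"),
        ("redundant backbone", REDUNDANT_BACKBONE, "panel", "console"),
        ("stub line", STUB_LINE, "d3", "ctrl"),
        ("ring", RING, "d3", "ctrl"),
        ("CAN ring", CAN_RING, "p1", "p3"),
        ("CAN ring + IP backup", CAN_RING_IP_BACKUP, "p1", "p3"),
    ]:
        print(f"{name:22} SPOF nodes={node_spofs(adj, src, dst)} "
              f"link failures tolerated={link_failure_tolerance(adj, src, dst)}")
```

The redundant backbone has no switch as a single point of failure and survives any one link failure between panel and server, yet the path to the console still shows the server as the remaining single point of failure, which is exactly why server redundancy has to follow network redundancy. The CAN ring alone tolerates one cut; adding the IP switch as a second path raises that to two, so a panel whose CAN links fail on both sides is no longer isolated.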
However, reliably detecting fire starts with the detector itself. Here too, redundancy helps to detect fire and greatly increases accuracy. For example, dual optics can be used to better distinguish smoke particles from other particles such as dust, water vapour or cigarette smoke, thus greatly reducing false alarm rates. A combination of optical, thermal and chemical sensors with intelligent evaluation electronics is another way to achieve the same goal. The latest developments even take electromagnetic radiation into account, which increasingly triggers false alarms in some environments. Some of the latest detectors constantly measure the electromagnetic exposure of each detector and calculate mid- and long-term averages. These are used to predict that a threshold value will be exceeded even before a false alarm can occur.
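One way to turn a mid-term and a long-term average into such a prediction, as an added example that is not the detector firmware described above and not Bosch code: the mid-term average is extrapolated linearly, and when it would reach the threshold within a chosen horizon while sitting above the long-term baseline, a maintenance pre-warning is raised before the reading itself gets there. Threshold, smoothing factors, horizon and the sample series are constructed values.

```python
"""Trend-based pre-warning from a detector's electromagnetic exposure readings.

Added example, not the detector firmware described in the article: keeps a
mid-term and a long-term exponential moving average of an exposure reading
and raises a pre-warning when the mid-term trend, extrapolated linearly, would
cross the threshold within the horizon. All constants are constructed.
"""


class ExposureTrend:
    def __init__(self, threshold, horizon, mid_alpha=0.2, long_alpha=0.02):
        self.threshold = threshold      # level at which false alarms become likely
        self.horizon = horizon          # pre-warn if reached within this many samples
        self.mid_alpha = mid_alpha      # fast EMA: reacts within a few samples
        self.long_alpha = long_alpha    # slow EMA: the site's normal background
        self.mid = self.long = self.prev_mid = None

    def update(self, sample):
        """Feed one reading and return True if a pre-warning is due."""
        sample = float(sample)
        if self.mid is None:            # first reading seeds both averages
            self.mid = self.long = self.prev_mid = sample
            return False
        self.prev_mid = self.mid
        self.mid += self.mid_alpha * (sample - self.mid)
        self.long += self.long_alpha * (sample - self.long)
        return self.prewarning()

    def samples_to_threshold(self):
        """Linear extrapolation of the mid-term average: samples until it reaches
        the threshold, 0.0 if already there, None if it is not rising."""
        if self.mid >= self.threshold:
            return 0.0
        slope = self.mid - self.prev_mid
        if slope <= 0:
            return None
        return (self.threshold - self.mid) / slope

    def prewarning(self):
        """Rising above the long-term baseline and due to cross within the horizon."""
        eta = self.samples_to_threshold()
        return eta is not None and eta <= self.horizon and self.mid > self.long


def run(samples, threshold=100.0, horizon=10):
    """Return the index of the first pre-warning and of the first raw reading
    at or above the threshold (None where it never happens)."""
    trend = ExposureTrend(threshold, horizon)
    first_warn = first_exceed = None
    for i, s in enumerate(samples):
        if trend.update(s) and first_warn is None:
            first_warn = i
        if s >= threshold and first_exceed is None:
            first_exceed = i
    return {"first_prewarning": first_warn, "first_raw_exceed": first_exceed}


# Constructed series: stable background, then a steady rise (a new transmitter
# switched on nearby, say) that eventually crosses the threshold.
BACKGROUND = [50.0] * 20
RAMP = [50.0 + 4.0 * i for i in range(1, 16)]        # 54 .. 110

if __name__ == "__main__":
    print(run(BACKGROUND + RAMP))   # pre-warning arrives several samples early
    print(run(BACKGROUND))          # flat background: no pre-warning
```

On the constructed ramp the pre-warning fires five samples before the raw reading reaches the threshold, giving time to investigate the source or re-site the detector, while a flat background never triggers it.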
Redundancy can also be achieved by using layered approaches in solution design. For example, the architecture of Bosch access control solutions is based on four such layers. The lowest level is the reader itself. The second level is the AMC (Access Modular Controller). An AMC controls four readers and communicates with, and constantly synchronises its data with, the third level, the MAC (Main Access Controller), which can handle up to 200 AMCs. The AMC supports up to 200,000 card holders and can store up to 20 million events. It has an internal battery buffer to keep the system alive for days in case of a power outage or a broken communication link to the MAC level. In this case, data are stored locally and synchronised with the respective MAC once the network connection is re-established. Even if the fourth level, the DMS (Data Management Server), fails, the necessary access control functions can still be served.
Such a layered approach can also be used in video surveillance. As an example, the Bosch Video Management System (BVMS) features an architecture designed for embedded resilience. It enables the system to stay up and running even when the management server or the recording server (VRM) fails, because the operator client runs independently of the management server and streams directly from the cameras to the storage. The cameras have on-edge recording intelligence that ensures continuous recording even when the VRM server fails. This provides an additional security layer without costly additional investment in server redundancy or redundant recording. Further, with BVMS the recording is automatically buffered in the cameras in the event of a network failure, and the recordings are transferred to the central storage once the network is back.
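Both of the preceding paragraphs describe the same store-and-forward pattern: the lower layer keeps working from local data while the link is down, buffers what happened, and synchronises once the link returns. The following is an added example, not code from the article or from Bosch, showing the two properties that make such a sync safe: local decisions from a cached card-holder list, and in-order replay with sequence numbers so a retry after a lost acknowledgement never records an event twice. The class names, event format and card identifiers are constructed for illustration.

```python
"""Store-and-forward between a local controller and its upstream controller.

Added example, not code from the article or from Bosch: the local controller
keeps authorising doors from its own cached card-holder list while the uplink
is down, buffers every event with a sequence number, and replays the buffer
in order once the link returns. The upstream side acknowledges the highest
sequence number applied and ignores anything it has already seen.
"""
from dataclasses import dataclass, field


@dataclass
class UpstreamController:
    """Stands in for the higher layer (the article's MAC, or central storage)."""
    online: bool = True
    events: list = field(default_factory=list)          # (ctrl_id, seq, event)
    last_seq: dict = field(default_factory=dict)        # ctrl_id -> highest seq applied

    def ingest(self, ctrl_id, batch):
        """Apply an in-order batch of (seq, event); return the highest seq applied."""
        if not self.online:
            raise ConnectionError("uplink down")
        acked = self.last_seq.get(ctrl_id, 0)
        for seq, event in batch:
            if seq <= acked:            # duplicate from a replay: already applied
                continue
            if seq != acked + 1:        # gap: stop, sender must resend from acked + 1
                break
            self.events.append((ctrl_id, seq, event))
            acked = seq
        self.last_seq[ctrl_id] = acked
        return acked


@dataclass
class LocalController:
    """Stands in for the article's AMC: decides locally, syncs when it can."""
    ctrl_id: str
    upstream: UpstreamController
    cached_cards: set                                   # synchronised while online
    buffer: list = field(default_factory=list)          # unacknowledged (seq, event)
    next_seq: int = 1

    def access_request(self, card, door):
        """Authorise from the local cache, record the decision, try to sync."""
        granted = card in self.cached_cards
        self.buffer.append((self.next_seq, {"card": card, "door": door, "granted": granted}))
        self.next_seq += 1
        self.try_sync()
        return granted

    def try_sync(self):
        """Push all unacknowledged events; return how many were acknowledged."""
        if not self.buffer:
            return 0
        try:
            acked = self.upstream.ingest(self.ctrl_id, list(self.buffer))
        except ConnectionError:
            return 0                                    # keep buffering, retry later
        before = len(self.buffer)
        self.buffer = [(s, e) for s, e in self.buffer if s > acked]
        return before - len(self.buffer)


def outage_scenario():
    """Uplink fails between requests; events are buffered, replayed, deduplicated."""
    mac = UpstreamController()
    amc = LocalController("amc-01", mac, cached_cards={"card-A", "card-B"})
    amc.access_request("card-A", "door-1")              # online: delivered immediately
    mac.online = False                                  # uplink fails
    amc.access_request("card-B", "door-2")              # granted from the local cache
    amc.access_request("card-Z", "door-2")              # unknown card: denied locally
    buffered = len(amc.buffer)
    mac.online = True                                   # link restored
    flushed = amc.try_sync()
    # A stale replay of an already-acknowledged event changes nothing upstream.
    ack_after_replay = mac.ingest("amc-01", [(2, {"stale": True})])
    return {
        "buffered_during_outage": buffered,
        "flushed_on_reconnect": flushed,
        "upstream_events": len(mac.events),
        "ack_after_replay": ack_after_replay,
        "decisions": [e["granted"] for _, _, e in mac.events],
    }


if __name__ == "__main__":
    print(outage_scenario())
```

The upstream side refusing a gap rather than applying out-of-order events is what keeps the central event log trustworthy for later investigation: the local controller simply resends from the last acknowledged sequence number, and the audit trail stays complete and in order.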
Another way to introduce redundancy is to combine different safety and security systems to verify or falsify alarms. For example, video cameras can be used at doors, gates and other entrance points to verify access requests and alarms. In the same way, video can be used to search for smoke and its source in case of a fire alarm, or to close in on an intruder reported by the intrusion detection system.
Beyond redundancy
Redundancy is probably the most promising way to achieve higher availability and reliability, but there are a few other aspects to consider. Think of a fully operational network that carries all the video images and reliably stores them on your central or distributed servers. But what good is this if the camera does not deliver acceptable quality, which can easily be the case under low-light conditions? In such a situation all the technical systems work fine, but video surveillance is nevertheless unavailable.
With the development of its Starlight technology, Bosch Security Systems has addressed this problem and designed a family of cameras specifically for high performance in extreme low-light conditions. They represent a breakthrough in light sensitivity: showing colour images where others can show only monochrome, and transmitting monochrome video when others show no image at all. With their high sensitivity in both colour (0.017 lux) and monochrome (0.0057 lux) modes, the HD cameras work with minimal ambient light, delivering clear images in a multitude of applications, even where poor lighting is the principal challenge. Such applications include perimeter surveillance without additional illumination as well as monitoring of remote facilities like pump stations, wind generators or solar panels, which are usually located in the middle of nowhere and without any light. To overcome challenging lighting conditions, Content-Based Imaging Technology (CBIT) uses Bosch's Intelligent Video Analysis (IVA) to enhance image quality. CBIT automatically detects important objects, such as faces, people and vehicles, and dynamically re-tunes the imaging settings to ensure the most useful, highly detailed video of objects of interest is captured. In addition, intelligent Auto Exposure (iAE) improves the contrast of important objects in the scene in both bright and dark areas.
Intelligent Dynamic Noise Reduction (iDNR) actively analyses the contents of a scene to reduce bandwidth and storage requirements. As a result, the 720p Starlight cameras require up to 30 percent less bandwidth than other 720p and SD cameras, while still retaining high image quality and smooth motion. Compression parameters for up to eight user-definable regions can also be set. This allows uninteresting regions to be highly compressed while important areas are tuned for the best image quality, letting customers allocate bandwidth to the important parts of the scene.
All is one and one is all
As we have seen, there are different ways to guarantee the availability of safety and security systems in critical environments, redundancy being the main contributor. But there is another factor to consider when designing such systems which greatly enhances both security and efficiency: integrating all security systems into an overarching management system significantly increases the level of security in critical facilities. It opens the possibility of automatically correlating alarms and other information from the individual subsystems, so that, if required, targeted measures can be taken very quickly in response to dangerous situations or incidents. Additionally, central management is primarily responsible for ensuring that such a complex installation can be operated both efficiently and economically. After all, on a daily basis thousands of notifications and alarms from all security areas and technical facilities need to be managed and coordinated.
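The cross-system verification described earlier (video confirming a fire or intrusion alarm) and the automatic correlation a central management layer performs come down to one piece of logic: match an alarm against events from other subsystems in the same zone within a time window. The following is an added example, not code from the article or from Bosch, run over a constructed sample log; the log format, zone names and the corroboration policy are assumptions made for illustration. A corroborated alarm is escalated as verified; an uncorroborated one stays unverified for operator review rather than triggering a full response.

```python
"""Cross-system alarm verification in a central management layer.

Added example, not code from the article or from Bosch: alarms from the fire
and intrusion subsystems are correlated by zone and time window with events
from the video analytics and access control subsystems. The log format, zone
names and corroboration policy are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)

# Constructed policy: which event types count as corroboration for which alarm.
CORROBORATES = {
    "fire": {"video:smoke"},
    "intrusion": {"video:person", "access:forced_door"},
}

# Constructed sample log: "<ISO timestamp> <subsystem> <zone> <detail>"
SAMPLE_LOG = [
    "2024-05-01T02:13:07 fire ZONE-B detector_17",
    "2024-05-01T02:13:31 video ZONE-B smoke",
    "2024-05-01T02:14:02 intrusion ZONE-F fence_segment_3",
    "2024-05-01T02:20:45 intrusion ZONE-A door_contact",
    "2024-05-01T02:20:50 access ZONE-A forced_door",
    "2024-05-01T02:21:10 video ZONE-A person",
    "2024-05-01T02:40:00 video ZONE-F smoke",   # wrong type for intrusion, and far outside the window
]


def parse(line):
    """Split one log line into its timestamp, subsystem, zone and detail."""
    ts, system, zone, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "zone": zone, "detail": detail}


def correlate(lines, window=WINDOW):
    """Return one verdict per alarm-raising event, in time order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    by_zone = defaultdict(list)
    for e in events:
        by_zone[e["zone"]].append(e)
    verdicts = []
    for e in events:
        wanted = CORROBORATES.get(e["system"])
        if wanted is None:
            continue                      # supporting evidence, not an alarm source
        evidence = [f'{s["system"]}:{s["detail"]}' for s in by_zone[e["zone"]]
                    if s is not e
                    and f'{s["system"]}:{s["detail"]}' in wanted
                    and abs(s["ts"] - e["ts"]) <= window]
        verdicts.append({
            "alarm": f'{e["system"]}@{e["zone"]}',
            "source": e["detail"],
            "status": "verified" if evidence else "unverified",
            "evidence": evidence,
        })
    return verdicts


if __name__ == "__main__":
    for v in correlate(SAMPLE_LOG):
        print(v)
```

Matching on zone as well as time is what keeps the correlation honest: a smoke event from a camera in another zone must not verify a fire alarm just because it arrived at the same minute. The window length is a tuning decision per site, traded off between catching slow-developing evidence and holding an unverified alarm too long.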