
Physical Access Control System A&E Spec




Architecture and Engineering Specifications

Physical Access Control System
























BluBØX, Inc.
9 Bartlett Street, Suite 334
Andover, MA 01810
Phone:  (844) 425-8209

© 2017 BluBØX, Inc.  All rights reserved


Product Support

The first lines of support for BluBØX products are the third-party installing/servicing dealer and the online BluBØX Knowledge Base.  Please check the Knowledge Base and/or contact the dealer with any questions or support requests, prior to contacting BluBØX.


This Architectural and Engineering Specifications document utilizes MasterFormat™ April 2016 Edition and SectionFormat™ / PageFormat™ December 2009 Edition standards by the Construction Specifications Institute (CSI). 

This document specifies the architectural/engineering and bid criteria for a Physical Access Control System (PACS) with a cloud-based Hosted Security Management System (HSMS) software that controls and monitors networked intelligent system controllers, card readers and personal identification devices, portal control devices, input/output interface hardware and power supplies.

Notes to Specifier

1.  Where several alternative parameters or specifications exist, or where the Specifier has the option of inserting text, such choices are presented in <bold red text>.

2.  Explanatory notes and comments are presented in red text.  

3.  Delete any item or paragraph that is not applicable to this project, and renumber the paragraphs.  Insert additional provisions as required for this project.

Document Disclaimer and Restrictions

Information in this document was current as of the time of publication, and subject to change without notice, Inc.  For the most up-to-date information, visit www.BluBØ





Section  28 10 00






  1. 1.01.   SUMMARY
    1. Section Includes
      1. Physical Access Control System (PACS) consisting of a cloud-hosted security management system connected by a high-speed electronic data transmission network to field-installed controllers and devices providing security functionality and regulating access through facility portals
    2. Related Requirements
      1. Section 28 14 00 Access Control Hardware
        [SPECIFIER NOTE:  This is a required BluBØX A&E specifications document for related access control hardware requirements.]
      2. Section 28 15 19 Access Control Remote Devices
        [SPECIFIER NOTE:  This is a required BluBØX A&E specifications document for related access control hardware requirements]
      3. Section 28 17 00 – Visitor, Contractor & Vendor Management System
        [SPECIFIER NOTE:  This is a BluBØX A&E specifications document. Delete only if not relevant to the Project.]
    3. Related Sections
      1. Section 08 00 00 Openings (Division 08)
        1. 08 10 10 Doors and Frames
        2. 08 30 00 Specialty Doors and Frames
          1. 08 31 13 Access Doors and Frames
            1. 08 31 13.53 Security Access Doors and Frames
        3. 08 40 00 Entrances, Storefronts, and Curtain Walls
          1. 08 42 00 Entrances
        4. 08 74 00 – Access Control Door Hardware.
      2. Section 27 00 00 Communications (Division 27)
        1. 27 05 28 – Pathways for Communication Systems
        2. 27 10 00 – Structured Cabling
        3. 27 15 00 – Communications Horizontal Cabling
        4. 27 20 00 Data Communications
          1. 27 21 00 Data Communications Network Equipment
          2. 27 22 00 Data Communications Hardware
          3. 27 24 00 Peripheral Data Communications Equipment
      3. Section 28 16 00 – Access Control Interfaces
        1. [SPECIFIER NOTE:  For interfaces to other systems that are included in the Project but are documented separately.]
        2. 28 19 15 Access Control Interfaces to Perimeter Security Systems
        3. 28 16 29 Access Control Interfaces to Parking Equipment
        4. 28 16 25 Access Control Interfaces to Electronic Key Management System
        5. 28 16 23 Access Control Interfaces to Electrical Systems
        6. 28 16 17 Access Control Interfaces to Fire Alarm
        7. Section 28 20 00 – Video Surveillance
  2. 1.03.   REFERENCES
    1. Abbreviations And Acronyms
      1. AES:  Advanced Encryption Standard
      2. ANSI:  American National Standards Institute
      3. API:  Application Programming Interface
      4. AWG:  American Wire Gauge
      5. HSMS:  Hosted Security Management System
      6. IEC:  International Electrotechnical Commission
      7. IEEE:  Institute of Electrical & Electronics Engineers
      8. IP:  Internet Protocol
      9. ITU:  International Telegraph Union
      10. NOC: Network Operations Center.
      11. PACS:  Physical Access Control System
      12. PII:  Personally Identifiable Information
      13. PIN:  Personal Identification Number
      14. OPC:  Open Platform Communication
      15. OSDP:  Open Supervised Device Protocol
      16. SaaS:  Software as a Service
      17. SIP:  Session Initiation Protocol
      18. SNMP:  Simple Network Management Protocol
      19. SSL:  Secure Sockets Layer
      20. TCP:  Transmission Control Protocol
      21. TIA:  Telecommunications Industry Association
    2. Definitions
      1. Access Control:  A function or a system that restricts access to authorized persons only.
      2. Anti-Passback:  An access control security measure to prevent (by denying access) or discourage (by granting access and generating an Anti-Passback Violation event) a cardholder from allowing another individual to use the cardholder’s card to gain entry to an access-controlled area immediately after the cardholder gains entry, without the cardholder first exiting the area. Enabling Anti-Passback requires that each door providing entry into the restricted area has two readers, one outside the area (referred to as an Entry Reader) and one inside the area (an Exit Reader).
      3. API:  Application Programming Interface, a set of clearly defined methods of communication between various software components.
      4. Authentication:  A process that verifies the origin of information, or determines an entity’s identity.
      5. Authorization:  A process that associates permission to access a resource or asset with a person and the person’s identifier(s) for the purpose of granting or denying access.
      6. Auto-Relock:  Door control feature that automatically relocks the door after access has been granted and the door has opened and closed, regardless of the time allowed for the door to momentarily remain unlocked to allow entry.
      7. Biometric:  A biometric is a unique identifying physical or physiological characteristic of an individual that can be used to identify that individual. Examples include, but are not limited to, DNA, fingerprint, gait, face recognition, hand geometry, iris recognition, palm print, palm veins, retina and voice.
      8. Central Station:  A central alarm monitoring station service providing its subscribers with around the clock real-time alarm monitoring and response services by trained operators and alarm investigators.
      9. Credential:  Data assigned to a person or non-person entity (such as security system equipment) and used to identify that person or entity. For a person, the data may be printed on an access/ID card, such as a photograph, name, and other printed data, or stored electronically in the computer chip on a smart card, an RFID chip, or in the memory of a biometric reader. For electronic equipment, the data is securely stored in a digital certificate file, which contains equipment identification information as well as the allowed purposes for which the certificate may be used.
      10. Delegated Point:  Delegating a Portal Reader or an elevator Floor Stop of an access control system to a person (usually an access system Administrator) allows that person to include the Reader or Floor Stop in an Access Level or in an Access Right for assignment to any of the people over whom the person has jurisdiction in BluSKY. A common use is for a Property Manager to delegate certain base-building points (such as main entry, turnstiles and floor stops) to Tenant Administrators so they can assign access to those points to their people as they wish. These are delegated points.
      11. DIY Security Administration:  Do-It-Yourself security administration is achieved by delegating a selection of people, and a selection of access points, to someone with an access control system Administrator role, so that the Administrator can manage the access the selection of people have to the selected access points. This allows delegation of access management for areas of the facility to Administrators working in those areas, who know which people require access through specific access points to perform their jobs.  It is also referred to as distributed Access Management. Management of visitors, photos, credentials can also be distributed. The scope of reporting for DIY Administrators is limited to the specific access points and people assigned to them.
      12. Evolvable Intelligent Infrastructure: Electronic Physical Security Systems networked infrastructure that encompasses the entirety of the computing and security device hardware, server and workstation software, mobile devices and their security apps, including cloud-based services, and which is designed for each of its hardware and software elements to be individually upgradable so that the system’s capabilities can be evolved as the owning organization’s risk management needs and objectives evolve.
      13. Hosted Security Management System: a web-based cloud-hosted security management software application that is provided on a Software-as-a-Service (SaaS) subscription basis. An HSMS is the security management software of a complete Physical Access Control System.
      14. Identifier:  A credential card, keypad personal identification number or code, biometric characteristic, or other unique identification entered as data into the entry-control database for the purpose of identifying an individual. 
      15. Multi-tenant:  a) Multi-tenancy is an architecture in which a single instance of a software application serves multiple customers. Each customer is called a tenant. b) A building or set of buildings whose workspaces are designed to be occupied by different leaseholders.
      16. Multi-site:  A characteristic of a physical access control system that uses a single software application to manage the access control hardware at multiple sites and provide access to personnel to one or more of the sites.
      17. Owner: Owner or Owner’s Representative
      18. PACS:  Physical Access Control System, including all of the physical access control equipment and the security management software that is required to set up and manage the physical access control equipment.  
      19. Peripheral Interface Device: An electronic device that provides an interface between a system controller and peripheral equipment, such as a card reader.
      20. REST:  Representational State Transfer (REST) is a software architecture style consisting of guidelines and best practices for creating scalable web services.
      21. RESTful API:  A web service API that adheres to the REST architectural constraints.
      22. TCP/IP:  Transmission Control Protocol/Internet Protocol.
      23. Workstation:  An internet connected computer used for performing security system administration and control functions.
    3. Reference Standards
      1. The latest published edition of a reference shall be applicable to this Project unless identified by a specific edition date.
      2. All reference amendments adopted prior to the effective date of this Contract shall be applicable to this Project.
      3. The publications listed below (including amendments, addenda, revisions, supplements, and errata) form a part of this specification to the extent referenced. The publications are referenced in specifications text by their basic designation only.
      4. Department of Justice American Disability Act (ADA)
        1. 28 CFR Part 36   ADA Standards for Accessible Design 2010
      5. Federal Communications Commission (FCC):
        1. FCC Part 15 Radio Frequency Device
        2. FCC Part 68 Connection of Terminal Equipment to the Telephone Network
      6. Federal Information Processing Standards (FIPS):
        1. FIPS 197  Advanced Encryption Standard (AES)
      7. International Organization for Standardization (ISO):
        1. 11801 Generic Cabling Standard
      8. Security Industry Association (SIA):
        1. ANSI/SIA CP-01-2014 False Alarm Reduction Standard
        2. OSDP v2.1.5 Open Supervised Device Protocol
      9. Telecommunications Industry Association (TIA):
        1. ANSI/TIA-568 set of telecommunications standards:
          1. ANSI/TIA-568.0-D Generic Telecommunications Cabling for Customer Premises
          2. ANSI/TIA-568-C.0 Generic Telecommunications Cabling for Customer Premises
          3. ANSI/TIA-568-C.1 Commercial Building Telecommunications Cabling Standard
          4. ANSI/TIA-568-C.2 Balanced Twisted-Pair Telecommunications Cabling and Components Standard
          5. ANSI/TIA-568-C.3 Optical Fiber Cabling Components
        2. ANSI/TIA-569-D Telecommunications Pathways and Spaces
        3. ANSI/TIA-606-B Administration Standard for Telecommunications Infrastructure
        4. ANSI/TIA-607-C Generic Telecommunications Bonding and Grounding (Earthing) for Customer Premises
        5. ANSI/TIA-232-F Interface Between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange
        6. ANSI/TIA-422-B Electrical Characteristics of Balanced Voltage Digital Interface Circuits
        7. ANSI/TIA-485-A, Standard for Electrical Characteristics of Generators and Receivers for Use in Balanced Digital Multipoint Systems
  3. 1.05.   SUBMITTALS
    1. Provide manufacturer product cut-sheets
    2. Provide manufacturer’s standard warranty for the security management system.
    3. Test Plan
      1. At least 30 days prior to commencement of formal testing, provide a Security System Operational Test Plan
      2. Include procedures for operational testing of each component and security subsystem, and performance of an integrated system test.
    4. Drawings
      1. Provide the Owner’s Representative a complete set of "As-Built" drawings in the latest version of AutoCAD drawings unlocked on CD or DVD. Include security device number, security closet connection location, data gathering panel number, and input or output number as applicable on each As-Built drawing. Submit As-Built drawings in editable formats and fully relinquish ownership of drawings to the owner.
    1. Install and test PACS to ensure all components are fully compatible as a system and integrate with all associated security subsystems and HSMS, whether the security system is stand-alone, or partially or fully on a shared Information Technology (IT) computer network.
    2. Qualifications
      1. Manufacturers
        1. Manufacturer shall regularly and presently produce, as one of the manufacturer's principal products, the equipment, services, and material specified for this project.
      2. Contractors/Installers
        1. Contractor or security sub-contractors shall be licensed to perform security installations in the state the work is to be performed.
        2. Contractor or security sub-contractor shall have a minimum of five (5) years’ experience installing and servicing systems of similar scope and complexity
        3. Contractor shall provide four current references from clients with systems of similar scope and complexity which became operational in the past three years
          1. At least three references shall be utilizing the same system components, in a similar configuration as the proposed system. 
          2. References shall include a current point of contact, company or agency name, address, telephone number, complete system description, date of completion, and approximate cost of the project.  The owner reserves the option to visit the reference sites, with the site owner’s permission and representative, to verify the quality of installation and the reference’s level of satisfaction with the system. 
    3. Utilize only factory-trained technicians to install, program, and service PACS equipment and services
      1. Utilize only factory-trained technicians to install, terminate and service controller/field panels and reader modules
      2. Provide copies of system manufacturer certification for all technicians
      3. Ensure technicians have a minimum of five continuous years of technical experience in electronic security systems
    4. A local service facility is required. 
      1. Facility shall be located within 60 miles of the project site
      2. Facility shall maintain sufficient spare parts inventory to support the service requirements associated with this contract
      3. Facility shall include appropriate diagnostic equipment to perform diagnostic procedures
      4. Owner's Representative reserves the option of surveying the company’s facility to verify the service inventory and presence of a local service organization.
    5. Provide evidence that installing service company is an authorized dealer in good standing for HSMS manufacturer, and that it meets the manufacturer’s technical certification requirements.
    1. Deliver materials in manufacturer’s labeled packages. Store and handle in accordance with manufacturer’s requirements.
  6. 1.09.   WARRANTY
    1. Manufacturer Warranty
      1. Provide manufacturer warranty that software and hardware products are free from defects in materials and/or workmanship for a period of one year from the date of installation.
      2. Provide periodic software and firmware updates during the warranty period.
    2. Special Warranty
      1. Maintenance & Service
        1. General Requirements
          1. Provide all services required and equipment necessary to maintain the entire integrated electronic security system in an operational state as specified for the duration of the service subscription. 
          2. Provide all necessary material required for performing scheduled adjustments or non-scheduled work. 
          3. Minimize impacts on facility operations when performing scheduled adjustments or non-scheduled work. 
      2. Description of Work
        1. Provide adjustment and repair of the security system, including all software and firmware updates, for computer equipment, communications transmission equipment and data transmission media (DTM), local processors, security system sensors, physical access control equipment, facility interface, signal transmission equipment, and video equipment installed under the project.
      3. Personnel
        1. Ensure service personnel are certified in the maintenance and repair of the selected type of equipment and qualified to accomplish all work promptly and satisfactorily
      4. Schedule of Work
        1. Perform work during regular working hours, Monday through Friday, excluding federal holidays.
      5. Emergency Service
        1. Provide staffed emergency service center service 24 hours a day, 365 days a year. Provide emergency service center telephone number for the Owner to request service when system is not functioning properly.  Collaborate with Owner's representative to determine catastrophic and non-catastrophic system failure parameters. Catastrophic system failures are defined as any system failure that Owner determines will place facility at an unacceptable temporary level of increased risk.
        2. For catastrophic system failures, provide same day four-hour service response with a defect correction time not to exceed eight hours from [notification] [or] [arrival on site]
        3. For non-catastrophic failures, provide eight-hour service response with a defect correction time not to exceed [24] [or] [48] hours from notification. 
      6. Operation
        1. In performance of scheduled adjustments and repair, verify operation of the system as demonstrated by the applicable portions of the Test Plan.
  7. 1.10.   LICENSING
    1. Provide manufacturer licensing for product installation for one year from date of substantial completion.
    2. Provide on-demand licensing model, with no up-front licensing expense, with monthly billing for each month’s prior usage.
    3. Licensing implementation shall not require hardware dongles.


    [SPECIFIER NOTE:  Use this article to describe owner-furnished products to enable the Contractor to install them correctly, or to ensure compatibility or proper system operation.  Delete if not applicable.]
    1. New Products
      1. <list new products furnished by Owner>.
    2. Existing Products
      1. <list existing products/systems furnished by Owner, for example, existing Mercury hardware and card readers >.
      2. <list dedicated workstation systems being provided by Owner, if any>
  2. 2.02   MANUFACTURER
    1. BluBØX, Inc., 9 Bartlett Street, Suite 334, Andover, MA 01810
      1. Telephone: (844) 425-8209
      2. Website: www.BluBØ
    2. Substitution Limitations:  No Substitutions.
  4. [SPECIFIER NOTE:  The following paragraphs and subparagraphs describe equipment and services that may be used in a PACS project.  Add, modify or delete as required.]
    1. Description: Networked physical access control system for deployment and operation as part of an organization’s overall electronic security system evolvable intelligent infrastructure.
    2. PACS shall consist of:
      1. Hosted Security Management System (HSMS Cloud Platform)
        1. Connections from field-installed access control hardware via a combination of private and public network connections
        2. Web-based cloud-hosted security management system application
        3. Field-installed access control hardware (PACS Hardware)
          1. Access control panels
          2. Card readers
          3. Biometric identification devices
          4. Door locks and sensors
          5. Destination Dispatch Elevator servers
          6. Power supplies
      2. Field-installed system operator workstations (Workstations)
        1. <Central alarm monitoring workstation>
        2. <Administration workstation>
        3. <Reception desk workstation>
        4. Field-installed visitor/contractor self-service kiosks (Self-Service Kiosks)
          1. <Main lobby visitor kiosk>
          2. <Contractor entrance kiosk>
        5. Personal user-owned mobile computing devices (User Devices)
          1. User-owned personal laptops, tablets, and smartphones of Owner personnel, utilized for administrative and operations purposes.
          2. User-owned personal laptops, tablets, and smartphones of Owner tenants, utilized for administration and operation of Owner-delegated control points.
          3. User-owned personal laptops, tablets, and smartphones of the occupants of Owner tenant spaces, utilized for requesting access and hosting visitors.
        6. Interfaces with (Interfaced Systems)
          1. <List interfaced systems, such as a fence intrusion detection system, whether owner-provided or being provided by this project>
        7. Maximum Capacities (Quantities)
          1. Cardholders: unlimited – deployed capacity limited by installed hardware
          2. Access control readers: unlimited – deployed capacity limited by installed hardware
          3. Inputs and Outputs: unlimited – deployed capacity limited by installed hardware
          4. Personal user-owned mobile devices: unlimited
          5. Workstations: unlimited
          6. Self-Service Kiosks: unlimited
          7. Elevator Destination Dispatch System Kiosks: unlimited – deployed capacity limited by installed hardware
    1. Description
      1. Multi-tenant cloud-hosted application delivered via “Software as a Service” (SaaS) model (Application), accessible to system administrators, installing contractors, and authorized manufacturer personnel via a variety of private and public networks; and related web services accessible to managed on-premise equipment via a variety of private and public networks.
      2. BluSKY cloud-hosted application by BluBØX
    2. System Architecture
      1. HSMS cloud application shall have the following elements and characteristics:
        1. Application served from a data center designed and maintained for high-availability (HSMS platform).
        2. Platform designed to utilize a combination of resource management, elasticity, load balancing, replication, and partitioning to eliminate single points of failure, and enable high availability, including:
          1. Load balancers handle HSMS traffic to multiple application servers in geographically distributed data centers.
          2. Application servers communicate with geographically distributed primary and redundant database servers.
          3. Application servers take over data processing operations upon a failure of an application server in the same or a different location.
          4. Automatic HSMS platform and application backup and recovery actions do not require client intervention.
          5. Demonstrated up-time of 99.95% or greater over the past five years of service.
        3. End-to-End Data Encryption:
          1. PII protected with 128-bit AES encryption for all communications.
          2. HSMS secured communications with site access control equipment using 128-bit SSL encryption, and authentication of the identity of site access control equipment through the exchange of X.509 digital certificates.
          3. Database encryption using Transparent Data Encryption (TDE) or an equivalent published or de facto standard.
        4. Activity Log / Audit
          1. Information about device status changes; administrative data access, configuration and control actions; and user activity are saved to audit trail logs, for access by authorized users.
          2. User mobile device GPS location information is saved to data files as well as audit trail logs, for system use and for access by authorized users.
        5. Virtual Commissioning
          1. Configuration of system characteristics and functionality, and of device settings, does not require live connection to operational equipment and devices.
          2. Automatic transfer of virtually commissioned device settings occurs upon connection of the installed device.
        6. Port Blocking Avoidance / Outbound Communication
          1. Communication to HSMS initiated by access control infrastructure devices and access control remote devices, not by HSMS.
          2. HSMS authenticates communication requests from access control infrastructure and keeps the connection alive.
          3. Upon loss of connection, access control infrastructure devices and access control remote devices automatically attempt to reconnect.  Upon reconnection, HSMS, access control infrastructure devices, and access control remote devices synchronize buffered communications.
        7. Secure web services connections to third-party applications integrated with HSMS.
    3. Application Functions
      1. HSMS cloud application shall have the following functionality and characteristics:
        1. Multi-tenant, multi-site, Software-as-a-Service platform supporting tens of thousands of remote access control points in a single, geographically redundant application architecture.
        2. Hierarchical and two-way access programmable by any combination of Account, Site, Tenant, User, Device, or Alarm Point.
        3. Integrated access control, ID badging, and visitor management.
        4. Immediate provisioning of new devices on demand by the end user.
        5. All access control data managed and maintained through a Web-based interface to the cloud data center.
        6. Communicate using industry standards including:
          1. ONVIF
          2. OPC
          3. OSDP
          4. SIP
        7. Support communication over Ethernet networks and the Internet
        8. Provide secure web services connections to third-party applications integrated with HSMS.
        9. Provide Single Sign-On integration via any of the following within the Microsoft Azure environment:
          1. AuthAnvil Single Sign On 4.5
          2. Azure Active Directory
          3. BIG-IP with Access Policy Manager BIG-IP ver. 11.3x – 11.6x
          4. CA Secure Cloud
          5. CA SiteMinder 12.52
          6. Centrify
          7. Dell One Identity Cloud Access Manager v7.1
          8. IBM Tivoli Federated Identity Manager 6.2.2
          9. IceWall Federation Version 3.0
          10. NetIQ Access Manager 4.0.1
          11. Okta
          12. OneLogin
          13. Optimal IDM Virtual Identity Server Federation Services
          14. PingFederate® 6.11
          15. PingFederate® 7.2
          16. RadiantOne CFS 3.0
          17. SecureAuth IdP 7.2.0
          18. Sign&go 5.3
          19. VMware  Workspace Portal version 2.1 
        10. Provide firmware upgrade capabilities to connected Access Control Panels, Intelligent Controllers, and Peripheral Interface Devices.
        11. Synchronize time across all PACS equipment and services.
        12. Provide PACS health and status monitoring and notification through automatic health checks on hardware, software and communications.
        13. Schedules and Holidays
          1. Define custom schedules for managing facility access and operating auxiliary devices with the following options:
            1. Create and edit a schedule
            2. Associate a schedule with groups, floors, doors and/or devices.
            3. Terminate a schedule’s association with one or more groups, floors, doors or devices.
            4. Delete a schedule.
            5. Create and edit a Holiday.
            6. Edit a Holiday’s start and end date.
            7. Delete a Holiday.
        14. Doors and Devices
          1.  Doors:
            1. Associate one or more doors with each site location.
            2. Manage door records, including permission to create the door, edit its name and manage its security settings, and actuate any door from any location in real time through a browser.
            3. Real time alerts, alarms and notifications regarding any door via SMS or email.
          2. Devices:
            1. Device may have logical or physical inputs and outputs.
            2. Logical input may be a schedule input to a timer.
            3. Physical input is any physical input point on an Access Control Panel board.
            4. Site can have one or more devices associated with it.
            5. Manage devices, including permission to create the device, edit its name and manage its security settings.
            6. Query the real time operational status of any device through a web browser.
        15. Elevators and Floors
          1. Manage elevators and floors including, but not limited to:
            1. Create elevator and floors.
            2. Edit elevator and floor names.
            3. Manage elevator and floor settings.
        16. Credentials: Credential Database and Cards
          1. Credential Data
            1. Multiple credentials per user.
            2. Database of credentials associated with account or sub-account, and the user to whom each is assigned.
            3. Validation that card numbers are unique, numeric and that number value is appropriate for the credential in use.
            4. Customized fields for data storage pertaining to individual credential holders (users) registered in the system.
            5. Creation of biometric data for each user.
            6. Association of a mobile device to serve as a credential.
            7. Creation of PIN credentials that are unique, 4 to 8 digits long, and randomly generated by the system or selected by the user.
            8. Automatic transmission of updated credential information to the appropriate access control panels with no user action required.
          2. Credential Types
            1. Variety of credential types including Bluetooth, NFC, proximity cards, magnetic stripe cards, biometric data and smart cards.
            2. Variety of Wiegand bit patterns.
          3. Cards
            1. Cards may be assigned, revoked or deleted.
            2. Account administrators view all cards associated with an account.
            3. Sub-account administrators view only those cards assigned to users affiliated with the sub-account.
            4. Sub-account administrators may view currently unassigned cards.
            5. Card format is viewable in addition to the name of the user to whom the card is currently assigned.
            6. Cards may be enrolled into the system using a local card reader.
            7. An unlimited number of standard and custom formats may be utilized.
          4. ID Badging
            1. Fully customizable badge templates.
            2. Display images and print badges directly from the operator’s screen.
            3. Two-sided badge printing.
            4. Bulk badge printing.
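The Credential Data and Credential Types items above call for card numbers that are unique, numeric and in range for the credential in use, and for unique 4 to 8 digit PINs. The following added example (not BluBØX code and not part of this specification) shows those enrollment checks in Python, assuming the common 26-bit Wiegand layout; `CredentialRegistry` and its method names are hypothetical.

```python
from __future__ import annotations

import secrets

# Assumption: the widely used 26-bit Wiegand layout (not defined in this spec):
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code (0-255)
#   bits 9-24  card number (0-65535)
#   bit 25     odd parity over bits 13-24
W26_MAX_FACILITY = 0xFF
W26_MAX_CARD = 0xFFFF


def encode_w26(facility: int, card: int) -> str:
    """Build the 26-bit frame, rejecting values the format cannot carry."""
    if not 0 <= facility <= W26_MAX_FACILITY:
        raise ValueError("facility code out of range for 26-bit format")
    if not 0 <= card <= W26_MAX_CARD:
        raise ValueError("card number out of range for 26-bit format")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2          # pads first half to an even count
    odd = (data[12:].count("1") + 1) % 2     # pads second half to an odd count
    return f"{even}{data}{odd}"


def decode_w26(bits: str) -> tuple[int, int]:
    """Return (facility, card) from a reader frame after both parity checks."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def _is_ascii_digits(value: str) -> bool:
    # str.isdigit() alone also accepts non-ASCII digit characters
    return value.isascii() and value.isdigit()


class CredentialRegistry:
    """Hypothetical in-memory stand-in for the credential database."""

    def __init__(self) -> None:
        self._cards: dict[tuple[int, int], str] = {}
        self._pins: set[str] = set()

    def enroll_card(self, user: str, facility: int, raw_number: str) -> str:
        if not _is_ascii_digits(raw_number):
            raise ValueError("card number must be numeric")
        card = int(raw_number)
        frame = encode_w26(facility, card)      # range check for this format
        if (facility, card) in self._cards:
            raise ValueError("card number already enrolled")
        self._cards[(facility, card)] = user
        return frame

    def lookup(self, bits: str) -> str | None:
        """Map a frame read at a door to its enrolled user, if any."""
        return self._cards.get(decode_w26(bits))

    def issue_pin(self, chosen: str | None = None, length: int = 6) -> str:
        if chosen is not None:
            if not (_is_ascii_digits(chosen) and 4 <= len(chosen) <= 8):
                raise ValueError("PIN must be 4 to 8 digits")
            # Rejecting a duplicate reveals that the PIN is already in use,
            # one reason PINs are best paired with a second factor.
            if chosen in self._pins:
                raise ValueError("PIN not available")
            pin = chosen
        else:
            if not 4 <= length <= 8:
                raise ValueError("PIN length must be 4 to 8")
            for _ in range(1000):
                pin = "".join(secrets.choice("0123456789") for _ in range(length))
                if pin not in self._pins:
                    break
            else:
                raise RuntimeError("could not find an unused PIN")
        self._pins.add(pin)
        return pin
```

Other Wiegand bit patterns need their own field widths and parity rules; only the range constants and the two slicing functions change.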
      2. Antipassback capabilities shall include:
        1. Hard Anti-Passback  
        2. Soft Anti-Passback
      3. Email and Text Message Notifications
        1. Message shall: 
          1. Include a link the user may click to open the alarm details in a browser window.
        2. HSMS shall be able to dispatch email and text message notifications to select users when predetermined events occur.
          1. Door Forced Open.
          2. Failed Access by Unknown Person.
          3. Failed access by unknown person due to invalid credential type (card required).
          4. Failed Access by Known Person.
          5. AC Power Loss/Restoration and Battery Status.
          6. Control Panel Communication Failure.
        3. Account administrators shall have the ability to manage email or text message notifications according to functionality listed below:
          1. Create and edit notification rules specifying which administrator will receive email or text message notification of which system events.
          2. Associate a schedule with each notification rule.
          3. Specify the language to be used in notification emails.
          4. Delete notification rules.
      4. System Administration
        1. HSMS shall provide the following system operator roles to facilitate the delegation of system management duties and to support separation of duties policies:
          1. System Setup (hardware installation and configuration)
          2. Triggers (event triggers)
          3. Personnel Administration
          4. Role Administration
          5. Visitor Administration
          6. Access Control Administration (access permissions)
          7. Card Administration (card and credential mobile device enrollment)
          8. Schedule and Holiday Administration
          9. Watch List Administration
          10. Notification Administration
          11. Rule Administration
          12. Video Administration
          13. Occupant Administration
          14. Reporting
      5. Alarm Monitoring and Management
        1. Administrators shall be allowed to manage physical input points, including:
          1. Enable Point – Enables or Re-enables an alarm point to be acted on within an armed alarm zone.
          2. Disable Point – Removes it from an alarm zone.
          3. Bypass Point – Temporarily removes an alarm point from an alarm zone to allow the zone to arm.
          4. Arm Away – Arms perimeter and interior alarm zone or alarm zones providing for delays at egress path doors.
          5. Arm Stay – Arms perimeter alarm zone providing for delays at egress path doors.
          6. Arm Instantly – Arms an alarm zone or alarm zones without providing for delays at egress path doors.
          7. Disarm – Disarms an alarm zone or alarm zones.
      6. Video Management System Integration
        1. Provide Integration with Milestone® XProtect™ Enterprise and Milestone XProtect Expert:
          1. Provide an XProtect camera list from which to call up any camera view.
          2. Record XProtect video events and alarms.
          3. Display XProtect video events and alarms.
          4. Configure XProtect video events and alarms to trigger BluSKY actions.
      7. Central Station Notification
        1. HSMS shall have the ability to dispatch alarm notifications to a third party central station monitoring service.
          [SPECIFIER NOTE:  Dispatching alarm notifications to central station requires specification of Keltron dialer, to be interfaced with an Access Control Panel.]
      8. Reports
        1. HSMS shall permit authorized administrators the ability to execute and print built-in and custom reports including:
        2. Built-in Reports shall include:
          1. Person Access Report:  This report shall provide information regarding all persons who have access to a Portal or Floor.
          2. Person Activity Report:  This report shall provide information regarding all activities by one or more people at the property’s readers or elevators.
          3. Person Status Report:  This report shall provide information regarding all Access granted to a particular person through Portals or through Floors.
          4. Role Report:  This report shall provide information regarding all the Roles that are associated with an Occupant of a Property.
        3. Third Party Integration
          1. HSMS shall provide read-only information to third party products through RESTful API or file drop methods. Information shall be available as full or delta record sets.
    4. Web-Based Management Interface
      1. HSMS Web-based Interface shall provide authorized operators the ability to manage the access control system over secured connections using any standard Web browser
      2. Authentication
        1. To gain access to HSMS, users shall be required to enter a username.
        2. Usernames shall be an email address.
        3. Passwords shall meet the following minimum standards:
          1. Minimum 8 alphanumeric characters,
          2. At least one character lowercase,
          3. At least one character uppercase,
          4. At least one special character, and
          5. At least one number.
        4. The password shall be stored by HSMS as a hashed value.
        5. HSMS Web-based Interface shall provide users with a secure method to reset their password
      3. Encryption
        1. All sessions between the browser and HSMS shall be encrypted using 256-bit Secure Sockets Layer (SSL) encryption.
      4. Browser requirements shall include, but not be limited to
        1. The use of cookies should be enabled to preserve session information and allow the interface to function properly.
        2. JavaScript to validate form data, control navigation, and display images.
        3. The use of pop-up windows for functional elements.
        4. HSMS shall support the following web browsers:
          1. Microsoft Internet Explorer 9 & 10
          2. Google Chrome – Latest Version
          3. Mozilla Firefox – Latest Version
          4. Apple Safari for Mac – Latest Version
      5. HSMS Web-based Interface shall follow a structured layout allowing access to all major system categories
        1. The main display shall consist of a home page that shall allow the user log-in access using a pre-determined user name and password, where the user name is an email address, and the password complies with Microsoft security standards.
        2. Access to all major categories of the system shall be through the use of a horizontal navigation bar.
        3. The navigation bar shall be accessible from all category and sub-category views.
        4. Upon log-in, the user shall be redirected to a Dashboard view, which shall provide dynamic activity lists and device status logs displaying the most recent events in reverse chronological order.
        5. All page views shall include:
          1. An icon which shall link the user to Help supported topics.
          2. A method to provide the user with context sensitive help data.
          3. An icon which shall permit the user to Log out of the system in a secure manner.
          4. An icon which places the user back at the landing (home) page.
          5. A method to allow the user to change the displayed language.
      6. HSMS Web-based Interface shall have a responsive design which preserves the standard display presentation by automatically scaling the interface in response to the user’s behavior and interface device’s screen size and orientation
        1. All HSMS functionality shall be accessible regardless of whether it is accessed through a computer, tablet, or mobile phone that meets the minimum web browser requirements defined by the manufacturer.
      7. HSMS Web-based Interface shall include multiuser multitasking to allow for independent activities and monitoring to occur simultaneously for different users.
      8. HSMS Web-based Interface shall include category views for the creation and management of:
        1. System activity logs and activity reporting.
        2. System devices and hardware.
        3. User cards, including editing, deleting and formatting.
        4. Users and user groups.
        5. Schedules and holidays.
        6. Account details, email notifications and the creation of custom fields.
        7. Alarm notifications and acknowledgement of alarms.
        8. Configuration and networking details of the ACS.
        9. Role-based permission and access right assignments
        10. Biometric “Person Reader” Enrollment and Management
        11. Real-Time Control and Monitoring of Portals and Elevators
          1. HSMS shall support real-time remote lock, unlock, release, timed release, schedule, credential access and simulated swipe functions.
        12. Access Control Statistics
          1. HSMS shall automatically analyze and track access control statistics including:
            1. People Present
            2. People Flow
            3. Counts, averages, trends, patterns, correlations
          2. Statistics and analysis shall be presented as predefined and customizable dashlets and dashboards.
          3. HSMS shall deliver statistics and analysis reports automatically based on user subscription to the information.
      9. HSMS web-based Interface shall provide a method to search for user records by specifying a portion of the user’s name, employee number, or card number.
      10. HSMS shall provide multiple methods of authentication and enrollment:
        1. Expiration date check
        2. Biometric check
        3. Digital photo display/check
      11. HSMS System shall provide importing and exporting of data and interfacing with other systems, including: [RB Note: needs expansion]
        1. Automated role assignment for imported personnel records
    5. Access Control Hardware (PACS Hardware)
      1. Description
        1. Open architecture Physical Access Control Hardware provided via “Hardware as a Service” (HaaS) model, whose Intelligent Controllers connect to an HSMS via a variety of private and public networks, and connect to additional security field hardware devices via Ethernet or RS-485 connections
        2. BluCHIP access control hardware by BluBØX
      2. System Architecture
        1. PACS Hardware shall have the following integral elements and characteristics:
          1. Intelligent controllers and peripheral device interface boards
            1. Intelligent access controllers
            2. I/O boards for readers, keypads, dry contact inputs and relay outputs
          2. Communications
            1. 10/100/1000 Mbps Ethernet – for intelligent device communication
            2. RS-485 Bus – for peripheral device communication
          3. Remote Power Management, Status and Control
            1. Real time status and control of power to Intelligent Controllers and Peripheral Interface Devices
            2. Display device status
            3. Remotely control device output relays, LED indicators, and display messages
            4. Remotely power down and power up (hard restart) a device
      3. System Functionality
        1. For specifications see Section 28 14 00 Access Control Hardware
    6. Administration Workstation
      [SPECIFIER NOTE:  Delete this administration workstation Paragraph if not used.  If used, list basic specifications for each type of workstation, sufficient for identifying qualifying products, or identify make and model and provide a description. Expand the list below as needed.]
      1. Provide a laptop, desktop or tower computer.
      2. For specifications see Section 28 14 00 Access Control Hardware
    7. Monitoring Workstation
      [SPECIFIER NOTE:  Delete this monitoring workstation Paragraph if not used.  If used, list basic specifications for each type of workstation, sufficient for identifying qualifying products, or identify make and model and provide a description. Expand the list below as needed.]
      1. Provide a desktop or tower workstation computer.
      2. For specifications see Section 28 14 00 Access Control Hardware
    8. Badging Workstation
      [SPECIFIER NOTE:  Delete this badging workstation Paragraph if not used.  If used, list basic specifications for each type of workstation, sufficient for identifying qualifying products, or identify make and model and provide a description. Expand the list below as needed.]
      1. Provide a laptop, desktop or tower computer, with photo capture camera, badge printer, and card reader.
      2. For specifications see Section 28 14 00 Access Control Hardware
    9. Self-Service Kiosks (Kiosks)
      [SPECIFIER NOTE:  Delete this Kiosks Paragraph if not used.  If used, list basic specifications for each type of workstation, sufficient for identifying qualifying products, or identify make and model and provide a description. Expand the list below as needed.]
      1. Provide a 27" touch screen Windows-based computer kiosk
      2. For specifications see Section 28 14 00 Access Control Hardware 
    10. Destination Dispatch Elevator (DDE) Appliance
      1. Description
        1. Server-appliance based system providing protocol-level integration with the Destination Dispatch functionality of major elevator manufacturers, utilizing card reader kiosks on each elevator floor.
        2. Specifications and Options: see 28 14 00 ACCESS CONTROL REMOTE DEVICES.
      2. System Architecture
        1. Destination Dispatch Elevator Server-Appliance
          1. Embedded Fanless Server
          2. Dual Processor Kit
          3. Elevator Destination Dispatch Interfaces
          4. Access control system integration
          5. Visitor processing integration
          6. Turnstile system integration
        2. System Functionality
          1. DDE Appliance shall integrate with the following elevator systems:
            1. Otis
            2. Schindler
            3. Thyssen Krupp (TKE)
            4. KONE
            5. Mitsubishi
          2. DDE Appliance shall provide:
            1. DDE override control and status
            2. Automatic entry turnstiles car assignment
            3. DDE special feature support
            4. Diagnostics capabilities:
              1. Diagnostics data logs [?]
              2. Remotely accessible by secure VPN connection
              3. Full display of I/O traffic between DDE Appliance and elevator destination dispatch system, and between DDE Appliance and HSMS
              4. Simulated card swipe for PACS-enrolled cardholders
      3. Power Management
        1.  Description
          1. Remote real-time intelligent power monitoring and management that detects power anomalies on a per-device-power-source basis, notifies the contact list with the details of power loss or other conditions that need attention, including the capability to remotely reboot or reset the affected components.
        2. Specifications and Options: see 28 14 00 ACCESS CONTROL HARDWARE.
        3. System Architecture
          1. Cloud-based power management application
          2. VPN/Remote management gateway
          3. Network Communications Interfaces
          4. Internet capable intelligent power controllers
          5. Power supplies
          6. Power modules
          7. Power distribution modules
        4. System Functionality
          1. Remote power cycle and shutdown
          2. Real time power monitoring, status, diagnostics and events
          3. 40 power analytics and events
          4. Integration with AI situation conditions and response
          5. On screen, Email and SMS notifications
          6. Multiple notifications through distribution lists
          7. Fail/safe or fail/secure egress lock control based on fire alarm interface signal
      4. VPN/Remote Management Gateway
        1. Description
          1. Cloud-based management of NOC-based secure VPN connections via site-located VPN/Gateway device, enabling connect-from-anywhere secure remote access to physical security systems.
        2. Specifications and Options: see 28 14 00 ACCESS CONTROL HARDWARE.
        3. System Architecture
          1. Manufacturer’s Network Operations Center
            1. Customer web portal
            2. VPN Servers
          2. Site-located Network Navigator devices
            1. LAN connections to physical security system computers and devices
        4. System Functionality
          1. Provides secure internet VPN connections via manufacturer’s NOC
          2. Customer-managed multiple user access
          3. Option for backup communications via GSM cellular network when primary Internet path is unavailable
          4. Network failures generate an alarm and provide appropriate auto-notifications
          5. Client VPN activity is firewalled and transactions are recorded in logs


  1. 3.01.   Examination
    1. Verification Of Conditions
      1. Coordinate with Verification of Conditions as detailed in 28 14 00 ACCESS CONTROL HARDWARE, Part 3, Examination.
      2. Coordinate with Verification of Conditions as detailed in 28 15 19 ACCESS CONTROL REMOTE DEVICES, Part 3, Examination.
  2. 3.02.   Preparation
    1. Review configurable features of the PACS equipment and services with the Owner’s Representative and document the results of the meeting in the Project planning documents. The following configuration topics shall be resolved prior to configuring equipment and services:
      1. Internet Service Provider, firewall, and IP schema for PACS devices
      2. Access card levels and door groupings
      3. Alarm priority levels
      4. Schedules and time codes
      5. Holidays and holiday types (priorities)
      6. Action/responses from individual input points
      7. Standard and custom (expanded) reports
      8. Defining alarm messages and standard response messages applicable to site
      9. Routing of alarm points to selected pagers/emails
      10. Routing of alarm points to operator’s workstations, printers, and history files
      11. Coordinate implementation of graphics with Owner. Develop sample graphic complete with icons and text. Alarms to appear on building floor plans depicting the nature and location of alarms. Review and revise graphic layout as required by Owner.
      12. Alarm graphic maps.
      13. User-defined fields.
      14. Security officer guard tours and key control.
      15. Badge layout options; design badges.
      16. Plan for system testing, startup, and demonstration.
      17. Acceptance test concept and, on approval, develop specifics of the test.
      18. List of default user IDs and passwords (factory defaults) for all PACS equipment and services.
    2. Provide a schedule with a list of participants to attend monthly coordination and progress update meeting until job completion. Attendees shall include:
      1. Owner representative of Facilities Management, Information Services, Security Management
      2. Contractor Project Manager
      3. Manufacturer(s) Employed Representative
      4. Architect / Engineer / Security Consultant
    3. At all coordination meetings with Owner’s Representative, present Project planning documents and review, adjust, and prepare final setup documents. Use final documents to set up system software.
    4. Work with Owner’s Representative and Owner to establish procedural guidelines and define terminology and conditions unique to the Owner’s operation.
    5. Ensure Owner-provided workstations comply with operating system software and web browser software requirements by HSMS manufacturer
    6. Coordinate application of Owner-managed virus protection practices per requirements and recommendations of HSMS.
  3. 3.03.   Installation
    1. Install and configure all elements of PACS, including but not limited to access control, alarm monitoring, video surveillance, and ID badging system, per manufacturer’s installation instructions
    2. Comply with manufacturer’s written data, including product technical bulletins, product catalog installation instructions and product carton installation instructions.
    3. Controllers and Portal Equipment
      1. Coordinate with 28 15 19 ACCESS CONTROL REMOTE DEVICES, Part 3, Installation.
    4. Install, configure, and test PACS for the complete and proper operation of systems involved.
    5. Systems Integration
      [SPECIFIER NOTE:  Delete this entire paragraph E if not needed.]
      1. Integrate electronic security system with the following systems and equipment:
        [SPECIFIER NOTE:  Retain paragraphs below for network controlled elevator controls. For hardwired-panel driven elevator controls, delete this item and refer to Elevators Controls in 28 15 19 ACCESS CONTROL REMOTE DEVICES – Installation.]
        1. Elevator Controls.
          [SPECIFIER NOTE:  Delete paragraph below if no standalone IDS is required.]
        2. Intrusion Detection System (IDS)
  4. 3.04.   Site Quality Control
    1. Site Tests and Inspections
      1. Submit documented test plan to Owner at least (14) days in advance of final acceptance test, inspection and check-off.
      2. Perform final acceptance testing in the presence of Owner’s representative, executing a point by point inspection against a documented test plan that demonstrates compliance with system requirements as designed and specified.
      3. Conduct acceptance tests in presence of Owner’s representative, verifying that each device point and sequence is operating correctly and properly reporting back to control panel and control center, and provide the Owner’s Representative with a written report on the results of that test.
      4. PACS shall not be considered accepted until all acceptance test items have been successfully checked-off. Beneficial use of part or all of the system shall not be considered as acceptance.
      5. As required to sufficiently demonstrate the PACS functionality, request the console operator on duty and his/her superior to perform certain daily operations using the PACS.
      6. Complete all required training prior to initiation of the final acceptance test.
      7. Following the PACS head-end equipment and console review, inspect the installation of all field devices
        1. Point out the general neatness and quality of installation, test the full functionality of each individual device, and show that mounting, backbox and conduit meet compliance requirements.
      8. Owner’s Representative shall, upon successful completion of the final acceptance test (or subsequent punch list retest), issue a letter of final acceptance.
      9. Owner’s Representative retains the right to suspend and/or terminate testing at any time when the system fails to perform as specified
        1. Collaborate with Owner’s Representative prior to start of testing, to establish pass/fail criteria and classification of test execution problems, such as:
          1. Pass/fail: criteria determining what constitutes a test pass or failure
          2. Suspension and resumption: criteria determining when testing must be suspended and resumed later
          3. Show Stopper: Stop test, fix problem and restart test from beginning
          4. Major Problem: Fix problem before test can be resumed or concluded
          5. Minor Problem: Add problem to “punch list”, complete test
          6. Special Issue: Investigate to determine which problem category above applies
        2. If it becomes necessary to suspend the test, work diligently to complete/repair all outstanding items to the condition specified in the Specification and as indicated on the security drawings
        3. Supply the Owner’s Representative with a detailed completion schedule outlining phase by phase completion dates and a tentative date for a subsequent punch list retest
        4. During the final acceptance test, make no adjustments, repairs or modifications to the system without the permission of the Owner’s Representative.
  5. 3.05.   Adjusting
    1. Comply with recommendations in ANSI/SIA CP-01, “Control Panel Standard Features for False Alarm Reduction”.
    2. Perform field software changes after the initial programming session to “fine tune” operating parameters and sequence of operations based on any revisions to the Owner’s operating requirements.
    3. Security Hardening Procedures
      1. Installer/Factory User Accounts
        1. Remove all (default, installer, or temporary) user accounts and passwords used during installation that are not part of the End-user’s final operational requirements
      2. Delete factory default user accounts, or establish new account passwords substantially different from factory default passwords
  6. 3.06.   Closeout Activities
    1. Demonstration
      1. As a high-level preview to comprehensive training, demonstrate how an authorized user can gain access to HSMS and:
        1. Make changes to HSMS configuration.
        2. Configure, operate, and diagnose installed devices.
        3. Query information and run reports.
        4. Check the overall status of the system.
    2. Training
      1. General
        1. Submit training plans and instructor qualifications to Owner’s Representative for approval.
        2. Coordinate with Owner’s Representative to accommodate owner shift schedules to reduce impact to regular operations.
      2. Enrollment/HR Training
        1. Provide two sessions of 4 hour enrollment/HR training for up to 8 owner personnel
        2. Enrollment/HR training shall include all aspects of preparing, inputting, and printing credentials, enrolling users and assigning them to permission groups or individual permissions.
      3. Operator / Security Officer Training
        1. Provide two sessions of 4 hour operator / security officer training for up to 8 owner personnel
        2. Operator training shall include all aspects of full operation including operator log in, and reviewing/acknowledging alarms.
        3. Deliver printed reference materials that cover the entire training presentation.
          [SPECIFIER NOTE:  Delete subparagraphs below if integrator will perform all initial system administration. Adjust hours for complexity of the project.]
      4. System Administration
        1. Provide two sessions of 6-hour system administrator training for up to 4 owner personnel.
        2. Include in administration training all aspects of system administration including creation and management of user accounts and permissions, viewing system audit reports and performance metrics, and management of recording profiles.
        3. Exclude from administration training the addition or removal of system components such as card readers.
        4. Deliver printed reference materials covering the entire training presentation
  7. 3.07.   Protection
    1. Maintain strict security during the installation of equipment and software. Rooms housing accessible equipment and workstations that have been powered up shall be locked and secured during periods when a qualified operator in the employ of Contractor is not present.
    2. Protect installed work of other trades when working in the same area.
    3. Protect all completed work prior to acceptance by owner.
      [SPECIFIER NOTE:  Owner may, at Owner's discretion, relieve the contractor from this burden. For example, if the site already has onsite security officer service.]
    4. Incremental and As-built Configuration Backup.
      [SPECIFIER NOTE:  Select either “beneficial use” or “substantial completion”.]
      1. Perform a full back-up of all configuration settings and data from HSMS at the completion of critical milestones and immediately prior to system turnover to owner.
      2. Deliver HSMS As-Built backup and instructions for the restoration of the back-up upon substantial completion and prior to testing.
  8. 3.08.   Maintenance
    1. Software updates and upgrades to HSMS application shall be delivered automatically without contractor/installer/Owner intervention.
      1. Maintenance updates shall be delivered monthly by HSMS manufacturer.
      2. Software upgrades shall be delivered quarterly by HSMS manufacturer.






Specifier Notes