Fault Tolerant Controllers

What they are and why we need them

It was the proverbial dark and stormy night. The access control and security system master controller located on the fifth floor of a high rise building just experienced a total failure. It's totally dead to the eight door interface modules for which it is supposed to provide intelligence and monitoring. In a world where security is a concern and system survivability matters, this could be a critical situation. A situation that many building managers have experienced and one for which they routinely lose sleep in anticipation.

In this situation, however, things are different. In fact, even in the morning when a call is placed to the security system service provider there is no excitement, no anxious rush to get a service technician dispatched to replace the dead processor. The dispatcher calmly tells the building manager that they will replace the controller on their next regularly scheduled maintenance call in a few weeks and at their standard labor rate. The building manager is calm and un-frazzled. What is going on here? Is this a story about the indifference of a security system service provider, or something more? In this case, it's a story about how the newest innovation in the access control industry is changing how we look at critical equipment failures.

In the scenario depicted, the errant master controller is part of a Fault Tolerant system. As the name describes, this system is tolerant of equipment failures, in fact, it makes no difference to the performance of the system whether that particular master controller works or not. These new systems use a redundancy methodology that allows any master controller on the system to step up and take the place of any other master controller on the system. You could conceivably lose every master controller on the system except one and the system will continue with little or no perceptible degradation in performance.


Distributed vs. Subservient

There are two primary hardware architectures employed in the access control industry. One is the “distributed” architecture; named this because the intelligence of the system is distributed to each and every control panel in the system. With a distributed architecture, each card reader and its associated input and output points are connected directly to an intelligent controller.

The other common architecture is the master controller/door controller style (or what we used to call master/slave). With this configuration, the master controllers are the only intelligent component of the system and each door is connected to a “dumb,” or at least “dumber,” door interface module.

The advantage of the first type of system described here is that since the intelligence (database storage and decision making ability) is distributed to each panel and the number of doors connected to each panel is limited (commonly only 12 to 16 doors maximum), the risk of losing more than a few doors from the system due to any one hardware failure is very low. Even a catastrophic failure of a controller will result in the loss of only the 12 to 16 doors connected to that panel, while all the other doors on the system would be unaffected. In contrast, the master controller/door controller configuration could conceivably put up to 128 doors in degrade mode if one master controller fails. The advantage of the master controller/door controller schema is the low cost associated with having fewer intelligent (and therefore more costly) controllers on the system.

Each service provider in the security industry has had to evaluate the pros and cons of these two architectures to arrive at the best solution to meet any specific access control application. Both are valid designs, and depending on how critical it is that the system stay up and operating or the size of the end-user's budget, either design could be more appropriate. In large part, manufacturers of access control hardware subscribe to either one or the other of these two architectural philosophies and will defend it vehemently.

This content continues onto the next page...