ACS in hazardous industries.
Access control systems play a dual role in hazardous industries.
Firstly, it is an element of the security system (protection against criminals), designed to protect against unauthorized persons from entering the facility. Moreover, in the case of hazardous industries, the entire spectrum must be considered as a potential intruder — from terrorists to petty thieves, whose actions can also lead to emergency consequences (Chekhov described a thief who stole a nut from the railroad tracks).
Secondly, it is an element of safety engineering (labor protection). Access control systems should, in the event of an accident, ensure the counting of all people at the facility (roughly speaking, to know how many more people there are and where to look). Sometimes a more detailed count is required, for example, counting the time spent by each employee of the enterprise in the danger zone, or monitoring the non-proliferation of radioactive dust (blocking the exit if the boots «glow»).
At first glance, the presence control functions seem simple. However, there are almost no systems that allow you to quickly print out a list of all people on site without the intervention of a qualified administrator. And in practice, there are still many difficulties: large sites often have dormitories for business travelers inside, and people can be on site for weeks or even months, which means that the ACS system must have a failure rate of at least a year. And many people enter on foot and leave by bus or diesel locomotive, and this applies not only to the driver assigned to a given dump truck, but also to the team of electricians who left on a technical vehicle for the power line. And some entered with a temporary pass and then left with a permanent one, or their data was simply edited while the person was on site. Many systems after editing can easily forget that this person had already entered.
In addition, in the event of an emergency, it is necessary not only to quickly print out and give the rescuers a list of people at the site, but also to continue registering everyone who leaves there, including those who are evacuated not through a regular checkpoint, but through fire roads, or through a destroyed fence, or even in ambulances. Of course, in an emergency, it is impossible to strictly adhere to the usual procedures (control of repeated passage, access according to the rule of three, limiting the minimum presence, etc.). The system should not interfere with the evacuation. But it should nevertheless continue to work and register those leaving (and restrict those entering, too). It is advisable to additionally implement the registration of evacuees on portable (mobile) terminals, including those evacuees who have lost their passes, and therefore they can only be identified by biometric data, such as a photograph. 
Let's return to the features of the ACS as an integral part of the anti-terrorist and anti-criminal protection system for hazardous industries. The importance of such protection is undeniable. For many industries, there are many regulatory documents at both the industry (departmental) and federal levels, and sometimes even international (for example, the IAEA). These documents sometimes make it easier to design a system, since they describe in sufficient detail how it should be arranged, but sometimes it turns out that they are partly contradictory or only declare the need for particularly reliable protection of particularly hazardous facilities, without specifying how. I must say that we are lucky in this regard. In our country, the oldest laws in force date back only to the 1920s. English colleagues complained that sometimes (especially at particularly hazardous facilities) it is necessary to take into account laws from the 1600s regarding, for example, the procedure for admitting naval officers or the royal guard.The basis for protecting hazardous facilities is the concept of layered or zonal protection. Thousands and even tens of thousands of people may work at a hazardous facility. All of them have the right to pass through the checkpoint in the outer perimeter. However, only hundreds have access to buildings with hazardous technological installations. And only a few dozen people have the right to access critical premises for the safety of the technological process. Multi-stage layered authorization checks allow you to effectively protect the heart of the enterprise.
At the same time, the access procedure itself is subject to a number of requirements that make unauthorized access difficult and, most importantly, that exclude accidental or intentional harm on the part of authorized personnel. For example, instructions often require compliance with the so-called commission. This means that at least three people (or no one at all) must always be in a critical room.
Of course, it is unacceptable to restrict access without reference to time at dangerous enterprises. Different people can come at different times. In production, this is complicated by the fact that when someone can go is sometimes described by complex shift work schedules. I have seen only a few access control systems that implemented arbitrary shift schedules, and in most cases they were implemented in software, on computers connected to the access equipment, as a kind of «patch». However, often, even if the equipment supports such a possibility, the enterprise's security service is unable to use it to the fullest extent. After all, setting up all these shifts and then carefully monitoring all the changes made to them due to technological necessity, monitoring all vacations, all replacements due to illness is an extremely difficult task.
Special hardware solutions are used to strictly enforce access procedures. The most important are turnstiles or even airlocks, which guarantee that only one person can pass through with one pass. There is also a solution such as readers spaced several meters apart, to which you must simultaneously present your cards. This guarantees that, for example, disarming a room is really carried out by two different people. Biometric readers are widely used, which ensure that the authority of the person, not the card, is verified (the card can be stolen or counterfeited). In addition to purely hardware solutions, special organizational ones are also used, for example, the participation in the algorithms of a remote operator, who must confirm the right to perform certain actions from the central post. The operator sits in a secure room, he cannot be forced at gunpoint. In addition, the operator is impersonal, even in the case of collusion, the criminal cannot be sure that at the moment the security officer with whom he agreed in advance is at the control panel.To ensure the implementation of all algorithms, it is necessary to strictly suppress any attempts to violate them, even accidental or due to negligence. Even the simplest requirement for control of repeated passage (anti-passback) causes a lot of inconvenience in everyday use. But all procedures lose their meaning if they can be ignored. Often a rule is introduced that the card (pass) with which an attempt was made to violate the rules is blocked until clarification.
The pass is unlocked only after the security service arrives at the scene and reports the results of the showdown. And the owner of such a card stands in front of the locked door all this time and prepares to explain «why he tried to go in the wrong turn or to the wrong room.» By the way, the hardware and software of the ACS for implementing such a rule must support not only blocking the card after an error, but also its quick unlocking upon a command transmitted by the patrol group by radio or even entered into the system locally, on a special remote control. And not just unlocking, but, for example, correcting the area of a person's location (if he mistakenly went through the door with someone else), a temporary correction of the schedule, if a person, say, was delayed after a shift due to production needs (otherwise he will not be allowed out and all the following doors). When establishing strict rules for employees, the procedures for admitting visitors are of particular importance. At a large enterprise (and a small enterprise is rarely dangerous), dozens or even hundreds of business travelers, subcontractors, representatives of suppliers and buyers, and other visitors (for example, a sanitary and epidemiological inspector who has come to inspect the canteen) come daily. All of them need to be issued a temporary pass very quickly, and this procedure should not be a security hole. It should not be possible to “accidentally” issue an all-terrain pass to a visitor. As a rule, visitors are allowed to enter critical areas only when accompanied by an assigned escort.
In addition to visitors, among the thousands of employees of the enterprise every day there are those who have forgotten their pass. They also need to be issued a temporary pass with their real powers, but with a limited validity period, fairly quickly.
In conclusion, I would like to note that in hazardous industries, specific requirements are often imposed on ACS equipment, such as explosion-proofness or protection from chemically active substances. In this regard, contactless (proximity) readers and magnetic (including solenoid) locks, which can be manufactured in a fully sealed version (filled with compound), are ideal.
And, of course, the ACS at hazardous facilities must be particularly reliable (fault-tolerant). If at civilian facilities temporary inoperability of the ACS will only lead to some inconvenience or at most some losses, then at hazardous production facilities an ACS failure in itself, without the help of terrorists, can lead to disastrous consequences. Therefore, the equipment must provide broad self-monitoring capabilities, have some redundancy so that in the event of a partial failure of operability, the functioning of the facility is not completely disrupted. In particularly critical places, it is necessary to maintain a hot standby mode for the main elements.
But no matter how reliable the equipment is, its failures are possible. This means that it is necessary to provide options for the system to function in the event of a failure of this or that equipment, emergency settings that the duty operator must immediately put into effect. As a rule, in such a case, a temporary armed guard post is provided for near the site that has failed. If the automation does not work, then people will temporarily check the authority in this area. Options for temporary access control schemes should also be provided in case of emergency situations. For example, during repairs or reconfiguration of equipment, process gates that are usually not intended for personnel passage may be wide open. As a result, all algorithms will be violated and the security service will only be engaged in confirming the admissibility of the violations that occurred, unless a temporary simplified scheme is introduced for the duration of the work.In general, the ACS is the most important element of the security system at especially important facilities. And the most important thing is that for success it is not enough to use wonderful equipment, but, most importantly, careful planning and strict implementation of algorithms, procedures, organizational measures are necessary.