MN RFID System

From makernexuswiki
Jump to navigation Jump to search

The System

The RFID system was build in-house by Maker Nexus volunteers. We are proud of what we have created. If you'd like to know more about the system—or even join the development team—let us know. The project is open source, get it on GitHub.

Our system uses cards and other RFID tags that are MIFARE Classic 1K Card, 13.56MHz, 1K Bytes Memory, ISO14443A, Read/Write protect by password. Such as these.

What is the RFID system for?

You will find RFID badge stations in several locations around the shop. The RFID badge system serves several purposes:

  1. Who is in the shop?
  2. Do they have sign-off to use certain equipment?
  3. What equipment is being used over time?
  4. Help build community

Front Desk

It is important to know who is in the shop at any time. If there were an emergency situation, the RFID check-in system will help us account for everyone. When you enter the facility, tap your badge to the station at the front desk. It will read your card, check your membership status, then beep twice and display "welcome". Any other outcome should be discussed with the Manager on Duty. When you leave the facility, tap your badge again and the system will beep three times and display "goodbye".

Shop Area Sign-offs

Other badge stations are associated with sub areas of the shop. You may find a badge station at the 3D printers, textile area, laser cutters, etc. If you use equipment in one of these areas, please tap your badge on the reader. There is no need to badge-out of these areas.

If there is a sign-off required to use the equipment (such as for the laser cutters) the system will check that you have the required sign-off. For areas that don't have a sign-off (such as the electronics bench) the system will just log member usage.

Shop Area Usage

This logging is important for us. Not all equipment usage is in the reservation system. By tapping in to an area you let us know that the area is being used. This helps us prioritize investment.

Community Building

When you have checked-in to the facility your photo and name are shown on the monitor at the front desk. This lets other members know who is in the facility and helps them remember your name. We have found that this makes for a much friendlier and congenial atmosphere. It makes it easier for members to approach each other and get to know them.

About the Data

Sensitive member data is kept in our commercial cloud service, EZ Facility. This company maintains standards of data governance that protect sensitive data. Only Maker Nexus personnel have access to EZ Facility and they are required to have unique log on credentials using strong passwords.

Less sensitive data on machine usage is stored in a Maker Nexus controlled database. It is used for activity reporting and analysis. While this database has lower security barriers on it, the only sensitive information it stores is names. Access to this database is only provided to the Maker Nexus IT staff.

Door Unlock

How it works

Our system is used to unlock the front door. It requires two things:

  1. power from the 7/24 timer
  2. a valid MN Member RFID card

The power comes from a 7 day / 24 hour timer that is set to correspond to our business hours. Without this AC power the door will not unlock.

When an RFID card is presented, the system will decrypt the card and read a string burned in the card. This string is validated against data in our CRM system. If the card is validated, the unlock sequence begins.

To unlock, the RFID door read station publishes an encrypted unlock command on a secure wireless connection that can be subscribed to by any number of "RFID lock" devices. One such RFID lock device is located with the rest of our IT equipment. When the RFID lock device receives the unlock command, it activates the building infrastructure that controls the dual-solenoid door mechanism. We can add another RFID door read station or lock device anywhere where there is power for it.

RFID lock devices have a relay in them that can handle up to 30 VDC and up to 2 amps of current -- plenty for bright lights, loud sirens, or whatever.

The RFID door read station itself could be placed on the outside of the building, albeit it would need to be weather proofed and physically secured and, of course, need a source of power.

The activator that is in the door system today is by Command Access. It is not externally powered and must charge up a large capacitor for some seconds (current limited, to meet low voltage building wiring standards) before it can activate the dual door solenoid system.

How to speed it up

The Command Access Activator can be replaced by an Adams-Rite "Power Supply". The latter costs a few hundred dollars and needs a licensed electrician to install it. The Adams-Rite Power Supply is powered off of AC and does not need any extra time to charge up a large capacitor to activate the pull-in coil of the dual coil solenoid in these doors.

Replacing Command Access with Adams Rite would save this extra 1-2 seconds and is likely what is in industrial door systems in most of these Silicon Valley tilt-up buildings (and one more reason why their response time is fast).

A little technical background

How the software works

With the small green light lit, a card is presented to the device. Once the card is sensed we verify the encryption keys (takes no time) and read the data from the card. The display prompts to remove the card.

We wait for the card to be removed; holding your card there longer than necessary does nothing. A full tap is the best way to go. The small light goes out and the big green light blinks once.

Now the time is spent talking to the CRM system. Once the RFID box decides to let you in it sends a message to the lock control device and the big green light comes on for 2 seconds, but the RFID box is done and the little green light comes on again.

While the big green light is on, the message is bouncing through the cloud to the lock control. When it gets the message it powers the lock solenoid device in the door. When that device does its thing you'll hear the lock solenoid activate.

In our experience, most of the delay is between the big green light flash and the big green light coming on - that is all cloud. If you are a careful observer of the overly long response time events we might learn something.


How the hardware works

So the capacitor in the Command Access Activator can't hold a charge?

It's not a matter of the capacitor holding a charge. Standard building signaling wiring is basically telephone cable -- 22 awg jacketed twisted pair. Building codes and standards limit the amount of current that such cable can handle, based upon distance. Due to this, the Command Access device limits the current supplied to it to about 1.5 amps (24 VDC). They say that this is good for 700 feet of wire. That's what it is designed for.

The pull-in coil of the dual coil relay draws about 12 - 14 amps (24 VDC), but only for a brief instant (the coil would overheat and burn out pretty quickly if such a large current were sustained; there is no heat sinking or anything around it). The capacitor supplies this current for a brief time, but the capacitor must be charged up first. And the charging can only take place at 1 or 2 amps (owing to the building codes), so Command Access limits the charging current (presumably with a resistor).

Unlike the Adams-Rite power supply, there is no power available at the device to charge this capacitor until 24 VDC is applied to open the door. So it takes time to charge the capacitor. When the capacitor is charged up, the microcontroller inside the Command Access device discharges it directly though the solenoid pull-in coil through a power FET.

Sometimes it takes 10 seconds or more

Occasional very long responses are due to several factors.

One factor is timeouts on the RFID station not getting a response and retrying. These timeouts are inside of TCP/IP (and/or CoAp) and are different from the 15 second give-up in our firmware. The source of timeout/retrys can be anywhere from EZ Facility through the Internet to the Particle cloud and from there over the Internet and WiFi to the RFID station.

We tracked some of the variability down to weak WiFi at the front door area and installed an external high gain antenna on this station which seems to have rectified that specific problem. But there are still occasional timeout/retires beyond the MN WiFi.

Another source of long response times are EZ Facility (our current cloud based CRM system) timing out OAUTH access tokens and requiring us to obtain a new token (which, for reasons known only to EZ Facility, takes a long time). The tokens expire after 1 hour and we proactively request a new token before the old one expires. However, it can still happen that someone tries to enter just when we are proactively getting a new token and so we have to wait for the new token to arrive. For some reason, this can take 5 - 10 seconds, or more. We have long ago requested EZ Facility to issue OAUTH bearer tokens with a longer life - specifically 24 hours, so we can obtain a fresh token daily afterhours. They have not, however, agreed to do this. There is no reason to have the bearer token expire after just an hour. We are moving to a new system that will have faster authorization.

There will always be some unpredictable delays in any cloud-based system. On the other hand, Maker Nexus does not have a 24x7 full time IT staff that can maintain an in-house CRM system, so externally hosted systems will be with us for a some time to come.

How will Odoo affect the door unlock?

Odoo is also cloud based. Preliminary testing shows that it is mostly very fast, but sometimes there are noticeable delays. The delays may just be due to the development environment and may not be there in the production system, but we don't know for certain right now.

From an RFID perspective, the new system allows us to code business logic inside of it. This ability is VERY significant, as we might ultimately replace the many REST API calls that an RFID Station has to make with just a single call and let the CRM system's internal logic take care of everything needed to make and log access control decisions. Since cloud based APIs will always incur some performance variability, reducing many to one should be a huge help.

The overall transition will take place in a number of phases, owing to the high degree of complexity and the need to maintain operations seamlessly throughout this process. The RFID system will also need to transition in phases, and the first phase won't change much from a performance perspective, other than any response time improvements inherent to the new system. However, subsequent phases will move toward consolidation of cloud API calls toward the ultimate goals of one per card tap. But it is going to take time to get there.