Electrical
Commercial access control system installation field guide
Design and install by the door: the credential, reader, controller, and electric lock, with free egress and fire-alarm release proven on every opening.
Direct answer
Access control decides who gets through which door, when, using a credential, a reader, a controller, and an electric lock. But every controlled door must still let people out freely and release on a fire alarm, so it is a life-safety system, not just a lock. The life-safety code, the AHJ, and the manufacturer control the door.
Key takeaways
- Every controlled access door must allow free egress without a key, credential, code, or tool, usually with a single releasing motion.
- Fail-safe locks release on power loss; fail-secure locks stay locked on power loss, and the choice is a per-door life-safety decision.
- Any maglock or electrically locked egress door must release on the fire alarm or sprinkler activation and stay released until the fire system resets.
- Specify OSDP with Secure Channel enabled over Wiegand, and use 13.56 MHz encrypted smart cards or mobile credentials instead of cloneable 125 kHz prox.
- Commission every door in every state, and confirm egress, fail-state, and fire-release details against NFPA 101, the IBC, NFPA 72, the AHJ, and the manufacturer.
What access control is, and why a controlled door is a life-safety system
Access control decides who gets through which door, when. The credential identifies a person, the reader passes that identity to a controller, the controller checks it against a schedule and a permission list, and if the answer is yes it releases an electric lock for a few seconds. That is the security half of the job.
The other half is the one that hurts people when it is done wrong. Every controlled door also has to let occupants out freely in an emergency and release on a fire alarm. A controlled opening is a small life-safety system that happens to do security, not a lock that happens to be electric. The most common and most dangerous mistake in this trade is locking people in.
Get five things right and the rest is wiring: the door hardware, the fail-safe versus fail-secure choice, the egress and fire-alarm interface, the credentials, and the management software. Miss the egress and you have built a trap with a company logo on it. The cameras that watch these doors are covered in the video surveillance guide, and the cable that feeds the whole system is in the low-voltage and Class 2 cabling guide.
The door is the system, not the panel
A controlled door is the unit of this work. Each controlled opening is a reader, a controller or a connection back to one, an electric lock, a request-to-exit device, a door-position switch, and the mechanical door hardware itself, all behaving as one assembly. Price the job by the door, design by the door, and commission by the door. A bid that counts panels and readers but never lists the locking method, the fail state, and the egress release per opening is a bid that will surprise everyone later.
The reason the door is the right unit is that all of its parts have to agree on what the opening does in three states: normal operation, loss of power, and fire alarm. Normal is easy. The two that get skipped are the ones that matter. On power loss, does this door stay locked or release, and is that the answer life safety needs here? On a fire alarm, does any electric lock holding this egress door drop? If the parts were chosen one at a time off a price sheet, the door rarely answers those two questions the same way twice.
Walk every opening before you order hardware. The frame material, the door swing, the existing exit device, the gap at the strike, and whether the opening sits on a required egress path or a fire-rated wall all change the parts list. Two doors that look identical on a floor plan can need completely different hardware once you stand in front of them.
The parts of a controlled door and what each one does
Five devices plus the door hardware make up a controlled opening, and each has a clear job and a clear failure when it is wrong. Learn the set once and every door reads the same way.
The credential is what the person carries or is. The reader turns that into data and sends it to the controller. The controller makes the grant-or-deny decision. The electric lock holds and releases the door. The request-to-exit device tells the system a legitimate exit is happening so it does not alarm. The door-position switch reports whether the door is open or closed, which is what makes monitoring possible. Strip out the door-position switch and you have a lock, not a monitored system.
| Part | What it does | The failure when it is wrong |
|---|---|---|
| Credential | Identifies the person: card, fob, smart card, phone, PIN, or biometric | Legacy prox is cloned in seconds with cheap hardware |
| Reader | Reads the credential and sends it to the controller over a protocol | Wiegand sends the number in the clear; OSDP can encrypt it |
| Controller / panel | Decides grant or deny against schedules and a permission list | No offline operation locks the door wrong when the network drops |
| Electric lock | Holds the door and releases it: strike, maglock, or electrified hardware | Wrong fail state traps people or leaves the door unsecured |
| REX (request-to-exit) | Signals a legitimate exit so the door is not alarmed | Missing or misaimed REX throws false forced-door alarms on every exit |
| Door-position switch (DPS) | Reports open or closed for forced-door and held-open alarms | No DPS means no real monitoring, only a lock |
Credentials, and the move off insecure prox
A credential is what the reader checks: something you carry, something you know, or something you are. The carried kind covers the 125 kHz proximity card, the fob, the 13.56 MHz smart card, and the phone used as a mobile credential. The known kind is the PIN. The are kind is biometric, a fingerprint or a face. Many secure doors combine two, a card plus a PIN, so a lost card alone does not open anything.
Here is the part that gets skipped. The 125 kHz proximity card that still hangs on millions of lanyards transmits a fixed number with no encryption. A copier sold for the price of a tank of gas reads it from a pocket and writes it to a blank card in seconds, and the cloned card opens the door exactly like the original. Treat legacy 125 kHz prox as a convenience badge, not a security credential. For any new install, a 13.56 MHz smart card with real cryptography, such as MIFARE DESFire EV-series with AES, is the practical floor, and a mobile credential over an authenticated channel raises that floor again.
Mobile and biometric both shift the trust model and both carry their own caveats. A phone credential leans on the device security and the enrollment process. Biometric raises privacy and template-storage questions that some jurisdictions and some employers regulate. Confirm the credential technology, the encryption, and the enrollment workflow against the manufacturer's documentation and the owner's security policy, because the security of the whole system rests on the weakest credential you accept.
What is OSDP, and why it replaced Wiegand
OSDP, the Open Supervised Device Protocol, is the reader-to-controller communication standard maintained by the Security Industry Association. It matters because the alternative it replaces, Wiegand, is a 1970s interface that sends the credential number up the wire in the clear, one direction only, with no supervision of the line. A pair of taps on the wire behind the reader captures every badge that crosses it, or injects a number that was captured earlier. The reader is on the unsecure side of the door by definition, which is exactly why the wire behind it cannot be trusted.
OSDP fixes the parts Wiegand cannot. It runs over a two-wire bus, talks in both directions so the controller can monitor and update the reader, supervises the line so a cut or a tamper is noticed, and supports encryption, commonly AES-128, through what the standard calls Secure Channel. Two-way communication also means one bus can carry several readers and the controller knows if one goes silent.
The trap is shipping OSDP without turning on its security. A reader installed in OSDP mode with Secure Channel left disabled is sending data unencrypted, which is most of the Wiegand problem with extra steps. Specify OSDP with Secure Channel enabled and verified, and confirm the supported version and key-management process against the reader and controller manufacturer. OSDP without encryption is not the upgrade anyone thinks they paid for.
The controller makes the decision, at the edge or in a closet
The controller is where the grant-or-deny decision happens. It holds the credential list and the schedules, takes the number from the reader, checks it, and energizes or de-energizes the lock relay. The reader does not decide anything. Keeping the decision off the reader, on the secure side of the door, is the whole point, because the reader sits where an attacker can reach it.
Two architectures show up in the field. The traditional one is a multi-door panel in a secure closet, with reader, lock, REX, and DPS wiring home-run back to it. The newer one pushes the controller to the edge, a single-door or two-door controller mounted near the opening or above the ceiling, networked back to the head end. Edge controllers shorten the door cable runs and scale a door at a time. Closet panels concentrate the wiring and the backup power in one protected place. Both are valid; the building, the cable paths, and the owner's IT posture decide which fits.
The question that separates a serious controller from a toy is what it does when the network or the head end goes away. A controller that has to phone home for every decision fails the moment the link drops. Specify controllers that cache credentials and schedules locally and keep making correct decisions offline, then log the events and sync when the connection returns. Confirm the offline capacity and behavior against the manufacturer, because how long and how completely a controller runs offline varies widely.
Electric strikes, maglocks, and electrified hardware
Three locking methods cover almost every controlled door, and matching the right one to the opening is half the install. The electric strike replaces the fixed strike plate in the frame and releases the latch when signaled. It suits wood, aluminum, and hollow-metal frames, it is usually fail-secure, and it preserves free egress because the lever or panic bar on the inside still retracts the latch mechanically at any time. The strike controls entry; the door hardware still controls exit.
The magnetic lock, or maglock, is a different animal. It is an electromagnet on the frame and an armature on the door, commonly rated around 1200 lbf of holding force, with no moving parts. It is inherently fail-safe, it holds only while powered, and it has no mechanical way for a person to release it from the egress side. That last fact is the catch: a maglock has no latch to retract, so it requires separate egress release devices and it pulls the opening into a stricter set of code rules. Reach for a maglock when the door and frame cannot take a strike or electrified hardware, not as the default.
Electrified hardware builds the electric function into the lockset or the exit device. An electrified mortise lock, an electrified panic exit device, or electric latch retraction lets a heavy commercial opening be controlled while the panic bar or lever still gives free egress in a single motion. This is often the cleanest answer on a code-required exit because the mechanical egress never depends on the electronics. Match the lock to the door, the frame, the swing, and the fire rating, and confirm the holding force, the handing, and the listing against the manufacturer's specification for that exact opening.
What is the difference between fail-safe and fail-secure?
Fail-safe means the lock releases when it loses power. Fail-secure means the lock stays locked when it loses power. That single difference, applied per door, is the most consequential decision in the whole system, because it sets what the opening does during the exact event, a power failure, when nobody is there to fix it.
Maglocks are fail-safe by nature; they hold only while energized, so cut the power and the door is open. Electric strikes are most often fail-secure; lose power and the door stays latched, which keeps a perimeter or a sensitive room secure through an outage. With a fail-secure strike, free egress still works because the inside lever or panic bar retracts the latch mechanically, independent of power. The fail state controls who can come in during an outage, not whether trapped occupants can get out.
The decision is a per-door balance of security and life safety, and it is the one to slow down on. A fail-secure strike on a stairwell discharge or a maglock with no proper egress release on a required exit are the failures that show up in incident reports. Do not carry one rule across a building. Decide the fail state opening by opening, and confirm every required-egress door against the adopted life-safety code, the AHJ, and the hardware manufacturer's listing before you set it. Getting this wrong is how people end up locked in.
Do access control doors have to allow free exit?
Yes. Free egress is the rule the entire trade bends around: a person on the inside must always be able to leave through a controlled door without a key, a credential, a code, a tool, or any special knowledge, and usually with a single releasing motion of the hand. Pushing the panic bar or turning the lever has to let them out, every time, in the dark, in a panic, with no training. This is not a feature you add. It is the floor under everything else.
The mechanism for free egress is mechanical, not electronic. On a fail-secure strike or electrified hardware, the inside lever or the panic bar retracts the latch directly, so the door opens whether or not the access system is alive. This is why a request-to-exit device is not the egress. The REX serves the electronics, telling the controller not to fire a forced-door alarm when someone leaves. The person's exit must not depend on the REX working. If pulling the door requires the electronics to function, the design has a life-safety defect.
Maglocks are where free egress gets violated, because a maglock has no mechanical release. Hang one on an egress door and you now owe the code a compliant way to drop it for anyone leaving, plus the fire-alarm release covered next. The number-one rule never moves: occupants get out without a credential. Confirm the egress arrangement for every controlled opening against NFPA 101, the IBC, and the AHJ, because the permitted locking arrangements and the single-motion requirements are spelled out there and they are not optional.
Maglocks and locked egress must release on a fire alarm
Any electric lock holding an egress door has to release when the building fire alarm or the sprinkler system activates, and it has to stay released until the fire system is reset. This is the interface that turns a security door back into an exit the instant a building tells everyone to leave. It is a life-safety requirement, not a nicety, and it is the second thing an inspector checks on a maglocked egress door after free egress itself.
The wiring has to make the release direct and dependable. For a sensor-release arrangement, where motion on the egress side normally drops the lock, the code also requires a manual release: a push button mounted within reach of the door, commonly described as 40 to 48 in above the floor and within about 5 ft of the opening, marked for exit, that cuts power to the lock directly and independent of the rest of the electronics, holding the door unlocked for a set interval on the order of 30 seconds. The fire-alarm signal that drops the lock should act on the lock power, not pass through software that can hang.
Coordinate this interface with the fire alarm system early, because the tie-in, the monitoring, and the supervision belong to that system. The fire alarm system installation and testing guide covers the panel side. On the access side, confirm the release method, the manual release, the unlock interval, and the reset behavior against NFPA 101, NFPA 72, the AHJ, and both manufacturers. A maglock that does not drop on the alarm is the failure that makes the news.
Delayed egress and controlled egress are special and code-limited
Sometimes the owner genuinely needs a door that resists immediate exit: an infant-protection wing, a memory-care unit, a retail door fighting theft. The code answer is delayed egress, and it is a narrow, tightly bounded permission, not a general license to slow people down. Treat it as the exception it is and confirm it is even allowed before you design around it.
Delayed egress works on an irreversible timer. When a person pushes on the egress hardware, applying force for a short window, the device starts a process that cannot be stopped and the door releases after a set delay, commonly 15 seconds, extendable to 30 seconds only where the AHJ approves it. The IBC and NFPA 101 differ on details, including how long the force must be applied, roughly one second under the IBC versus three under NFPA 101, so the adopted code controls. An audible alarm sounds at the door when the timer starts, signage is required, the lock must release on power loss and on fire alarm, and the device rearms manually, not on its own.
There are also hard limits on where delayed egress is permitted. The IBC, for instance, bars it from assembly, educational, and high-hazard occupancies, and the occupancy rules differ between the codes. Do not design a delayed-egress or controlled-egress opening from a product datasheet. Confirm the occupancy is eligible, the delay, the force, the signage, the releases, and the rearm against the adopted edition of the life-safety code and the AHJ in writing. This is the most over-applied and most cited locking arrangement in the field.
REX and door position: how the door gets monitored
A request-to-exit device and a door-position switch are what separate a monitored door from a door that merely locks. The REX detects a legitimate exit, either a button by the door, a motion sensor over it, or the signal from a panic bar's built-in switch, and tells the controller to expect the door to open so it does not treat the exit as a break-in. On a fail-secure strike, the REX often does nothing to the lock at all, because the lever already releases the latch mechanically; its only job is to shunt the alarm.
The door-position switch reports open or closed, usually a recessed magnetic contact in the frame, and that one signal enables the two alarms that make access control useful after hours. A forced-door alarm fires when the DPS shows open with no grant and no REX, which is the signature of someone who pried or pulled the door without a credential. A held-open alarm fires when the door stays open past a set time, which is the signature of the propped-open back door that quietly defeats the entire system.
Aim and time these or they cry wolf. A REX motion sensor that sees people walk past a nearby corridor unlocks or unshunts when nobody is leaving. A held-open timer set too tight alarms on the normal delivery. Tune the REX coverage and the held-open interval to the real traffic at each door, because an access system that floods the operator with nuisance alarms gets ignored, and an ignored alarm is the same as no alarm.
The management software: cloud or on-prem
The software is where the system is administered: who has which credential, which doors each person may use, on what schedule, and the audit log of every grant, deny, and alarm. This is the layer the owner actually lives in day to day, long after the installers leave, and the audit log is often the reason the system was bought, because it answers who opened which door and when.
Cloud and on-prem are the two deployments, and the choice is about control versus convenience. Cloud management means no server to maintain, updates handled by the vendor, and administration from anywhere, at the cost of trusting the vendor's tenant security and keeping the credential database off site. On-prem keeps the database and the server inside the owner's walls, which some security and compliance postures require, at the cost of patching, backups, and uptime falling on the owner's IT. Hybrid setups put controllers and the credential cache on site with management in the cloud.
Whichever it is, set up the schedules, the credential lifecycle, and the audit log retention deliberately at commissioning. The schedule is what unlocks public doors during business hours and locks them after. The credential lifecycle is how a terminated employee loses access the same day, which is the control that fails most often in practice. The retention period for the audit log is frequently driven by the owner's industry, so confirm it against their compliance requirements rather than accepting the default.
The system lives on the network
Modern access control is an IP system. Edge controllers, head-end servers, and many readers ride the building network, and a growing share of the hardware draws Power over Ethernet, so a single Cat6 run can carry both the data and the power for an edge controller and even the lock through it. That makes the network a shared dependency between the security trade and IT, and the jobs that go smoothly are the ones where that conversation happens before the cable is pulled.
Coordinate the addressing, the VLAN, the PoE budget, and the switch ports with IT the way you would coordinate any other major system on their network. Access control is a security device that an attacker would love to reach, so it usually belongs on its own segment, isolated from the general user network, with firewall rules that allow only the traffic it needs. The PoE budget is real arithmetic: a switch feeding controllers and locks has a power ceiling, and a maglock drawing through PoE counts against it.
The physical cabling rules, the pathway, the separation from power, the jacket rating for the space, and the bend radius, are the same rules every limited-energy system follows, and they live in the low-voltage and Class 2 cabling guide. Pull access control wiring to that standard. A door that works on the bench and fails intermittently in the building is usually a cabling problem, not a software one.
The door cable and the wiring back to the closet
Each controlled door needs several conductors, and the trade usually pulls them as one composite cable rather than a fistful of separate jackets. A typical door bundle carries the reader conductors, often shielded, the lock power pair sized for the lock current, the REX pair, and the door-position-switch pair, all in a single sheath run from the opening back to the controller. Buying it as a composite access-control cable keeps the install clean and makes sure every conductor a door needs actually shows up at the frame.
Size and route the bundle for the worst case at that door. Lock power is the conductor that bites people: a maglock or an electric strike at the end of a long run drops voltage in the supply pair, and an underfed lock chatters, holds weak, or fails to release crisply. Run the lock conductors heavy enough for the current over the distance, the same voltage-drop thinking the electrical guides cover, and keep the reader and contact conductors on their own pairs so lock switching does not couple noise into the data.
Home-run each door to the controller or panel and leave service loops at both ends. Label every conductor at the closet by door and function, because the person troubleshooting a forced-door alarm at 2 a.m. should not have to ring out a cable to find which pair is the contact. The cable rating for the space, plenum or riser, and the firestopping at rated walls follow the low-voltage and Class 2 cabling guide.
Power supplies, battery backup, and the fail-safe catch
Access control runs on a dedicated low-voltage power supply, commonly 12 or 24 VDC, sized for the controllers, the readers, and the locks it feeds. The locks are the heavy draw, and they are often put on their own supply or their own outputs so a stuck lock load does not starve the electronics. Size the supply for the total continuous lock current plus the controllers, with headroom, not for the nameplate sum on a good day.
Battery backup keeps the system alive through a utility outage, and it is where the fail-state logic gets subtle. A fail-secure strike on battery keeps deciding and keeps the door secure through the outage, which is usually what you want on a perimeter. A fail-safe maglock on battery stays locked as long as the battery lasts, which is fine for security but means the backup is now holding an egress door shut on stored power. That is acceptable only because the fire-alarm release and the egress release still drop the lock regardless of the battery.
Here is the line not to cross: the battery must never become a reason a fire-alarm release fails to work. The release path that drops a maglock on alarm has to act on the lock power directly, so that whether the system is on utility or on battery, the alarm still opens the door. Confirm the backup runtime, the lock power budget, and the release wiring against the power-supply and lock manufacturers, and verify on battery during commissioning, not just on shore power.
Integration with video, intrusion, and visitor management
Access control gets more useful when it talks to the other systems on the site. The common pairing is video. Tying a badge event to the camera covering that door means an operator reviewing a forced-door alarm or a denied badge can pull the exact clip instead of scrubbing hours of footage, and a denied credential at 3 a.m. comes with a face. The camera side, the pixels-per-foot you need at the door to actually identify that face, is covered in the video surveillance guide; design the camera to the door it watches.
The intrusion alarm is the second integration. A valid badge during armed hours can disarm the area for that person, and the last person out can arm it, which removes the keypad dance that leads to false alarms and bypassed systems. Visitor management is the third: a front-desk or self-service workflow that issues a temporary, expiring credential and ties it to a host and a log, so visitors are not riding on a shared lobby badge that never gets revoked.
Unified platforms that run access, video, and intrusion in one interface are common now, and they reduce the seams where things fall through. The caution is that integration widens the attack surface and ties your systems to one vendor's security. Confirm the integration method and its security with the manufacturers, and hold the same network and credential hygiene across all of it that you would on access control alone.
The cyber side: where access control gets breached
A physical access control system is a network of computers that happen to open doors, which makes it a target. The breach vectors are predictable. The reader-to-controller link is one, which is the entire argument for OSDP with Secure Channel over Wiegand. The credential is another, which is why legacy 125 kHz prox is a liability. The third, and the one that catches the most sites, is the controller or server still sitting on its factory default password months after the install.
Lock down the obvious things and you close most of the door. Change every default password on every controller, panel, and management account before the system goes live, and use distinct credentials, not the same one across the site. Put the access control hardware on its own network segment, away from the general user network and off the open internet, with only the traffic it needs allowed through. Enable encrypted communication end to end: OSDP Secure Channel to the readers, encrypted credentials, and TLS to the management server or cloud tenant.
Keep it patched and keep it accounted for. Controllers and readers get firmware updates that fix real vulnerabilities, and a system nobody has updated in three years is running known holes. For cloud-managed systems, turn on multi-factor authentication for administrators and review who has admin rights, because an attacker who owns the management account owns every door. Confirm the hardening steps against the manufacturer's security guidance and the owner's IT policy. The cheapest breach is the one you prevent with a password change.
Commission every door, in every state
Commissioning is where access control is actually proven, and it is done one door at a time, because every opening is its own little system and the failures hide in the openings nobody fully tested. A system that grants and denies correctly on the bench can still trap people at a door where the fire release was never wired or the fail state was set wrong. The functional test at the door is the only thing that finds that before an incident does.
Test each controlled opening through its full behavior, not just a badge swipe. Present a valid credential and confirm it unlocks; present a denied one and confirm it does not. Walk out and confirm free egress works with the electronics dead, by killing power if the design claims fail-secure egress through the lever. Trigger the fire alarm and confirm every maglock and electrically locked egress door releases and stays released until reset. Force the door and confirm the forced-door alarm. Prop it and confirm the held-open alarm. Run the schedule across an unlock and a relock boundary. Verify the REX shunts the alarm without becoming the egress.
Write it down per door as you go. A commissioning record that lists each opening, its lock type and fail state, and a checkmark against egress, fire release, and each alarm is the document that proves the building is safe to occupy and the thing the AHJ wants to see. Skip the commissioning of the egress and the fire release and you own whatever happens at that door.
- Valid credential unlocks; denied credential does not, and the deny is logged.
- Free egress works with the electronics dead, by one motion of the inside hardware.
- Every maglock and locked egress door releases on the fire alarm and stays released until reset.
- Forced-door alarm fires when the door is opened with no grant and no REX.
- Held-open alarm fires when the door stays open past the set interval.
- REX shunts the alarm on exit without becoming the means of egress.
- Schedules unlock and relock at the right times across a day boundary.
- Battery backup tested live: locks and releases behave correctly on battery, not just shore power.
Code, life safety, and ADA
Access control sits on top of the egress and life-safety codes, and those codes win over any security goal. NFPA 101, the Life Safety Code, and the IBC govern means of egress, door operation, and the permitted electrified locking arrangements, including free egress, sensor release, delayed egress, and access-controlled egress doors. NFPA 72 governs the fire alarm interface that releases the locks. These are the documents that decide whether a controlled door is legal, and they are adopted and amended jurisdiction by jurisdiction, so the edition the AHJ enforces controls.
ADA and the accessibility standards govern the hardware a person has to operate. Door hardware on an accessible route must be operable with one hand, without tight grasping, pinching, or twisting of the wrist, which steers the lever and panic-bar selection, and there are limits on opening force and rules on mounting heights and maneuvering clearance. A reader mounted too high or a door that takes too much force to open fails accessibility even if it passes security.
Treat the AHJ as a design partner, not a final exam. The egress arrangement, the fail-safe choices, the fire-alarm release, and any delayed or controlled egress on a job should be confirmed with the AHJ before the hardware is ordered, in writing where it matters. Free egress and fire-alarm release are non-negotiable, the fail-safe versus fail-secure choice has to be right per door, and every controlled opening on an egress path is the AHJ's business. When the security requirement and the life-safety code disagree, the code is not the thing that bends.
Maintenance: the door hardware wears
Access control is mechanical at the point that matters, and mechanical things wear. Electric strikes develop slop and stop releasing cleanly, maglock faces collect grime that cuts holding force, exit-device latches drift out of alignment, and readers fail or get painted over. None of that announces itself until a door stops working or an alarm goes quiet, so the system needs a real inspection cycle, not just a help-desk ticket when something breaks.
Walk the doors on a schedule and exercise the parts that have to work in an emergency. Test free egress and the fire-alarm release periodically, not just once at the original commissioning, because those are the functions that fail silently and the ones that hurt people when they do. Check and log the battery condition on the power supplies, since a dead backup battery is invisible until the outage that needed it. Confirm forced-door and held-open alarms still report, and verify the credential database against the actual occupants, pulling badges that should have been revoked.
What to document
The record that matters most on an access control job is the door schedule, because every opening is different and the differences are exactly what a future technician, inspector, or owner needs to know. For each controlled door, capture the locking method, the fail state, how free egress is achieved, whether and how it releases on the fire alarm, the credential technology, and the result of the commissioning test. That table is what proves the building is safe and what makes the next service call fast instead of a re-survey.
Keep it where the people maintaining the door can actually reach it. A door schedule buried in a closeout binder in a basement is a schedule nobody reads. Recording the per-door details, the commissioning results, and the as-built in a field tool like FieldOS, tied to the opening, means the fail state and the fire-release method travel with the door instead of living in a binder. When a door changes, the record changes with it.
| Door | Requirement | Note |
|---|---|---|
| Locking method | Strike, maglock, or electrified hardware | Match to frame, swing, and fire rating |
| Fail state | Fail-safe or fail-secure, confirmed per door | Right state is a life-safety decision |
| Free egress | Single-motion release without a credential | Mechanical, independent of the electronics |
| Fire-alarm release | Releases and stays released until reset | Required on maglocks and locked egress |
| Credential technology | Encrypted smart card or mobile, not legacy prox | Note OSDP Secure Channel enabled |
| Commissioning result | Egress, fire release, and alarms verified | Dated, by opening, with who tested |
Common mistakes
- Setting the fail-safe versus fail-secure choice wrong on a door, so it traps people or fails unsecured on power loss.
- Blocking free egress: a controlled door that needs a credential, a code, or working electronics to let someone out.
- A maglock or locked egress door that does not release on the fire alarm.
- Leaving insecure 125 kHz prox or unencrypted Wiegand in place and calling it secure.
- Shipping the controllers, panels, and management accounts on factory default passwords.
- Applying delayed or controlled egress where the occupancy does not permit it, or without the alarm, signage, and releases.
- Never functionally testing the egress and the fire release, door by door, at commissioning.
Field checklist
Want this checklist to run itself on every job — with photo proof and a signed record crews can hand the customer? That's FieldOS.
Standards and references
The life-safety codes lead. NFPA 101, the Life Safety Code, and the International Building Code govern the means of egress, door operation, and the permitted electrified locking arrangements, including free egress, sensor-released and access-controlled egress doors, and delayed egress. These are where the single-motion release, the unlock intervals, the delay timing, and the occupancy limits actually live. NFPA 72, the National Fire Alarm and Signaling Code, governs the fire alarm interface that releases locked egress doors. The fire alarm system installation and testing guide covers that panel side.
On the security and accessibility side, OSDP is the SIA standard for reader-to-controller communication and is the reference for specifying encrypted reader links. The ADA Standards for Accessible Design and the referenced ICC A117.1 govern operable hardware, opening force, and mounting, and they apply to readers and door hardware on accessible routes. UL listings and the manufacturers' installation instructions govern the specific hardware, the holding force, the fail behavior, and the listing for a given opening.
Three rules carry the whole job, and none of them bend for a security goal: free egress and fire-alarm release are non-negotiable, the fail-safe versus fail-secure choice has to be right per door, and the credentials and readers should be encrypted with OSDP while every door gets commissioned. Codes are adopted and amended by jurisdiction and they change between cycles, so confirm the egress, the fail-state, and the fire-release details against the adopted edition, the AHJ, and the manufacturer before you build.
Terms and definitions
Access control carries its own vocabulary, and the same door gets described differently across a drawing set, a hardware schedule, and a software screen. These are the terms that have to mean the same thing to everyone on the job.
Two pairs cause the most confusion and the most danger. Fail-safe and fail-secure describe what the lock does on power loss, not how good it is. Electric strike and maglock are different locks with different egress and code consequences, not interchangeable parts. Get those two pairs straight and most of the rest follows.
- Access control
- A system that decides who may pass through which door, when, using a credential, a reader, a controller, and an electric lock, while still allowing free egress
- Credential / reader
- The credential is what a person presents (card, fob, smart card, phone, PIN, or biometric); the reader reads it and sends it to the controller
- Controller
- The device on the secure side that makes the grant-or-deny decision against schedules and a permission list and drives the lock
- Electric strike vs maglock
- A strike releases a latch and is usually fail-secure with mechanical free egress; a maglock holds by magnet, is fail-safe, and needs separate egress release
- Fail-safe vs fail-secure
- Fail-safe unlocks on power loss; fail-secure stays locked on power loss. The choice is a per-door life-safety and security decision
- REX (request-to-exit)
- A button or sensor that tells the controller a legitimate exit is happening so it does not alarm; it is not the means of egress
- Free egress
- The requirement that occupants always exit a controlled door without a key, credential, code, or tool, usually with one releasing motion
- OSDP
- Open Supervised Device Protocol, the SIA standard for encrypted, supervised, two-way reader-to-controller communication, replacing legacy Wiegand
FAQ
What is an access control system?
An access control system decides who gets through which door, when, using a credential, a reader, a controller, and an electric lock. Each controlled door must still allow free egress and release on a fire alarm, so it is a life-safety system as much as a security one. The life-safety code and the AHJ control it.
What is the difference between fail-safe and fail-secure?
Fail-safe means the lock releases when it loses power; fail-secure means it stays locked when it loses power. Maglocks are fail-safe, electric strikes are usually fail-secure. The choice is a per-door balance of security and life safety, so confirm every required-egress door against the adopted code, the AHJ, and the manufacturer.
Do access control doors have to allow free exit?
Yes. Free egress is the rule the trade bends around: a person inside must always exit a controlled door without a key, credential, code, or tool, usually with one releasing motion. The exit is mechanical and must not depend on the electronics. Confirm the arrangement against NFPA 101, the IBC, and the AHJ.
What is OSDP and why does it replace Wiegand?
OSDP, the Open Supervised Device Protocol from SIA, is the reader-to-controller standard that supports encrypted, supervised, two-way communication. Wiegand, the 1970s alternative, sends the credential number in the clear with no supervision, so it can be tapped or spoofed. Specify OSDP with Secure Channel actually enabled, since OSDP without encryption gives back most of the Wiegand risk.
Does a maglock have to release on a fire alarm?
Yes. Any maglock or electrically locked egress door must release when the fire alarm or sprinkler system activates and stay released until the fire system is reset. The release should act on the lock power directly so it works on utility or battery. Confirm the method against NFPA 101, NFPA 72, the AHJ, and both manufacturers.
Is a 125 kHz proximity card secure?
No. A 125 kHz prox card transmits a fixed number with no encryption, and a copier sold cheaply clones it in seconds, so the copy opens the door like the original. Treat legacy prox as a convenience badge, not security. For new installs use a 13.56 MHz encrypted smart card or a mobile credential as the floor.
What is a REX in access control?
A REX, or request-to-exit device, is a button, motion sensor, or panic-bar switch that tells the controller a legitimate exit is happening so it does not fire a forced-door alarm. On a fail-secure strike the REX often only shunts the alarm, because the lever already releases the latch. The REX is never the means of egress.
What do I do when delayed egress is requested on a door?
First confirm the occupancy even permits it, since the IBC bars delayed egress from assembly, educational, and high-hazard occupancies. If allowed, it needs an irreversible 15-second delay (30 only with AHJ approval), an audible alarm, signage, release on power loss and fire alarm, and manual rearm. Confirm every detail against the adopted code and the AHJ.
Should access control be cloud or on-premises?
Cloud management removes the server and updates and allows administration from anywhere, but keeps the credential database off site with the vendor. On-prem keeps the database inside the owner's walls at the cost of patching and uptime. Some compliance postures require on-prem. Either way, change default passwords, segment the network, and set the audit-log retention to the owner's requirement.
People also ask
Codes cited in this guide
This guide is written and reviewed against the published standards below. Always confirm the current adopted edition with the authority having jurisdiction.