DESTINATION: CONTROLLED ACCESS

 by Ray Bernard

Access Control & Security Systems, Mar 1, 2003


Controlling traffic in, out and within a facility is essential to any security program. Control includes accurately identifying employees and visitors, directing or limiting their movements, and controlling inbound and outbound vehicles. Today's computerized access control and alarm monitoring systems make it possible to implement traffic control and monitoring on a large scale.

In January 1989, the continued expansion of civil aviation prompted the Federal Aviation Administration (FAA) to require airports to use computerized security systems to control access of personnel in airport secure areas. In 1991, the FAA defined the Security Identification Display Area (SIDA), and established requirements for airport security identification badges.

The FAA regulations were revised a few times over the next decade and updated significantly in 2001. Effective Feb. 17, 2002, the FAA's airport security rules were transferred to the Transportation Security Administration (TSA), as Chapter XII of title 49 of the Code of Federal Regulations. Chapter XII includes parts 1500 through 1699. Part 1542 is titled “Airport Security.” Section 1542.207 covers access control systems, and section 1542.211 covers identification systems.

Today nearly all airports also use the access control system card as an ID badge. Thus most airport access control systems are an access control system and a personnel badging system rolled into one.

Most of the early airport access control systems were customized. The capabilities of today's access control systems have grown far beyond those of the early systems. Nowadays there are many commercial off-the-shelf systems that exceed the requirements of most airports for both federal regulatory compliance and airport operational needs.

There are only a few specific TSA requirements for access control systems and ID systems, and they are functional or managerial in nature rather than technical. Understanding how some of the regulations apply requires a basic grasp of the general functionality of today's access control systems.

For the sake of simplicity, our focus is on access control systems using cards; however, hand geometry readers, fingerprint readers or other biometric devices can also be used. No matter what type of identification device is used, the basic functionality of access control systems remains the same. Most airports use access control cards as the basic access control device, because the card can double as an identification card. Some airports are also using biometric devices in addition to the cards to provide higher levels of security for critical areas.

Access Control

The primary purpose of an access control system is to regulate who can go where, and when they can go there. The who is determined by the people enrolled into the access control system (usually by typing in their name and other relevant information) and who are provided with a security access control card. These are the authorized users of the system. The where is determined by the doors and gates (sometimes both are referred to as “portals”) at which the access control card readers are installed. There are two aspects to the when of access control:

  • The activation date and expiration date for each individual's authorized access, and

  • Day-of-week and time-of-day restrictions that can be applied to an individual's authorized access.

Where and when a user is allowed to go is called the user's access privilege. The definition of access privileges will vary slightly from system to system, but they all involve a way to associate a portal with an authorized access time. Although many systems offer the ability to define custom access privileges on a per-user basis, that approach is too cumbersome and time-consuming for managing the privileges for the majority of users in a large system.

Managing Access Privileges

Most systems provide access levels (an access level is a named list of portals and access days and times) for groups of people who have the same access requirements, to facilitate plain-English management of access details. For example, an access level named Engineering could define the access privileges for the airport's Engineering personnel. Using self-explanatory access level names makes it easy to assign access privileges to users without having to review the details every time a new user is enrolled. Furthermore, access levels provide a way to easily apply security policies. System expansion is facilitated by the use of access levels, since it is easier to add a new door to a group of access levels than to add the door separately to each individual's record.

Often a set of access times (days of the week, and hours of the day) can be defined as a named Schedule (sometimes called a Time Zone), so that it is not necessary to repeatedly type in the time details for each door or access level. The ability to name schedules, such as weekdays, seven days a week, or midnight shift makes it easier to create and manage access levels.

Often access level groups are provided to further assist in the management of access. Access levels can be named for the physical locations or areas to which they provide access (such as Concourse B, Concourse C, and so on), and access level groups can be named for the categories of users, such as maintenance or Continental Airlines baggage claim.

Some systems allow the creation of temporary access levels, which have a starting date and an expiration date. Sometimes people need temporary access to areas or need to take an alternate route in the facility (for example, due to construction). This allows the temporary access privileges to expire, while the permanent access privileges remain intact.

Time Factor No Longer a Requirement

In 2001, the FAA dropped the requirement that access control systems include the capability to restrict access by time and date. In general most airports found that restricting access by time of day was not practical because the majority of cardholders are not airport employees, but employees of air carriers or other airport tenants. Maintaining schedule information for non-employees was considered too troublesome for all parties concerned.

However, it is conceivable that a threat condition could develop in which an airport would be best served by a system that could restrict the number of personnel allowed access to the secured area at any particular time. As a general rule, most new systems include detailed time-and-date restriction capabilities, as well as the ability to limit access to areas by personnel count. The fact that the FAA does not require that airport systems have such capabilities does not discount their value.

Using Reports to Verify Access Privileges

The more users in the system, the more important reporting capabilities become. Not only should the system generate a report indicating details of a single user's access privileges, but it should also generate reports that indicate “who can go where” within the facility. Flexible reporting capabilities can help to determine quickly who can go through a particular door at night.
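The access levels, schedules and temporary access levels described under Managing Access Privileges, together with the "who can go where" report, can be modeled in a few lines. This is an added sketch, not code from the article or from any access control product; the cardholder names, portal names, dates and shift hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

@dataclass(frozen=True)
class Schedule:                 # named access times ("Schedule" / "Time Zone")
    name: str
    days: frozenset             # weekday numbers, Monday=0 ... Sunday=6
    start: time
    end: time                   # end < start: window crosses midnight

    def covers(self, when: datetime) -> bool:
        t, day = when.time(), when.weekday()
        if self.start <= self.end:
            return day in self.days and self.start <= t < self.end
        if t >= self.start:     # evening part of an overnight shift
            return day in self.days
        return t < self.end and (day - 1) % 7 in self.days  # shift began yesterday

@dataclass
class AccessLevel:              # named list of portals, each with a schedule
    name: str
    portals: dict               # portal name -> Schedule
    valid_from: date = date.min # temporary levels set both dates
    valid_to: date = date.max

@dataclass
class Cardholder:
    name: str
    levels: list
    active: bool = True         # False once access authority is withdrawn

def is_allowed(holder, portal, when):
    return holder.active and any(
        portal in lvl.portals
        and lvl.valid_from <= when.date() <= lvl.valid_to
        and lvl.portals[portal].covers(when) for lvl in holder.levels)

def who_can_go(holders, portal, when):  # the "who can go where" report
    return sorted(h.name for h in holders if is_allowed(h, portal, when))

# Constructed sample data: names, portals and dates are illustrative only.
WEEKDAYS = Schedule("weekdays", frozenset(range(5)), time(6), time(18))
MIDNIGHT = Schedule("midnight shift", frozenset(range(7)), time(22), time(6))
ENGINEERING = AccessLevel("Engineering", {"Door B1": WEEKDAYS})
NIGHT_MAINT = AccessLevel("Night maintenance", {"Door B1": MIDNIGHT})
DETOUR = AccessLevel("Detour", {"Gate C4": WEEKDAYS}, date(2003, 3, 1), date(2003, 3, 31))
HOLDERS = [Cardholder("Alvarez", [ENGINEERING, DETOUR]),
           Cardholder("Baker", [NIGHT_MAINT]),
           Cardholder("Chen", [NIGHT_MAINT], active=False)]
```

Calling `who_can_go(HOLDERS, "Door B1", datetime(2003, 3, 4, 23, 30))` answers the "who can go through this door at night" question for a Tuesday night; the deactivated cardholder is excluded even though the access level would otherwise admit them.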

Who Went Where

Access control systems record all access attempts, and whether the system granted or denied access. Thus it is possible to generate a report listing who has gone through a particular door, and also to generate a list of what access was granted or denied to any individual or group. Such reports are valuable for security investigations.

Prevention, Detection and Response

Access control systems also provide monitoring capabilities to detect and report when doors have been forced open, or have been held open after an authorized access. One security system feature inspired by airport requirements is the ability to set up security privileges allowing specific users to authorize a door to be held open. This is a necessity for passenger gate doors that lead to the tarmac, but only when the gate is actively in use for a departing or arriving flight. This is accomplished differently from system to system; for example, some systems use a keypad in addition to a card reader.

The alarm management features of access control systems include on-screen display of alarms, playing pre-recorded alarm messages, and even sending out pager messages and e-mail notifications. They also usually include an area to type comments, which are stored in a database and are included later in reports as part of the record of the alarm.
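The forced-open and held-open monitoring described in this section reduces to a small state machine over door events. The following is an added sketch, not taken from the article or any vendor's system; the event names (`grant`, `deny`, `hold_ok`, `open`, `close`), the two time limits and the sample log are assumptions constructed for illustration.

```python
GRANT_WINDOW = 10   # assumed: seconds a door may open after a granted read
HELD_LIMIT = 30     # assumed: seconds a door may stay open after authorized access

def door_alarms(events, now=None, grant_window=GRANT_WINDOW, held_limit=HELD_LIMIT):
    """events: time-ordered (seconds, portal, kind, ...) tuples with kind one of
    grant | deny | hold_ok | open | close. Returns sorted (seconds, portal, alarm)."""
    last_grant, hold_ok, opened_at, alarms = {}, set(), {}, []

    def check_held(portal, start, end):
        if end - start > held_limit and portal not in hold_ok:
            alarms.append((start + held_limit, portal, "held_open"))

    for ts, portal, kind, *_ in events:
        if kind == "grant":
            last_grant[portal] = ts
        elif kind == "hold_ok":        # a privileged user authorized hold-open
            hold_ok.add(portal)
        elif kind == "open":
            granted = last_grant.pop(portal, None)   # one grant covers one opening
            if granted is None or ts - granted > grant_window:
                alarms.append((ts, portal, "forced_open"))
            opened_at[portal] = ts
        elif kind == "close" and portal in opened_at:
            check_held(portal, opened_at.pop(portal), ts)
            hold_ok.discard(portal)    # authorization ends when the door closes
    if now is not None:                # doors still open when the log ends
        for portal, start in opened_at.items():
            check_held(portal, start, now)
    return sorted(alarms)

# Constructed sample log: (seconds, portal, kind, user)
LOG = [
    (0, "Door B1", "grant", "Alvarez"), (3, "Door B1", "open"), (9, "Door B1", "close"),
    (60, "Door B1", "deny", "Chen"), (62, "Door B1", "open"), (70, "Door B1", "close"),
    (100, "Door B1", "grant", "Baker"), (102, "Door B1", "open"), (180, "Door B1", "close"),
    # Gate door held open for boarding by a user with the hold-open privilege
    (200, "Gate C4", "grant", "Dunn"), (201, "Gate C4", "hold_ok", "Dunn"),
    (203, "Gate C4", "open"), (900, "Gate C4", "close"),
]
```

On the sample log, the opening after a denied read is reported as forced, the 78-second opening on Door B1 is reported as held open, and the long gate opening raises nothing because hold-open was authorized.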

ID Card Requirements Applicable to Card Access Systems

When access control cards are also used as identification cards, the system should support the ID badge requirements. That means auditing the system at least once a year or sooner, as necessary, to ensure the integrity and accountability of all cards. More importantly, the system must support the management of issued and unexpired cards that are lost, stolen or otherwise unaccounted for. If the number of lost, stolen or unaccounted for cards exceeds the percentage specified in the airport's security program, all existing cards must be deactivated and all cardholders must be reissued new cards. The percentage is determined by the FAA on a per-airport basis.

Some systems directly support the management of lost and stolen cards, and can generate a standard report that includes the total count of cards in that category.

ABOUT THE AUTHOR

Ray Bernard is the principal consultant for Ray Bernard Consulting Services. He is a technical consultant and writer who has provided direction and technical advice in the security and building automation industries for more than 15 years. For more information about Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.

TSA's Access Control System Requirements

According to section 1542.207, access control systems must:

  • Ensure that only those individuals authorized to have unescorted access to the secured area are able to gain entry;

  • Ensure that an individual is immediately denied entry to a secured area when that person's access authority for that area is withdrawn; and

  • Provide a means to differentiate between individuals authorized to have access to an entire secured area and individuals authorized access to only a particular portion of a secured area.



© 2008, Primedia Business Magazines and Media, a PRIMEDIA company. All rights reserved. This article is protected by United States copyright and other intellectual property laws and may not be reproduced, rewritten, distributed, redisseminated, transmitted, displayed, published or broadcast, directly or indirectly, in any medium without the prior written permission of PRIMEDIA Business Corp.
