A Physical Access Control System (PACS) is an electronic system that regulates who may enter or exit a physical space, replacing or supplementing the mechanical lock and key. It authenticates a presented credential, checks it against stored permissions, and actuates an electrified locking device to grant or deny passage while logging the event. PACS sit under Safety & Protection › Surveillance & Security and are routinely integrated with video surveillance, intrusion alarm, visitor management, and building-management systems.
Photo: cychk, CC BY-SA 4.0, via Wikimedia Commons
This guide is aimed at security and facilities purchasing engineers and design engineers. It covers 6 chapters from what a PACS is, system types and architectures, reader and credential technologies, locking mechanisms and materials, spec-sheet parameters, to selection decisions, with 7 procurement FAQs and a manufacturer overview, helping you build a complete access control knowledge framework in 30 minutes. All parameters reference UL 294, UL 1034, IEC 60839-11, NFPA 101, and FIPS 201 public standards.
Chapter 1 / 06
What is an Access Control System
A Physical Access Control System (PACS) is an electronic system that regulates who may enter or exit a physical space, replacing or supplementing the mechanical lock-and-key. It authenticates a presented credential, checks that credential against stored permissions (authorization), and actuates an electrified locking device to grant or deny passage, while logging every event. This places the PACS firmly under Safety & Protection › Surveillance & Security, where it is routinely integrated with video surveillance from industrial surveillance cameras, an intrusion alarm such as a perimeter alarm system, visitor management, and building-management systems. This entry covers physical and electronic access control hardware and systems at the door level, not purely logical or IT access control, although both share the DAC, MAC, RBAC, and ABAC policy models discussed in Chapter 2.
The defining behavior of a PACS is the sequence from credential to event log. A user presents a credential at a reader near the door; the reader captures the credential data and transmits it to the controller; the controller compares the credential identifier against the authorized list held in the controller or server; on a match the controller energizes a relay that drives the electrified lock to release, and on no match it denies and logs the attempt. The server stores user data, access privileges, and a time-stamped audit log of every event, including valid card, invalid card, Request-to-Exit, forced door, and anti-passback violation. This audit trail is what fundamentally distinguishes electronic access control from a mechanical lock that records nothing about who passed or when.
Two supporting devices complete the door. Egress is handled by a Request-to-Exit (REX) device, which can be a press button, a PIR motion sensor, or an integrated panic-bar switch, releasing the lock for free egress without a credential. A door position switch (DPS), implemented as a magnetic contact, monitors the open or closed state so the system can raise door-held-open, door-forced-open, and tailgating or anti-passback alarms. Together the reader, controller, lock, REX, and DPS form the minimum functional set of a managed opening, and almost every selection decision later in this guide maps back to one of those five elements.
Reader-to-controller communication is a design fork that shapes the whole system. The reader transmits credential data over either legacy Wiegand, a one-way and unencrypted signal, or modern OSDP, a bi-directional and encrypted protocol running over RS-485. The choice between these two protocols affects cable distance, encryption, supervision, and future-proofing, and it recurs throughout the chapters that follow because it touches credentials, wiring media, standards compliance, and selection in equal measure.
Fig. 1.1 The managed opening: reader and controller decide, the electrified lock actuates, the REX device grants free egress, and the door position switch monitors state for forced-door and held-open alarms.
Because the PACS authenticates, authorizes, actuates, and logs as one chain, a weakness in any link compromises the whole. An easily cloned credential undermines a strong lock; an unencrypted reader cable undermines a secure credential; and a non-compliant egress release undermines life safety regardless of how robust the security is. The remainder of this guide treats those links in order so that an engineer can map each opening to a credential technology, a protocol, a lock, and a code-compliant egress path with no gaps.
Chapter 2 / 06
Types and Architectures
Access control divides first into traditional and electronic. Traditional access control means mechanical locks, keys, padlocks, and combination locks; electronic access control is current-operated and is the subject of this guide. Electronic PACS are then classified by topology, which determines how decisions are distributed between the door, a panel, and a server or cloud. The table below summarizes the four mainstream topologies before each is described in turn.
Topology
Where the decision lives
Connectivity
Typical scale
Standalone / single-door
Controller, reader, and logic in one device at the door
None (no network)
1 to a few doors
Networked / panel-based (on-premise)
Door controller / access control panel (ACU), head-end server
LAN / RS-485 to server
Hundreds to thousands of doors
Cloud / managed (ACaaS)
Controllers plus hosted platform
Internet to hosted platform
Multi-site, no on-site server
Mobile-first / wireless
Wireless electronic locks, phone credentials
BLE / NFC, wireless locks
Reduced-cabling deployments
Standalone or single-door systems combine the controller, reader, and decision logic in one device at the door, with no network. They suit one to a few doors where central management is unnecessary, and they are the simplest to install because there is no panel, server, or head-end software to commission.
Networked or panel-based on-premise systems wire field readers back to a door controller or access control panel, commonly abbreviated ACU. Panels connect over LAN or RS-485 to a head-end server running the access management software, such as LenelS2 OnGuard or Genetec Synergis. This architecture scales from hundreds to thousands of doors and is the traditional choice for large enterprise and campus deployments where an organization wants to own and operate its own server.
Cloud or managed access control as a service (ACaaS) connects controllers to a hosted platform, such as Brivo, Kisi, Avigilon Alta, or Verkada, with management through a browser or app and no on-site server. It is the fastest-growing segment because it removes the on-premise server and lends itself to multi-site operation with low IT overhead. Mobile-first or wireless systems use BLE and NFC phone credentials together with wireless electronic locks to reduce cabling, and they often overlay one of the topologies above rather than replacing it.
A second, orthogonal classification is the policy or decision model, which applies to both physical and logical access control. DAC (Discretionary Access Control) lets the resource owner decide access through access control lists; it is flexible and the least restrictive. MAC (Mandatory Access Control) has the system enforce fixed security labels or classifications that users cannot override, and it is used for high-confidentiality government and military environments. RBAC (Role-Based Access Control) attaches permissions to roles, and users inherit those permissions through role assignment; it is the dominant enterprise model. ABAC (Attribute-Based Access Control) makes dynamic decisions by evaluating attributes of the user, resource, action, and environment, such as time and location, against policy, making it the most granular and context-aware model.
Topology and policy model are chosen together. A standalone door usually carries a simple owner-set rule that resembles DAC, while an enterprise on-premise or cloud platform typically implements RBAC across thousands of users and may layer ABAC for time-of-day or location-conditional access. High-confidentiality facilities that demand MAC tend to pair it with on-premise panels under direct organizational control rather than a multi-tenant hosted platform. Mapping the right topology to the right policy model early prevents a later rebuild when door counts or compliance requirements grow.
Chapter 3 / 06
Reader and Credential Technologies
The reader is where authentication starts, and the credential it reads is the single largest determinant of system security. Credentials fall into card and fob technologies, mobile credentials, and biometrics, and they differ enormously in clonability and encryption. The table below compares the main credential technologies before each is described in detail.
Credential
Frequency / medium
Encryption
Security note
125 kHz proximity (LF)
125 kHz
Read-only, little / none
Easily cloned in seconds; legacy, being phased out
13.56 MHz MIFARE Classic
13.56 MHz
Weak (broken)
Smart card, but Classic is not for sensitive use
13.56 MHz MIFARE DESFire
13.56 MHz
3DES / AES (EV1/EV2/EV3)
Preferred secure card credential
Mobile (BLE / NFC)
Bluetooth Low Energy / NFC
Yes, app / device
Often paired with on-device biometrics
Biometric
Fingerprint / face / etc.
N/A (matched)
Rated by FAR / FRR / CER, see Chapter 5
125 kHz proximity (LF) cards are read-only with little or no encryption, which makes them easily cloned; a copier costing around 30 USD can duplicate one in seconds. They are legacy technology and are being phased out, and they should not be used for anything sensitive. Their persistence in the field is purely a function of installed base, not security, and they are the first thing to replace when hardening an existing site.
13.56 MHz smart cards (HF) are the modern card standard. The family includes MIFARE Classic and the more secure MIFARE DESFire in its EV1, EV2, and EV3 generations, which use 3DES and AES encryption. Dual-frequency readers can handle both 125 kHz and 13.56 MHz, which is the practical migration tool: a site can deploy dual-frequency readers, issue DESFire credentials, and retire 125 kHz prox over time without a flag-day cutover. For sensitive openings the credential should be DESFire with AES, not Classic.
Mobile credentials use BLE (Bluetooth Low Energy) and NFC on a phone, and they are often paired with on-device biometrics so that unlocking the phone is itself a factor. Mobile credentials reduce the logistics of issuing and revoking physical cards and integrate naturally with cloud and mobile-first topologies. The reader still has a Wiegand or OSDP output toward the controller, and that output format matters: the Wiegand output format defaults to 26-bit and ranges from 26 to 37 bits.
Biometrics authenticate a physical trait rather than a possessed token, and they are evaluated by error-rate metrics rather than by clonability. The key metrics are FAR (False Acceptance Rate), FRR (False Rejection Rate), and CER or EER (Crossover or Equal Error Rate), which Chapter 5 covers with indicative numbers. Biometrics are frequently combined with a card or PIN as a second factor for high-security doors, because a single biometric tuned for low false acceptance can otherwise reject too many legitimate users and slow throughput.
The reader output protocol toward the controller is as important as the credential itself. The reader captures credential data and transmits it over legacy Wiegand, which is one-way and unencrypted, or modern OSDP, which is bi-directional, encrypted, and runs over RS-485. A secure DESFire credential read by a reader that then sends the identifier in clear Wiegand still exposes that identifier on the wire, which is why credential security and protocol security must be specified together rather than in isolation.
Image: Sezeruludag, CC BY 4.0, via Wikimedia Commons
Fig. 3.1 Credential security spans the card and the wire: a 13.56 MHz DESFire (AES) card or a BLE / NFC mobile credential read by an OSDP reader keeps the identifier protected from card to controller.Chapter 4 / 06
Locking Mechanisms, Materials and Media
The locking mechanism is the device that the controller actuates, and it is where security meets life safety. Three families dominate. The electromagnetic lock (maglock) places an electromagnet on the frame that attracts a steel armature plate on the door; it holds while powered and releases when power is removed, which makes it inherently fail-safe, and it has no moving parts. The electric strike is a hinged keeper in the door frame released by a solenoid; it is available fail-secure (locked when unpowered) or fail-safe, and it is commonly used with a mechanical latch or lockset. Electric or electrified mortise and cylindrical locks and electric deadbolts use motorized or solenoid-driven bolts integrated into the door hardware.
The fail-safe versus fail-secure behavior is the central trade-off. A maglock is fail-safe by physics, so it satisfies egress requirements only when paired with a REX and a life-safety release path, and it needs no mechanical latch. An electric strike can be specified fail-secure where code permits, so the opening stays locked on power loss while the mechanical lockset still allows egress from the secure side. The deadbolt and electrified mortise options sit between these, integrating into existing door hardware where a clean retrofit is wanted. Chapter 6 and the FAQ tie this choice back to NFPA 101 and the local AHJ.
Materials follow the environment. Lock bodies and housings are aluminum alloy or stainless steel, with stainless chosen for corrosion resistance on exterior and marine doors; armature plates are carbon or stainless steel so the magnet can attract them. Readers and keypads use polycarbonate or ABS enclosures, with IP- and IK-rated versions for outdoor and vandal-exposed locations, and keypads may be capacitive or metal. These choices map directly to the ingress-protection, impact, and temperature requirements an exterior or industrial door imposes.
The cabling and power media are dictated largely by the reader-to-controller protocol. Wiegand typically uses 18 AWG multi-conductor shielded twisted pair with a run length limited to roughly 150 m (500 ft) as a guideline, whereas OSDP runs over RS-485 twisted pair to about 1,200 m (4,000 ft). Cat 5e or Cat 6 carries IP and PoE controllers and edge devices, typically aggregated on an industrial Ethernet switch that may itself supply PoE. Power is low-voltage DC, 12 or 24 VDC from a regulated and battery-backed source such as a switching power supply, often backed by an industrial UPS for ride-through during outages, and PoE or PoE+ increasingly powers edge controllers and some locks. The order-of-magnitude difference in cable reach between Wiegand and OSDP is a recurring reason to standardize on OSDP for any campus-scale deployment.
The table below is a quick-reference lookup for media compatibility and the environment each material or cabling choice suits. It is intended for initial selection only; confirm IP and IK ratings, operating temperature, and run lengths against the specific product datasheet before installation.
Element
Material / media
Best fit
Lock body / housing
Aluminum alloy or stainless steel
Stainless for exterior / marine corrosion resistance
Armature plate
Carbon or stainless steel
Magnetic attraction for maglocks
Reader / keypad enclosure
Polycarbonate / ABS, IP / IK rated
Outdoor and vandal-exposed doors
Wiegand cabling
18 AWG multi-conductor STP
Short runs, roughly 150 m (500 ft)
OSDP cabling
RS-485 twisted pair
Long runs, about 1,200 m (4,000 ft)
IP / PoE devices
Cat 5e / Cat 6
Edge controllers, PoE / PoE+ locks
Power
12 / 24 VDC regulated, battery-backed
24 VDC preferred on long runs
Chapter 5 / 06
Key Specification Parameters
Reading an access control spec sheet means reading four different device datasheets, the lock, the reader, the credential, and the controller, plus the governing standards. The parameters below are the ones that drive selection, grouped by device, with a key-specs comparison table for the electromagnetic lock at the center because it is the most numerically specified component.
Electromagnetic locks are specified first by holding force. Standard tiers are 600 lbf (about 272 kg / 2.7 kN) for single doors and 1,200 lbf (about 545 kg / 5.3 kN), with double-door and 1,500-plus lbf models available. Voltage is usually dual 12 or 24 VDC, selectable by jumper. Current draw, cross-verified across multiple makers, is roughly 450 to 500 mA at 12 VDC and about 235 to 250 mA at 24 VDC for a 600-lb unit, and a comparable 420 to 500 mA at 12 VDC and 210 to 250 mA at 24 VDC for 1,200-lb units. The 24 VDC option is preferred on long cable runs because the lower current produces less voltage loss. The table below collects these maglock specifications.
Maglock spec
600 lb single-door
1,200 lb
Holding force
600 lbf (~272 kg / ~2.7 kN)
1,200 lbf (~545 kg / ~5.3 kN)
Voltage
12 / 24 VDC (jumper)
12 / 24 VDC (jumper)
Current @ 12 VDC
~450 to 500 mA
~420 to 500 mA
Current @ 24 VDC
~235 to 250 mA
~210 to 250 mA
Fail behavior
Inherently fail-safe
Inherently fail-safe
Larger tiers
Double-door and 1,500+ lbf models exist
Readers and credentials are specified by frequency and security. 125 kHz proximity (LF) is read-only with little or no encryption and is easily cloned, so it is legacy and being phased out. 13.56 MHz smart cards include MIFARE Classic and the more secure MIFARE DESFire (EV1/EV2/EV3) using 3DES or AES, and dual-frequency readers handle both 125 kHz and 13.56 MHz. Mobile credentials use BLE and NFC, often paired with on-device biometrics. The Wiegand output format defaults to 26-bit and ranges from 26 to 37 bits, a detail that matters when matching legacy readers to a controller.
Biometric performance is captured by three metrics. FAR (False Acceptance Rate) is the rate at which impostors are wrongly accepted and is set low for high security. FRR (False Rejection Rate) is the rate at which legitimate users are wrongly rejected and affects convenience and throughput. CER or EER (Crossover or Equal Error Rate) is the threshold where FAR equals FRR, and a lower CER means a more accurate system. As indicative performance from a published fusion study, varying by vendor, algorithm generation, and conditions, at a FAR of 0.1% a unimodal fingerprint reader showed about 6.9% FRR versus about 42.2% FRR for unimodal face, while multimodal fusion reached about 4.4% FRR.
System-level parameters describe the controller and head end: door capacity per panel, commonly 2, 4, 8, 16 or more doors; user and credential database size; event log depth; relay output ratings; programmable I/O for REX, DPS, and auxiliary functions; and battery-backup standby time. These determine whether a single panel can serve a building wing or whether the deployment needs many panels, and the I/O count must cover a REX and a DPS for every monitored opening.
Chapter 6 / 06
Selection Decision Factors
To turn the preceding chapters into a specific system, follow the decision sequence below. Most selection mistakes come not from a single wrong choice but from deciding security or convenience before life safety and code, so the sequence is deliberately ordered. These steps double as a fixed RFQ template, and they are governed by the standards summarized after the list.
Life safety and code first: any lock that prevents free egress, such as a maglock, must be fail-safe per NFPA 101 and the local AHJ, unlocking on loss of power to the locking system, while hardware that keeps free mechanical egress may be fail-secure; coordinate with the release signal from the fire alarm control panel and confirm UL 294 and UL 1034 listings before anything else.
Security grade and threat model: map each opening to an IEC 60839-11-1 Grade 1 to 4 (or equivalent risk tier) and choose credential security accordingly, avoiding 125 kHz prox for anything sensitive and preferring 13.56 MHz DESFire with AES or mobile.
Reader-to-controller protocol: specify OSDP with Secure Channel and AES-128 over Wiegand for new builds, for encryption, supervision (tamper and line monitoring), and bi-directional communications.
Topology and scale: standalone for one to a few doors, on-premise panel and server for large enterprise, or cloud ACaaS for multi-site deployments with low IT overhead.
Lock choice: a maglock is fail-safe with no latch but needs a REX plus a life-safety release, while an electric strike can be fail-secure and works with an existing mortise lockset; match holding force, door type, and frame.
Authentication strength: single-factor (card) versus multi-factor (card plus PIN, or plus biometric) for high security, with biometric FAR, FRR, and CER tuned to balance throughput against risk.
Environment: IP and IK rating, operating temperature, and vandal resistance for exterior and industrial doors, plus cable distance, roughly 150 m for Wiegand versus about 1,200 m for OSDP / RS-485.
Integration and data: VMS and video, intrusion, visitor management, HR or identity directory, anti-passback, audit and log retention, and reporting.
Two cross-cutting dimensions sit above the list. Resilience covers battery backup and standby, controller-edge local decision-making during network loss, and certificate and key management, so that a door keeps making correct decisions when the network or server is unavailable. Compliance for special sectors adds FIPS 201 and FICAM for U.S. federal facilities, plus sector mandates such as CJIS for criminal-justice facilities, which can dictate credentials and product certification regardless of the general threat model.
The standards that govern these decisions are worth holding in one view. UL 294 is the Standard for Access Control System Units, covering the panels, readers, and keypads and the delayed-egress, sensor-release, and door-hardware-release locking systems. UL 1034 covers Burglary-Resistant Electric Locking Mechanisms, including maglocks, electric strikes, electric deadbolts, and electrified locking mechanisms, and UL 294 and UL 1034 are complementary collateral standards. IEC 60839-11-1:2013 defines four security grades, Grade 1 lowest to Grade 4 highest, assigned via risk assessment, with IEC 60839-11-2 as the application and installation guideline.
On protocol and credential compliance, IEC 60839-11-5:2020 is the international standard form of OSDP (Open Supervised Device Protocol), the SIA reader-to-controller protocol; the current SIA spec is OSDP v2.2.2 (October 2024), OSDP Secure Channel uses AES-128 encryption over RS-485 and is required for federal use, and OSDP was approved as an IEC standard in May 2020. NFPA 101 (Life Safety Code) and the IBC set the egress and means-of-egress rules, requiring electrified locks that prevent free egress to be fail-safe and unlock on power loss, and governing delayed-egress and access-controlled (sensor-release) egress door allowances; fail-secure hardware stays compliant where the lockset or panic bar preserves free mechanical egress. FIPS 201 (PIV), in its current edition FIPS 201-3, implements HSPD-12 as the smart-card credential for U.S. federal facilities, and the FIPS 201 Evaluation Program (FICAM Testing Program) certifies PACS, PKI, and credential products for federal use.
Finally, manufacturer landscape informs serviceability and integration. Global and enterprise platform and hardware leaders include HID Global (readers and credentials, Seos and mobile), ASSA ABLOY (including HID and Aperio wireless), dormakaba, Allegion (Schlage), Honeywell, Bosch Security, Johnson Controls, Siemens, LenelS2 (OnGuard), Genetec (Synergis), Gallagher, Suprema (biometrics), IDEMIA (biometrics and FIPS), Identiv, Vanderbilt, Axis Communications, Avigilon and Avigilon Alta (Motorola Solutions), Brivo and Kisi (cloud ACaaS), Verkada, and Hikvision and Dahua / ZKTeco-class vendors from China for video-integrated and biometric systems. Reader-protocol governance for OSDP rests with the Security Industry Association (SIA). Confirm the chosen vendor's listings, protocol support, and spare-parts availability against the requirements above before committing.
FAQ
What is the difference between a maglock and an electric strike?
An electromagnetic lock (maglock) uses an electromagnet on the door frame to attract a steel armature plate on the door. It holds only while powered and releases the instant power is removed, so it is inherently fail-safe with no moving parts. An electric strike is a hinged keeper in the frame released by a solenoid; it can be specified fail-secure (locked when unpowered) or fail-safe, and it works with an existing mechanical latch or lockset. Maglocks need a Request-to-Exit device plus a life-safety release path, while electric strikes can retain mechanical egress through the lockset. Choose the maglock for fail-safe glass or aluminum doors and the electric strike when you want to keep an existing mortise lock and a fail-secure default.
Should I specify Wiegand or OSDP for reader-to-controller wiring?
Specify OSDP for any new build. Legacy Wiegand is a one-way, unencrypted signal whose cable run is limited to roughly 150 m (500 ft) and offers no tamper or line supervision. OSDP (Open Supervised Device Protocol) is bi-directional and runs over RS-485 twisted pair to about 1,200 m (4,000 ft). Its Secure Channel uses AES-128 encryption and is required for U.S. federal use. OSDP is standardized internationally as IEC 60839-11-5:2020, and the current SIA specification is OSDP v2.2.2 (October 2024). OSDP adds encryption, tamper and line supervision, and bi-directional communications that Wiegand cannot provide.
Which credential technology is secure enough for sensitive doors?
Avoid 125 kHz proximity (LF) cards for anything sensitive. They are read-only with little or no encryption and can be cloned in seconds with a copier costing around 30 USD; they are legacy and being phased out. For sensitive openings prefer 13.56 MHz smart cards, specifically MIFARE DESFire (EV1/EV2/EV3) using 3DES or AES, or mobile credentials over BLE and NFC that can pair with on-device biometrics. Dual-frequency readers handle both 125 kHz and 13.56 MHz during a migration. The default Wiegand output format is 26-bit, with formats ranging from 26 to 37 bits.
What do FAR, FRR and CER mean for a biometric reader?
FAR (False Acceptance Rate) is the rate at which impostors are wrongly accepted; set it low for high security. FRR (False Rejection Rate) is the rate at which legitimate users are wrongly rejected; it affects convenience and throughput. CER, also called EER (Crossover or Equal Error Rate), is the threshold where FAR equals FRR, and a lower CER means a more accurate system. As an illustration, at a FAR of 0.1% a unimodal fingerprint reader shows roughly 6.9% FRR versus about 42.2% FRR for unimodal face, while multimodal fusion drops to about 4.4% FRR. These figures are indicative and vary by vendor and conditions, so tune FAR, FRR and CER to balance throughput against risk.
What holding force and power should I expect from an electromagnetic lock?
Standard maglock holding-force tiers are 600 lbf (about 272 kg / 2.7 kN) for single doors and 1,200 lbf (about 545 kg / 5.3 kN); double-door and 1,500-plus lbf models exist. Most maglocks accept dual 12 or 24 VDC selected by jumper. Cross-verified current draw for a 600-lb unit is roughly 450 to 500 mA at 12 VDC and about 235 to 250 mA at 24 VDC; 1,200-lb units draw a comparable 420 to 500 mA at 12 VDC and about 210 to 250 mA at 24 VDC. Choose 24 VDC on long cable runs because the lower current reduces voltage loss.
Which standards and listings should an access control system carry?
For panels, readers and keypads look for UL 294 (Access Control System Units), and for the locking hardware look for UL 1034 (Burglary-Resistant Electric Locking Mechanisms covering maglocks, electric strikes and electric deadbolts); the two are complementary collateral standards. IEC 60839-11-1:2013 defines four security grades, Grade 1 lowest to Grade 4 highest, assigned by risk assessment, with IEC 60839-11-2 as the application and installation guideline. OSDP is standardized as IEC 60839-11-5:2020. For U.S. federal facilities, FIPS 201 (PIV, current edition FIPS 201-3) implements HSPD-12, and the FIPS 201 Evaluation Program (FICAM Testing Program) certifies PACS, PKI and credential products. NFPA 101 and the IBC govern egress.
How do egress and life-safety codes affect the lock choice?
Life safety and code come first. Under NFPA 101 (Life Safety Code) and the IBC, an electrified lock that prevents free egress, such as a maglock, must be fail-safe, meaning it unlocks on loss of power to the locking system, while hardware that always allows free mechanical egress may be fail-secure; these codes also govern delayed-egress and access-controlled egress door allowances. Egress is handled by a Request-to-Exit (REX) device, which can be a press button, a PIR motion sensor, or an integrated panic-bar switch that releases the lock for free egress without a credential. Coordinate the lock release with the fire alarm, confirm UL 294 and UL 1034 listings, and follow the local AHJ. A maglock is inherently fail-safe but needs a REX and a life-safety release path, while an electric strike can be specified fail-secure where code permits.
On the SpecForge access control channel, browse specification sheets for physical access control systems (PACS) and their components, covering standalone, networked on-premise panel, cloud ACaaS, and mobile-first wireless architectures, with reader and credential technologies from 125 kHz proximity, 13.56 MHz MIFARE DESFire, and BLE / NFC mobile to biometrics. This channel documents locking mechanisms (electromagnetic locks, electric strikes, electrified mortise and cylindrical locks, electric deadbolts) and the standards that govern them, including UL 294, UL 1034, IEC 60839-11-1, IEC 60839-11-5 (OSDP), NFPA 101, and FIPS 201. Each entry references holding force, voltage, current draw, credential security, Wiegand or OSDP protocol, and ingress protection, helping security and facilities engineers verify parameters and complete a code-compliant selection decision before issuing an RFQ.