Rack mount or mini tower.

Intel Core i7 Processor running at a

CPU
minimum of 2.7 GHz
Mem 64GB DDR4
ory
HDD 1TB Solid State Drive
High end graphic card with DVI video out.
DVI Two graphics cards shall be required to
support 4 LCD monitors
ODD 16X Half Height DVD-ROM Drive
Rack/ Rack mounted for the system and Tower
Towe type for the Operator
r
OS Windows 10 or later

E. SAN Storage:
1. Storage Units
a. The recording system should be a unified SAN with minimum RAIDS
6.
b. The SAN storage shall be offered with redundant controller
configuration.
c. The SAN shall be optimized for video surveillance.
d. The hard disks required for recording must be enterprise level one
with minimum 7200rpm.

F. Video Wall Controller

1. Input/ output slot
2. Input: BNC, SDI, YPbPr, HDMI, DVI, VGA, TVI, DP
3. Output: HDMI, DVI, VGA, SDI
4. Build-in matrix
5. Video wall control (maximum 32 large screen)
6. Division, splicing, base map, cross-window roaming

G. CCTV Keyboard
1. 10.1” touchscreen
2. Wifi connection
3. PoE powered
4. HDMI, DVI output
5. Liew view, display and transmission control, screen joint, cross-window
External video play

IP ACCESS CONTROL & INTRUSION SYSTEM

A. The security access system shall have the following:

SECURITY MANAGEMENT SYSTEM 16775-28

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1. Access control system server

2. Intrusion System

3. IFC Door controllers

4. Card Reader

5. Long range card reader

6. Credential cards

7. Request To Exit Switch

8. Magnetic Door Contact

9. Access Control Cards / Biometric Enrollment System

10. Access control system workstation & printers

1.01 ELECTRONIC ACCESS CONTROL SYSTEM SERVER

A. Type
1. Rack mounted server
2. Capable of fitting in a standard 19inch 42U rack

B. Hardware
1. Hardware performance shall be above security optimum
recommended specification. The following performance
specifications are provided as a minimum.

A. The server shall use a Microsoft Windows(64 bit) operating

system. Server operating systems such as Linux, Unix, and OS
X shall not be acceptable.

B. The operating system used by the system server shall be

Microsoft Windows Server 2022.

C. The operating system used by the workstations shall be

Microsoft Windows 10 Professional (64 bit) or Windows 11 Pro.

D. The database engine used by the system shall be one of the

following:

E. Microsoft SQL Server 2019 (64 bit), or

F. Microsoft SQL Server 2019 Express (64 bit).

G. Workstations shall support multi-monitor operation, allowing

an operator to configure one or more monitors for each

SECURITY MANAGEMENT SYSTEM 16775-29

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 workstation.

H. Workstation display resolution shall be a minimum of 1920 x

1080 pixels.

I. Workstation shall be able to use up to 4Gb of RAM.

1. Intruder Alarm System

1.1. The ISMS will incorporate a fully functional intruder alarm system.

1.2. All inputs globally within the system must be able to be utilised as intrusion
alarm inputs to allow intruder detection sensors to be connected to the
system.

1.3. All outputs anywhere within the system shall be available for intruder alarm
purposes such as sounding remote sirens etc.

1.4. Arming and disarming the intrusion detection system shall be either by using
card readers, alarm management terminals, key-switches or schedules.

1.5. It shall be possible for the system to cause readers to beep during entry and
exit delays.

1.6. It shall be possible for the system to active outputs during entry and exit
delays.

1.7. It shall be possible to configure the system to isolate faulty external devices so
as not to trigger false alarms.

1.8. It shall be possible to configure the system to fail to arm if an input point is
active.

1.9. It shall be possible to configure the system to fail to arm if an input point has
unacknowledged alarms.

1.10. It shall be possible for the system to cause readers to beep when alarms are
present in the system.

1.11. It shall be possible to set the system to a test mode to allow for testing and
maintenance.

1.12. The intruder alarm zone and the access zone for an area shall be treated as
separate logical items.

1.13. The intruder alarm system shall provide a dependency feature whereby an
alarm zone does not go into the set state until all dependent alarm zones are
in the set state.

1.13.1. If the alarm zone is set (armed) and the access door is secure:

SECURITY MANAGEMENT SYSTEM 16775-30

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.13.1.1. A cardholder shall require authorisation to both unset
(disarm) the intruder alarm zone, and to access the
access zone to be allowed access.

1.13.1.2. If the cardholder is not authorised to unset the alarm

zone or not allowed to access the access zone, then
access shall be denied.

1.13.2. If the alarm zone is unset (disarmed) and the access door is secure:

1.13.2.1. A cardholder shall require access to the access zone only

for access to be allowed.

1.13.2.2. If the cardholder is not authorised to access the access

zone, then access shall be denied.

1.13.3. For normal operation, after an authorised token is presented, and

access is granted, then the alarm zone shall remain unset after the
door relocks.

1.13.4. As an optional function, the alarm zone may auto-set after a

predetermined time period.

1.14. When specified, alarm monitoring may use a connection with central alarm
monitoring stations via digital communicators using Contact ID format,
connected directly to the IFC panels.

1.15. Connection with central alarm monitoring stations may be by TCP/IP or cellular
networks.

1.15.1. It shall be possible for alarms from one IFC to be transmitted via a
second IFC where the digital communicator is installed. (Peer-to-peer
communications).

1.15.2. Digital communicators are to be able to communicate alarms from all

system IFCs, independent of system server.

1.15.3. The system shall report and log all digital communicator activity and
the reason for any failure to communicate.

1.15.4. The system shall provide for up to two back up communicators on

different IFCs to provide automatic backup capability should the
designated digital communicator fail to operate on the appropriate
alarm condition.

1.16. Cardholders shall be assigned to groups, to which any combination of the

following intruder alarm privileges relating to the operation of the system may
be assigned:

1.16.1. unset intruder alarm zones,

SECURITY MANAGEMENT SYSTEM 16775-31

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.16.2. set intruder alarms zones,

1.16.3. status of alarms and inputs on AMT,

1.16.4. acknowledge alarms,

1.16.5. shunt inputs,

1.16.6. force-arm alarm zones,

auto-isolate alarm zones.

1.02 Central Control and System Management Software

1. Central Control and System Management Software

1.1. The ISMS servers shall use a Microsoft Windows operating system as defined
previously.

1.2. The system database shall be a version of Microsoft SQL Server appropriate for the
system size required. The version of Microsoft SQL Server is among those defined
previously.

1.3. The connection between ISMS and Microsoft SQL Server shall use Windows
Authentication.

1.4. The ISMS shall employ a server incorporating current generation design and
components. The hardware specification, including processor speed, internal memory and
hard disk size shall be specified by the supplier and must be sufficient to meet or exceed the
capacity and throughput of the specified system.

1.5. The ISMS shall be capable of supporting a minimum of 100 hardware based
operator workstations running concurrently. Operator workstations running terminal
emulation software will not be accepted.

1.6. The ISMS shall automatically log and time/date-stamp all events within the system
including intruder alarm set/unset events, access control events, operator actions and
activity.

1.7. The configuration GUI shall make extensive use of menus and windows and require
a minimum of operator training to operate the system proficiently. Systems requiring a
script/program language approach to configure the system will not be accepted.

1.8. A free text notes/memo field shall be available for each logical/physical object to
store abstract information relating to that item.

1.8.1. The notes field shall support 128,000 characters of text.

1.8.2. The notes field shall support word-wrap, insert, delete, cut, copy and paste
functions.

1.9. The ISMS must be capable of receiving simultaneous alarm signals from remote
locations without loss or excessive delay in their presentation to the operator. Any

SECURITY MANAGEMENT SYSTEM 16775-32

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
authorised operator should be allowed to acknowledge, view and/or process an alarm.

1.10. The ISMS shall be fitted with a real-time clock, the accuracy of which shall be
preserved over the period of a mains power supply failure. Time synchronisation between
the ISMS and Ethernet connected IFCs shall be automatic and not require operator
intervention.

1.11. Operator selection of processing tasks shall be via menu selections. Authorised
operators shall be able to process alarms, produce reports, and modify items without
degrading system performance.

1.12. The following is the minimum operational and monitoring functions required. The
ability to:

1.12.1. program either a group or individual card readers with access control parameters,
without affecting other card readers,

1.12.2. program the access criteria for individual cardholders or groups of cardholders,

1.12.3. store non access control data fields for each cardholder. The names of these data
fields shall be user-definable,

1.12.4. authorise or de-authorise a cardholder in the system with the result reflected
immediately throughout all access points in the system,

1.12.5. enable a card trace against selected cardholders so that an alarm is raised each time
that cardholder presents their access card or token,

1.12.6. pre-program holidays so that different access criteria apply compared to normal
scheduled days. The system must have a capacity to set at least 400 holiday days,

1.12.7. recognise and manage regional holiday requirements,

1.12.8. define as many access zones as there are card readers fitted,

1.12.9. allow or disallow individual cardholder access to any single, or group of card
readers, in real-time,

1.12.10. log all ISMS and operator activity to hard disk as it is received at the ISMS server,

1.12.11. program alarm response instructions into the system so that these are presented to
the operator when processing an alarm event,

1.12.12. enable an operator to enter messages against alarm events. This may be an
enforced operator operation based on configuration on a per operator basis,

1.12.13. configure user-definable short messages to allow the operator to enter commonly
used comments with minimal effort when entering messages related to alarms. For
example, false alarm, user error, etc. These messages should also be assigned to keyboard
shortcut keys to enable faster commenting on alarms,

1.12.14. temporarily override a cardholder, or group of cardholders, pre-programmed access

SECURITY MANAGEMENT SYSTEM 16775-33

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
criteria.

1.12.15. Update multiple AMTs display messages quickly using the bulk change feature

1.13. The operator GUI shall display a one-line plain language event message for every
activity event (alarm or otherwise) occurring in the system. All activity logged shall be time
and date stamped to the nearest second (hh:mm:ss). On having the appropriate operator
authorisation, it shall be possible to drill down into the properties of each component that
makes up that event. The event message shall advise:

1.13.1. the time of event created at the IFC,

1.13.2. the time the event was received at the ISMS server,

1.13.3. the source of the event,

1.13.4. any successful or unsuccessful access attempt,

1.13.5. if the access attempt is unsuccessful, the reasons for the denial.

1.14. This includes but is not restricted to the following items:

1.14.1. all card attempts,

1.14.2. all door alarms,

1.14.3. all operator activity including logon, logoff, and alarm response messages,

1.14.4. all alarm monitoring activations,

1.14.5. all communication link failures.

1.15. Time schedules for different days shall be configurable.

1.16. Regional holidays shall be configurable to allow for regional variations.

1.17. The system shall provide a detailed operator help file. This help file shall provide
operators with text, audio, and video, help instructions and tutorials.

1.18. The system shall allow for searching of items configured within the system based on
the following:

1.18.1. item characteristics,

1.18.2. related items,

1.18.3. times related to events including within properties of a configured item (creation
and modification events).

1.19. The system shall integrate with Microsoft Active Directory enabling cardholder and
user records to be fully synchronised on a real-time, bi-directional basis.

1.19.1. Integrations that use third party applications to synchronise between Microsoft

SECURITY MANAGEMENT SYSTEM 16775-34

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
Active Directory and the system shall not be acceptable.

1.20. The system shall allow for a separate biometric operator privilege.

1.21. The system shall be able to find unmigrated and duplicate DesFire cardholder keys

1.22. ISMS shall be able to purge pending queued messages from IFCs as required by the
user with this privilege.

1.23. ISMS shall be able to deploy IFC firmware as follows via an upgrade tool.

1.23.1. On demand

1.23.2 On a predetermined schedule

1.24 ISMS shall allow the user to track IFC firmware deployments status via the upgrade

tool.

1.25 ISMS shall allow users to connect via a web-based client safely and securely without
the need for the user to utilise a separate client-based application and provide the following
ISMS client functionality

1.25.1 View Cardholder’s History and activities

1.25.2 manage cards(excluding printing and encoding) and credentials

1.25.3 manage cardholders and assign access

1.26 ISMS shall allow bulk configuration and setup of supported system devices via a
delimited csv file.

1.27 ISMS shall allow for configuration and setup of a read-only replica SQL database

in a highly available environment in order to reduce the load on the primary

SQL database

1.28 ISMS shall support the redaction of the following Personal Identifiable Information
in order to meet GDPR requirements

1.28.1 Cardholder Events

1.28.2 Cardholder Information

1.29 System software installation shall support command-line silent installation

1.30 ISMS shall support cardholder case and accent sensitive searches

1. System Integration
1.1. The ISMS shall support OPC AE protocol.

SECURITY MANAGEMENT SYSTEM 16775-35

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.1.1. The OPC AE interface shall allow third party OPC clients to subscribe
to receive alarms and events from the ISMS.

1.1.2. When an alarm is processed, the OPC AE client shall send an event
processed message back to the ISMS to process the alarm on the
ISMS.

1.1.3. The ISMS shall support multiple simultaneous OPC AE connections.

1.2. The ISMS shall support OPC DA protocol.

1.2.1. The OPC interface shall support OPC DA specification 2.0 and 3.0.

1.2.2. The OPC DA interface shall allow the status of system components to
be reported to an external OPC DA client.

1.2.3. The OPC Interface shall allow third party OPC DA clients to generate
system component overrides including but not limited to alarm zone
and access zone overrides.

1.2.4. The ISMS shall support multiple simultaneous OPC DA connections.

1.3. The ISMS shall support a REST Web Service API.

1.3.1. The ISMS cardholder functionality shall support a REST Web Service
to allow an external system to create, remove, and modify
cardholders, including assigning access rights.

1.3.2. The ISMS alarms and events functionality shall support a REST Web
Service to allow external systems to receive alarms and events from
the ISMS.

1.3.3. The ISMS shall provide a REST Web Service that will allow a third-
party system to perform actions in the ISMS such as open doors,
disarm alarm zones, and turn an IFC output on.

1.3.4. The ISMS shall support a REST Web Service that will allow a third-
party system to interrogate the status of ISMS items such as doors,
alarm zones, and IFC inputs.

1.4. The ISMS shall allow data exchange with other applications using XML
protocols.

1.4.1. The system shall provide an XML interface to allow for the import,
export, and synchronization of data in an on-going basis from other
applications directly into the cardholder database both in a real-time

SECURITY MANAGEMENT SYSTEM 16775-36

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 manner and in a batch-oriented approach. A developer’s kit with a
sample application shall be readily available.

1.4.2. The system shall provide an XML interface to allow for updating
access control schedules from other applications directly into the
ISMS database in both a real-time manner and in a batch-oriented
approach. A developer’s kit with sample application shall be readily
available.

1.5. The system shall provide a tool which allows configuration and synchronization
of cardholder data with third party systems via a csv file. The CSV import
functionality shall support the following functionality:

1.5.1. manually triggered data import,

1.5.2. schedule triggered data import,

1.5.3. images imported via flat file.

1.6. An API that communicates directly to the IFC shall be available.

1.6.1. The API shall allow third party systems to pass events to the IFC and
for the events to appear in the ISMS event window.

1.6.2. It shall be possible for the IFC to be programmed to trigger actions

based upon these external events. For example, a video analytic
alarm from a video management system is passed to the IFC, the IFC
in turn will lock doors and raise and alarm.

1.6.3. It shall be possible for a third-party system to send a card number

and site code to the IFC to act as a “virtual card reader”.

1.6.4. The API shall allow the third-party system to interact directly with the
IFC with no reliance on the ISMS server.

1.7. The ISMS shall support the BACnet communications protocol.

1.7.1. BACnet communication will be via TCP/IP.

1.7.2. The IFC will communicate with BACnet devices with no need for
server intervention.

1.7.3. The BACnet integration will enable the IFC to monitor BACnet objects
for state changes and raise alarms accordingly.

SECURITY MANAGEMENT SYSTEM 16775-37

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.7.4. The BACnet integration will enable the IFC to change BACnet object
states in response to events.

1.8. The ISMS shall support the SNMP communications protocol.

1.9. Events from third party systems shall be managed in the same way as inputs
connected directly to IFCs.

1.10. Interactions with third party systems shall be logged in the ISMS.

1.11. ISMS shall support smart sensor integration which detects the following

1.11.1. Masking

1.11.2. Air quality

1.11.3. Volatile organics

1.11.4. Vaping

1.11.5. Gunshot

1.11.6. Tetrahydrocannabinol (THC)

1.11.7. Fine particulate matter (PM 2.5 and PM10)

1.11.8. Ammonia

1.11.9. Nitrogen dioxide

1.11.10. Carbon monoxide

1.11.11. Carbon dioxide

1.11.12. Help keyword

1.11.13. Aggression

1.11.14. Barometric pressure

1.11.15. Light level

1.11.16. Temperature

1.11.17. Humidity

1.11.18. Tampered

SECURITY MANAGEMENT SYSTEM 16775-38

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.11.19. Sound level

1.12 The system shall support biometric reader integration which can read all
four finger prints on a cardholder’s hand.

1.13 The ISMS shall have the ability to integrate with SIP intercoms and provide
the following
functionality
1.13.1 Answer calls from the ISMS
1.13.2 Call a SIP intercom from ISMS
1.13.3 Please a call on hold
1.13.4 Hanging up a call
1.13.5 View video for an intercom at 720p resolution
1.13.6 Grant access

1.03 FIELD DOOR CONTROLLERS

The IFC shall be the main controller in the field. The ISMS shall
communicate directly with all IFCs.

The IFC shall use a Linux operating system, this OS shall be specifically
re-developed for a security purpose. Applications on a general-
purpose OS such as Windows CE, Arduino, or a standard Linux kernel
shall not be accepted.

1.04 Each IFC shall be intelligent such that in the event of failure of
power or communications to the ISMS, for whatever reason, the
IFC shall continue to allow or deny access based on the full
security criteria at time of disconnection.

1.05 The IFC shall store on-board all the security and access
parameters to operate completely independently from the
central control server. Systems that rely on the central control
server for access decisions will not be considered.

1.06 The IFC shall buffer activity data and immediately transmit it to
the central control server upon re-establishment of
communications.

1.07 Should communications fail with the ISMS, each IFC shall be
capable of buffering up to 80,000 events.

1.08 All events shall be time-stamped at the IFC at the time of

occurrence.

SECURITY MANAGEMENT SYSTEM 16775-39

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.09 ISMS that only time stamp the event upon receipt at the central
control hardware shall not be acceptable.

1.10 The IFC shall be capable of storing up to 500,000 card records

with associated access criteria.

1.11 The IFC shall support the use of six-state end-of-line circuits and
enunciate whether the circuit is open, closed, alarm, trouble,
open circuit tampered, or short circuit tampered as separate
conditions.

1.12 A configurable range of end-of-line resistor values shall be

supported as a software function to support pre-existing input
circuits when required.

1.13 The IFC shall include tamper protection for the front and the back
of the panel. The front panel shall be tamper protected for door
open, and the rear of the panel to detect if the panel has been
removed from the wall. These shall use optical tamper detection.
Mechanical tamper devices are not acceptable.

1.14 The IFC shall incorporate an ARM 9 processor with at least 256
Megabytes of non-volatile FLASH EEPROM. The IFC shall
incorporate boot code in a protected sector of the flash memory.
For software upgrades, all IFC software shall be downloaded
from the central server over the network

1.15 The IFC shall support direct download via USB to allow local
upgrade of the IFC.

A. The upgrade process shall only accept authenticated downloads via

the USB port.

1.16 The IFC shall operate from a DC power supply with battery
backup.

1.17 The IFC shall continue to operate for at least 24 hours in the
event of a mains supply failure.

1.18 The IFC shall be capable of automatically detecting and reporting

a low power condition.

1.19 IFCs shall automatically restart and resume processing following

a power failure.

SECURITY MANAGEMENT SYSTEM 16775-40

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.20 IFCs shall be fitted with “watchdog” hardware and software to
provide automatic detection and restart should the processor
lock up.

1.21 The IFC shall contain its own real-time clock. The clock shall be
synchronised with the central control server clock at least once
per hour. The accuracy shall be such that the time difference
between IFCs shall not vary more than 0.5 second at any time.

1.22 The IFC shall be allocated to a time zone appropriate to the IFC
location to cater for regionally and globally located IFCs.

1.23 The IFC shall have an on-board Ethernet (TCP/IP) connection and
driver supporting 10BaseT and 100BaseT operation. Third party
plug-in RS485/Ethernet modules will not be accepted.

1.24 When specified, the IFC shall support 100/1000BaseT.

1.25 When specified, the IFC shall be fitted with 2 Ethernet ports
providing a fail-over communication capability.

1.26 The IFC shall have IPv6 address support.

1.27 The IFC shall support DHCP addressing.

1.28 The ISMS shall natively support WAN and NAT configurations to
communicate with IFCs on distributed networks.

1.29 The IFC shall support DNS operation.

1.30 Should the primary DNS not be available, the IFC shall be able to
automatically establish contact with a secondary or tertiary DNS.

1.31 The IFC shall be provided with a pre-configured IP address to

allow offline initial configuration via a web browser application
when required.

1.32 It shall be possible to view the IFC status and configuration for
commissioning and diagnostic purposes without the use of the
central server software or other proprietary software. This may
be achieved using a conventional web browser.

1.33 The IFC diagnostic web interface shall not share common log on
credentials with any other installed site.

SECURITY MANAGEMENT SYSTEM 16775-41

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.34 Should excessive network broadcast traffic occur (resulting from
a denial of service attack or similar), an alarm shall be generated.

1.35 The IFC shall support a high security configuration that disables
unnecessary ports and legacy communication methods, this shall
be achieved by an onboard jumper or DIP switch.

1.36 All ISMS data communication between the central server and
IFCs shall be encrypted using an industry standard symmetric
encryption algorithm equivalent to AES-256 or stronger.

1.37 Communication between the management application and IFCs

shall be continuous and monitored for interruption.

1.38 The IFC shall include one RS232 multi-communications port.

1.39 The IFC shall include one USB 2.0 port.

A. There may be a USB removed version of the IFC as a derivative of the

standard model

1.40 Remote communication between the IFCs and the ISMS server
shall use the switched telephone network circuits.

A. Incoming connection shall be via an ISP service.

B. Outgoing connections via modems connected to the customer LAN

are not permitted.

1.41 The IFC shall support a cellular module for alarm transmission to
multiple alarm monitoring stations via a cellular network.

1.42 The IFC shall support logic functionality by way of configurable

logic blocks.

A. The IFC logic functionality shall be able to be run independent of the

ISMS server being online.

B. The following items shall be useable as input parameters to logic

blocks:

1. physical input states,

2. output states (both physical and logical),

3. door states,

SECURITY MANAGEMENT SYSTEM 16775-42

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 4. other logic block states.

C. Up to ten logic block input parameters shall be configurable in

AND/OR combinations to cause a logic block to operate.

D. When a logic block changes state according to the input parameters

then the following types of items may change to reflect the state of
the logic block:

1. virtual output (software based),

2. physical relay.

E. The state change of the logic block shall have configurable timing
options with at least the following:

1. explicit,

2. delay on,

3. delay off,

4. pulsed,

5. maximum on time,

6. latched.

F. The IFC logic block shall be able to trigger actions across multiple
IFCs, independent of the ISMS server being online.

1.43 A separate alarm message shall be transmitted to the ISMS for at

least the following alarm conditions. The alarm message shall be
displayed in plain language text.

1. tamper,

2. tamper return to normal,

3. unit stopped responding,

4. card error,

5. maintenance warning,

6. alarm sector state change,

7. user set alarm,

SECURITY MANAGEMENT SYSTEM 16775-43

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 8. user unset alarm,

9. card trace,

10. wrong PIN,

11. access denied,

12. duress,

13. zone count maximum,

14. zone count minimum,

15. door open too long,

16. forced door,

17. door not locked,

18. power failure,

19. system reboot,

20. intercom.

1.44 The IFC shall communicate with and control the following
equipment:

1. biometric access readers,

2. card access readers with PIN keypads,

3. elevator access equipment,

4. alarm monitoring input/output panels and equipment,

5. alarm response equipment.

1.45 All communications links between the IFCs and remote devices
shall be monitored such that an alarm is raised at the central
control if the data being transmitted is corrupted or tampered
with in any way.

1.46 All data communication between IFCs shall be encrypted using

an industry standard symmetric encryption algorithm equivalent
to AES-256 or stronger.

SECURITY MANAGEMENT SYSTEM 16775-44

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.47 All data communication between IFCs shall use an industry
standard asymmetric encryption algorithm for mutual
authentication and session key negotiation. This algorithm shall
be equivalent to ECC P-384 or stronger. Session keys shall be re-
negotiated on a regular basis at intervals no longer than 30
hours.

1.48 Communication between IFCs and downstream devices shall

support a high-speed serial protocol of at least 1Mbit/second.

1.49 The IFC shall support up to 10 high speed serial communication

ports.

1.50 The IFC shall support up 80 devices comprising a combination of

readers, I/O devices and sensors.

1.51 Devices connected to the high communication serial port shall

contain a manufacturer’s unique serial number.

1.52 When connected to an IFC, the serial number of the downstream

device shall be reported to the ISMS.

1.53 Once assigned to a function within an IFC, if any attempt is made

to substitute readers in the field without authorization, an alarm
shall be generated.

1.54 The IFC shall support the Wiegand connections protocol,

supporting up to 65,535 bits.

A. Wiegand formats shall be configurable, allowing for:

1. number of bits,

2. facility/site code bits,

3. card number bits,

4. parity bit configuration.

1.55 The IFC shall have OSDP reader support.

1.56 The IFC shall provide relay output facilities that are activated in
response to alarm activations. Relay functions required are:

A. Activate and latch a relay in response to an alarm. Relay to remain

latched until alarm processed.

SECURITY MANAGEMENT SYSTEM 16775-45

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 B. Activate a relay for pre-set “pulse” time. The relay to release after the
“pulse” time lapses.

C. Relay activation to “mirror” or “follow” the alarm input activation.

1.57 The ISMS shall incorporate relay outputs that can be activated
according to time schedules, rather than alarm event.

A. Power Backup and battery backup Supply:

1. Each door controller shall be provided with and integral 7Ah
9Ah battery within the cabinet the controller is located within.
2. Batteries shall ensure that each door continues to function on a
standalone basis for a minimum period of 4 2 hours in the event
of PoE+ signal loss.

B. Support capability to remote release doors

C. Compatible with relay extension boar

1.04 Access Control Readers – Mifare Technology

1.12. The reader shall support the following technologies:

1.12.1. Mifare Classic,

1.12.2. Mifare Plus,

1.12.3. Mifare DESFire EV1,

1.12.4. Mifare DESFire EV2,

1.12.5. NFC.

1.13. The reader shall be capable of reading the CSN of the Mifare card and store
the CSN in the ISMS database

1.14. The readers shall support self-discovery on the ISMS.

1.14.1. Readers shall contain a manufacturer’s unique serial number.

1.14.2. When connected to an IFC, the serial number of the reader shall be
reported to the ISMS.

1.14.3. Once assigned to a function within an IFC, if any attempt is made to

substitute readers in the field without authorisation, an alarm shall
be generated.

1.15. Data communication rate between IFCs and readers shall be at least
1Mbit/second.

SECURITY MANAGEMENT SYSTEM 16775-46

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
1.16. Communication sessions between IFCs and readers shall use certificate
exchange protocols using keys with a minimum strength of ECC P-256.

1.17. Data communication between IFCs and readers shall be encrypted and use a
minimum of AES-128.

1.18. Readers shall generate a heartbeat signal to enable the IFC to identify lost
communications and thereby generate an alarm.

1.19. Readers shall be upgradeable via software downloaded from the ISMS without
any intervention at the reader.

1.20. The reader must accept a message from the IFC to advise that data from
reader to IFC has been received and to consequently stop sending the card
data.

1.21. Each reader shall be identified independently on the ISMS by means of a

unique plain language descriptor. The plain language descriptor shall be at
least 60 characters in length.

1.22. Where a card only reader is specified, the reader shall include:

1.22.1. Integrated reader module supporting the technologies listed above.

1.22.2. The card only reader option shall include an audible beeper and
red/green LEDs to provide user feedback.

1.22.2.1. A steady red LED shall indicate door secure.

1.22.2.2. A flashing red LED shall indicate access denied.

1.22.2.3. A steady green LED shall indicate door free access.

1.22.2.4. A flashing green LED shall indicate access granted.

1.22.2.5. It shall be possible to turn off the reader LED indication

via the ISMS software.

1.22.3. The beeper shall give different beeps to indicate:

1.22.3.1. access granted,

1.22.3.2. access denied,

1.22.3.3. second card required when dual card authorisation or

escort mode is programmed,

1.22.3.4. it shall be possible to turn off the reader beeper via the
ISMS software.

1.22.4. The readers must comply with at least IP68 environmental protection
rating.

SECURITY MANAGEMENT SYSTEM 16775-47

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.22.5. The readers must comply with an impact rating of at least IK07

1.22.6. A vandal resistant enclosure having an impact rating of at least IK08

rating shall be available where:

1.22.6.1. Vandal covers shall be fixed to the wall surface using

tamper-resistant screws.

1.22.6.2. Vandal covers shall have bevelled edges to limit the

ability for persons to use the reader as an aid to climbing
the building.

1.22.6.3. All external surfaces shall be bevelled and without

protruding parts to meet anti-ligature requirements.

1.22.7. The reader must be RoHS compliant

1.22.8. The reader shall operate with a temperature range of -30oc to +70oc.

1.23. Where a PIN pad is specified, the reader shall include:

1.23.1. integrated reader module supporting the technologies listed above,

1.23.2. a minimum of a 3.5” LED colour display indicating:

1.23.2.1. card required,

1.23.2.2. PIN required,

1.23.2.3. access denied,

1.23.2.4. intruder alarm set,

1.23.2.5. intruder alarm unset,

1.23.2.6. free access,

1.23.2.7. second card required.

1.23.3. The display shall support multiple languages which shall be

selectable from the ISMS software.

1.23.4. The reader shall display information to the user using a combination
of text and graphics.

1.23.5. The reader shall display the date and time.

1.23.6. a PIN pad fully integrated with the reader,

1.23.7. the PIN pad shall be backlit,

1.23.8. The PIN pad shall include:

SECURITY MANAGEMENT SYSTEM 16775-48

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.23.8.1. numerical 0 to 9 keys,

1.23.8.2. a cancel key,

1.23.8.3. an enter/accept key,

1.23.8.4. two soft keys that vary according to the current usage of
the keypad.

1.23.8.5. An option with no reader module, for use as an AMT.

1.23.9. Menus shall be accessible by logging on with either a card or a PIN.

1.23.10. The reader shall be capable of (but not limited to) carrying out the
following functions:

1.23.10.1. Arm alarm zones; A minimum of 50 per reader must be

supported.

1.23.10.2. Disarm alarm zones; A minimum of 50 per reader must

be supported.

1.23.10.3. View Alarms; A minimum of 100 per reader must be

supported.

1.23.10.4. Acknowledge alarms; A minimum of 100 per reader must

be supported.

1.23.10.5. View alarm history; A minimum of 100 per reader must

be supported.

1.23.10.6. Change the door to free access mode.

1.23.10.7. Change the door to secure access mode.

1.23.10.8. Change the door to operate from a user defined

schedule.

1.23.10.9. Turn outputs on and off. A minimum of 50 per reader

must be supported.

1.23.10.10. View the status of inputs. A minimum of 100 per reader

must be supported.

1.23.10.11. Isolate inputs. A minimum of 100 per reader must be

supported.

1.23.11. User definable custom images shall be displayed on the screen when
the reader is idle.

1.23.12. The reader shall support the following image formats:

SECURITY MANAGEMENT SYSTEM 16775-49

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.23.12.1. PNG,

1.23.12.2. JPG,

1.23.12.3. JPEG.

1.23.13. It shall be possible to adjust the reader beeper via the ISMS software
to the following volume levels:

1.23.13.1. off,

1.23.13.2. quiet,

1.23.13.3. normal,

1.23.13.4. loud.

1.23.14. The reader shall have the ability to display the status of alarms and
indicate the status of physical and logical items via LEDs on front
panel.

1.23.14.1. The reader shall support at least 8 indication LEDs.

1.23.15. It shall be possible to turn off the reader indicator LEDs via the ISMS
software.

1.23.16. Tamper detection shall be provided against the unit being removed
from the mounting surface.

1.23.17. Keypad readers must comply with a minimum IP66 environmental

protection rating.

1.23.18. Keypad readers must comply with an impact rating of at least IK08.

1.23.19. The keypad reader shall operate with a temperature range of -30oc to
+70oc.

1.24. All readers must be RoHS compliant.

1.05 UHF LONG RANGE CARD READER

A. Read range: 5m

B. Type:
1. MIFARE DesFire EV1

C. Material:
1. UL94 Polycarbonate

D. Mounting:
1. Pole

SECURITY MANAGEMENT SYSTEM 16775-50

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 E. Enclosure (Reader):
1. Weatherproof – IP 65
2. Vandal resistant

F. Tamper protected Car Compatibility

1.06 CREDENTIAL CARDS

A. The Security Contractor shall provide 2,000 access control cards to the
Owner.
1.25. The access token technology for this project shall match the reader technology
as specified separately but in association with this specification.

1.26. Access cards shall be of standard credit card size, being no larger than CR-80
and shall be direct printable using a dye-sublimation print process or be
capable of accepting an adhesive label printed through such a process.

1.27. All cards shall meet ISO standards.

1.28. As well as CR80 sized cards, vehicle tokens and key-ring transponders should
also be proposed as an alternative, where available.

1.29. The access token data shall include:

1.29.1. support for up to 2008-bit card numbers,

1.29.2. where a proprietary card number format is offered, the card format
shall include:

1.29.2.1. a unique site code not used for any other system
worldwide,

1.29.2.2. a unique cardholder identification number at least 7

digits long,

1.29.2.3. an issue level for each card number to allow for replacing
lost cards without reducing the card database size. Up to
15 levels of issue levels shall be supported.

1.30. The access control token shall uniquely identify the cardholder to the access
control system.

1.31. Uniquely identifiable information shall be stored in the access token in a

secure format.

1.32. Transmission of data between the proximity access token and the proximity
reader shall be in a secure format.

SECURITY MANAGEMENT SYSTEM 16775-51

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
1.33. There shall be barriers employed to prevent the copying or altering of access
control data stored on the card using any readily available equipment. The
tenderer shall document the barriers used.

1.34. Cards and access tokens shall be able to be encoded by the supplier according
to the client’s specifications, made known at the time of order.

1.35. Allowance shall be made for the supply of encoding software and hardware to
the client to enable encoding of their own cards and/or tokens on site.

B. Access control cards, shall be compatible with the access control

readers and shall be MIFARE DesFire EV1

1.07 Magnetic Door Lock (Signe/Double)

A LED Indication Green – Door Lock; Red – Door Unlock

B Voltage 12/24VDC+10%
C Holding Force (1200, 800, 600Lbs x 2)
D Material For Shell Anodized Aluminum
E Suitable For Wooden Door, Glass Door, Metal Door, Fireproof

1.08 Magnetic Door Contact

A Dimensions 20mm - 25mm diameter

B Housing ABS ,white colour
C Gap 25-35mm
D Output NC
E Power input 0.5A/100V/100W

1.09 Push to Exit Door Switch

A Suitable For NO (Fail Secure) and NC (Fail Safe) locks

B Operating Temp -10...+55°C
C Suitable Humidity 0 - 95% (non-condensing)
D Face Plate Aluminum
Material
E Button Material PVC

SECURITY MANAGEMENT SYSTEM 16775-52

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 1.10 Door Break and Vibration Sensor with Siren Accessory

• High quality Omni-directional microphone sensor

• Up to 8m/120° detection coverage
• Selectable EOL resistors（Alarm Resistance: 1K, 2K2, 4K7, 5K6, 6K8）
•  9-16 VDC wide voltage adaptation with polarity reverse connection protection

1.04 Volumetric Sensor with Siren Accessory

• Detection range:18m 85.9°

• NC
• 10Kg pet immunity
• 9-16 VDC

1.05 Intrusion Keypad

• Same Mifare Card Reader Specs

2.10 BIOMETRIC ENROLLMENT SYSTEM

A. The Security Contractor shall be responsible for installation,

configuration, and training for an enrollment system for the access
cards/ Biometric fingerprint Access Controlled Devices. The BES shall
be located within the Security control room.

B. The BES shall

include:
1. P
C
W
o
r
k
s
t
a
t
i
o
n
2. Photo capture camera
3. Biometric Enrollment Reader
4. Card Printer
5. Necessary peripherals (stands, etc) required for system

SECURITY MANAGEMENT SYSTEM 16775-53

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 operations as indicated in tender drawings

C. Workstation: The BES shall reside on an independent workstation.

Refer to Clause “WORKSTATION AND PRINTERS” in this section for the
workstation configuration.

D. Photo capture camera: Minimum 1.3-megapixel resolution, USB

powered integral flash with adjustable intensity, USB 2.0 connectivity
and TWAIN compliant. The camera will be supplied with tripod.

E. Biometric Enrollment Reader: MIFARE DESFire EV1 access token and

fingerprint enrollment combined unit.

F. Card Printer
1. ID plastic card Color printers (double sided) shall be supplied
with the card administration software, fully configured for
printing a number of logo designs incorporating a user photo
and holographic counterfeiting countermeasures as a
minimum. The system shall be configured and training
provided to allow the Operator to produce completed ID cards
based on the access card database.
2. Location: One device in security control room

G. The following functions shall be completed by the BES:

1. Enrollment of Authorized users through a biometric scan.
2. Conversion of biometric template into a format which is
compatible with the EACS.
3. Transmission and Storage of Biometric templates and/or EACS
templates onto the EACS server, and Access Control Panels.
4. Management, diagnostics, and update management of
fingerprint Readers.
5. Shall interface and control any field panels required for the
operation of the fingerprint Readers.

H. The BES shall be manufactured by the same manufacturer as the

fingerprint Reader.

2.11 WORKSTATION AND PRINTERS

A. The Workstation shall comprise the following minimum hardware:

1. Intel Core i7 Processor running at a minimum of 2.7 GHz
2. Min 64 GB DDR4
3. High end graphic card with DVI video out. Two graphics cards
shall be required to support 4 LCD monitors.
4. 1 TB SSD Hard disk drive.
5. DVD +/-RW drive capable of playing DVD and CDROM discs,
and recording on DVDRW, DVDR, and CDRW disks
6. 4 x USB ports

SECURITY MANAGEMENT SYSTEM 16775-54

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024
 7. Ethernet network card
8. Rack mounted
9. Windows 10 or later

B. Printers
1. High quality, high speed laser printers for hardcopy system
printouts.
2. The printer shall be multi font, Color output.
3. It shall have a minimum operating speed of 200 characters /
second or higher
4. Printer shall be formatted to print on standard A3 and A4
paper.
5. Minimum of 300 dpi.
Refer the system drawings for the location and quantity of
the printer

INTERCOM SYSTEM

General:
Where clean rooms and laboratories define the workplace, communication can
become tedious due to restricted zones and special requirements to the equipment.
Special intercom stations with a sealed membrane surface should be resistant to
chemicals and allow hands-free speech when handling critical components. Clear,
intelligible, and ideally hands-free communication is essential in medical
environments. Staying connected with team members in remote locations or
coordinating workflows on the fly is just as important. This saves valuable time.

Passive infrastructure cabling system already exists for the hospital network.
However, the bidder must conduct the site survey and consider in his proposal and
pricing any additional requirements to complete the required tender scope.

System Components:
• Intercom Server
• IP Intercom stations
• Desktop station

Minimum specifications required

1- INTERCOM SERVER

a. Intercom server system description

The purpose of the SECURITY COMMUNICATION SYSTEM shall be to provide fast

“duplex,” (hands-free at both ends) voice communication as required to provide
instant intercommunications for employees and visitors, emergency paging and

SECURITY MANAGEMENT SYSTEM 16775-55

Project: KW.21.0667_Beyout Plus (M1) 31 October 2024