Title:
AN ATTENDANCE DEVICE
Document Type and Number:
WIPO Patent Application WO/2014/111725
Kind Code:
A2
Abstract:
An attendance device, comprising a counter arranged to generate a counter value representative of a time elapsed from registration of the attendance device with a server, a memory for storing an encryption key and a unique identifier associated with the attendance device, and a processor adapted to generate an encryption of the counter value and the unique identifier, using the encryption key.

Inventors:
GOULD DANIEL GEORGE (GB)
Application Number:
PCT/GB2014/050134
Publication Date:
July 24, 2014
Filing Date:
January 17, 2014
Assignee:
GOULD DANIEL GEORGE (GB)
International Classes:
G07C1/20
Domestic Patent References:
WO2004075525A1 2004-09-02
WO2005091230A1 2005-09-29
WO1999052061A1 1999-10-14
Foreign References:
US20070168488A1 2007-07-19
US7058814B1 2006-06-06
US5572192A 1996-11-05
Attorney, Agent or Firm:
LATHAM, Stuart et al. (4 More London Riverside, London, Greater London SE1 2AU, GB)
Claims:
CLAIMS

1. An attendance device, comprising:

a counter arranged to generate a counter value representative of a time elapsed from registration of the attendance device with a server;

a memory for storing an encryption key and a unique identifier associated with the attendance device; and

a processor adapted to generate an encryption of the counter value and the unique identifier, using the encryption key.

2. An attendance device, comprising:

a system clock synchronised with a system time on a server;

a memory for storing an encryption key, a unique identifier associated with the attendance device and a registration time corresponding to a time of registration of the attendance device with a server; and

a processor adapted to generate a counter value from a subtraction of the registration time from the system time and to generate an encryption of the counter value and the unique identifier, using the encryption key.

3. An attendance device as claimed in claim 2, wherein the processor comprises a first processor adapted to generate the counter value from the subtraction of the registration time from the system time and a second processor adapted to generate the encryption of the counter value and the unique identifier, using the encryption key.

4. An attendance device as claimed in any of claims 1 to 3, wherein the attendance device has a battery and wherein the processor is adapted to generate an encryption of a battery level using the encryption key, the battery level representative of the level of charge in the battery.

5. An attendance device as claimed in any of claims 1 to 4, wherein the processor is adapted to generate an encryption of a checksum using the encryption key, the checksum being a function of the counter value and the unique identifier.

6. An attendance device as claimed in any of claims 1 to 5, further comprising a display coupled to the processor and arranged to display the encryption.

7. An attendance device as claimed in claim 6, wherein the display is alphanumeric.

8. An attendance device as claimed in claims 6 or 7, further comprising an input device arranged to provide an input signal to the processor to generate the encryption and/or the display to display the encryption.

9. An attendance device as claimed in claims 6 or 7, wherein the processor is adapted to generate the encryption at regular time intervals and the display is arranged to display the most recent encryption generated by the processor.

10. An attendance device as claimed in any preceding claim, wherein the counter has a resolution of one minute or two minutes.

11. An attendance device as claimed in any preceding claim, wherein on synchronisation with the server the counter is reset to zero or a random value.

12. An attendance device as claimed in any preceding claim, further comprising a communications interface coupled to the memory and/or the processor adapted to receive information from the server.

13. An attendance device as claimed in claim 12, wherein communication interface is adapted to receive a reset signal from the server to reset the counter value to zero or a random value.

14. An attendance device as claimed in claims 12 or 13, wherein the communications interface is adapted to receive an update packet comprising an updated unique identifier and an updated encryption key.

15. An attendance device as claimed in claim 12, wherein the communications interface is an optical communications interface.

16. An attendance device as claimed in claim 14, wherein the communications interface can receive information from the server via an optical display.

17. An attendance device as claimed in claim 15, wherein the optical display is one of a liquid crystal display, an electroluminescent display, an LED display and a plasma display panel.

18. A method of monitoring attendance using an attendance device as claimed in any of claims 1 to 17, the method comprising:

providing a counter value representative of a time elapsed from registration of the attendance device with a server to the processor;

at the processor, generating an encryption of the counter value and the unique identifier using the encryption key; and

displaying the encryption on the display.

19. A method according to claim 18, wherein the processor generates the checksum of the counter value and the unique identifier and wherein the encryption generated by the first processor further comprises an encryption of the checksum.

20. A method according to claim 19, wherein the encryption generated by the first processor further comprises an encryption of the battery level.

21. A method according to claims 18 or 19, the method initiated by receipt of an input signal at the input device.

22. A method of calibrating an attendance device as claimed in any of claims 1 to 17, comprising:

at a central server:

transmitting a registration packet comprising a unique identifier, an encryption key, and a counter offset; and

storing a value of the current system time and the counter offset; and

at the attendance device:

receiving the registration packet;

setting the counter to a value based on the counter offset; and

storing the unique identifier and the encryption key in the memory.

Description:
AN ATTENDANCE DEVICE

FIELD OF THE INVENTION

The present invention relates to attendance devices and in particular attendance devices for verifying the attendance of service providers at remote locations.

BACKGROUND TO THE INVENTION

There are situations in which the verification of a person's attendance at a particular location is important. For example, in a situation where a "contractor" is requested to attend a particular site location to perform work, it may be in the requestor's or "manager's" interest to verify whether such attendance took place and for how long the worker was in attendance. Various devices exist which allow a manager to verify and monitor the duration of attendance of contractors at distinct locations. This is usually achieved by contractors interacting with a device installed at such locations.

However, there are limitations with these systems, such as the number of devices that can be registered to a single manager.

SUMMARY OF THE INVENTION

According to a first aspect of the invention, there is provided an attendance device, comprising a counter arranged to generate a counter value representative of a time elapsed from registration of the attendance device with a server, a memory for storing an encryption key and a unique identifier associated with the attendance device, and a first processor adapted to generate an encryption of the counter value and the unique identifier, using the encryption key. Using a counter to monitor elapsed time provides several advantages. Whereas prior art attendance devices store comprehensive time and date information with high granularity for encryption of location and time information, the inventor has realised that valuable memory can be used up by the large variable length of standard 32 or 64 bit system time. Furthermore, the attendance code is advantageously kept short so that a contractor can easily record it at a site location with minimal error. Only a finite number of bits can be encrypted into a short alphanumeric code. By reducing the number of bits taken up by time using a relatively small counter value, more space is available for other data, such as that relating to location of the attendance device at a particular site location. Since more space is available for such information, many more attendance devices can be registered to the same manager.

According to a second aspect of the invention, there is provided an attendance device, comprising a system clock synchronised with a system time on a server, a memory for storing an encryption key, a unique identifier associated with the attendance device and a registration time corresponding to a time of registration of the attendance device with a server, and a first processor adapted to generate a counter value from a subtraction of the registration time from the system time, and a second processor adapted to generate an encryption of the counter value and the unique identifier, using the encryption key. The attendance device may further comprise a display coupled to the processor and arranged to display the encryption. In which case, the display is alphanumeric. Thus, a contractor can easily take down the number displayed on the display. This may be done by writing on paper or more preferably by recording the code on an electronic device such as a smart phone which may be operable to transmit the code to the server. The attendance device may further comprise an input device arranged to provide an input signal to the processor to generate the encryption and/or the display to display the encryption. Thus, instead of permanently displaying an encryption code in the device display which would use power, the code may only be generated and displayed on user input. Alternatively or additionally, the first processor may be adapted to generate the encryption at regular time intervals and the display arranged to display the most recent encryption generated by the first processor.

The counter preferably has a resolution of one minute or two minutes, so that an attendance code is accurate to within one or two minutes. On synchronisation with the server the counter may be reset to zero. Alternatively, the counter may be reset to a random value to provide a further level of security to the encrypted attendance code.

The attendance device may further comprise a communications interface coupled to the memory and/or the first processor adapted to receive information from the server. This communications interface may be used to register or maintain the device. The communication interface may be adapted to receive a reset signal from the server to reset the counter value to zero or a random value. The communications interface may be adapted to receive an update packet comprising an updated unique identifier and an updated encryption key.

Advantageously, the communications interface is an optical communications interface and may receive information from the server via an optical display. Alternatively, the communications interface could be any other wireless interface or a USB or firewire interface. The communication interface may transfer data using any known synchronous or asynchronous protocol.

The optical display may be a liquid crystal display, an electroluminescent display, an LED display or a plasma display panel.

The first processor and the second processor may be the same processor.

According to a third aspect of the invention, there is provided a method of monitoring attendance using an attendance device according to the first or second aspects described above, the method comprising: providing a counter value representative of a time elapsed from registration of the attendance device with a server to the processor; at the processor, generating an encryption of the counter value and the unique identifier using the encryption key; and displaying the encryption on the display.

The processor may additionally generate a checksum of the counter value and the unique identifier, in which case the encryption generated by the processor further comprises an encryption of the checksum. The method may be initiated by receipt of an input signal at the input device.

According to a fourth aspect of the invention, there is provided a method of calibrating an attendance device according to the first aspect or the second aspect, the method comprising: at a central server: transmitting a registration packet comprising a unique identifier, an encryption key, and a counter offset; and storing a value of the current system time and the counter offset; and at the attendance device: receiving the registration packet; setting the counter to a value based on the counter offset; and storing the unique identifier and the encryption key in the memory.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention shall now be described, by way of non-limiting example only, with reference to the accompanying figures, in which:

Figure 1 is a schematic diagram of an attendance device according to an embodiment of the present invention;

Figure 2 is a front view of the attendance device of Figure 1;

Figure 3 is a front view of a transmission display for transmitting data to the attendance device of Figure 1;

Figure 4 is an illustration of the reduction in required storage space for a counter value generated by the attendance device of Figure 1;

Figure 5 is an example illustration of an encryption packet before encryption by the attendance device of Figure 1;

Figure 6 is a further example illustration of an encryption packet before encryption by the attendance device of Figure 1;

Figure 7 is a flow diagram of steps for generating an attendance code according to an embodiment of the present invention;

Figure 8 is a flow diagram detailing steps for generating an attendance code according to a variation of the present invention;

Figure 9 is a flow diagram illustrating steps for decrypting the attendance code generated by the steps shown in Figure 7; and

Figure 10 is a flow diagram illustrating steps for decrypting the attendance code generated by the steps shown in Figure 8.

DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Embodiments of the present invention are concerned with providing a reliable, secure and inexpensive device to allow managers to monitor the attendance of workers, hereinafter described as "contractors", at distinct locations, herein referred to as "site locations". Embodiments of the present invention also provide potential for many thousands of such compact and inexpensive attendance devices to be installed and registered to a single manager at site locations throughout his domain, each attendance device unique to all others. Embodiments can be installed at a site location, and are adapted to display a short alphanumeric code containing information concerning the current time, date and location in encrypted form. A contractor is instructed by a manager to record the code on arrival and/or departure from a site location. The code can then be returned to the manager to verify the time and location of attendance of a contractor at a particular site location and the duration of the contractor's visit, with a reduced risk of falsification by the contractor of information concerning his whereabouts.

Figure 1 is a schematic diagram showing the architecture of an attendance device 10 according to an embodiment of the present invention together with its interaction with a server 12. The attendance device 10 includes a processor 14, a memory 16, a display device 18, a receiver 20, a counter 22 and an optional user input 24 together with an internal power source, such as a battery (not shown). Memory and counter busses 26, 28 are provided between the processor and both the memory 16 and the counter 22 respectively. Data can be transmitted from the processor 14 to be displayed on the display device 18 via a one-way display bus 30. The output of the optional user input 24 is also provided to the processor 14 via a user input bus 32. The receiver 20 of the attendance device is coupled to the processor 14 via an interface input bus 34a and an optional interface output bus 34b. Although Figure 1 shows the counter 22, memory 16 and receiver 20 as being external to the processor 14, it will be appreciated that one or all of these components may be integral to the processor 14. The attendance device 10 may be implemented using any known microprocessor, for example a PIC® microcontroller such as the PIC24F32KA301, PIC16F527 or PIC32MX210F016B. The memory 16 may comprise any combination of volatile or non-volatile memory known in the art, and is adapted to store information concerning the device location and value of the counter 22 together with an encryption key for encrypting such stored data for display on the display device 18 and any other suitable configuration information. To simplify manufacture, minimise cost and reduce energy consumption of the attendance device 10, the display device 18 is preferably an alphanumeric LCD display, as shown in more detail in Figure 2. It will be appreciated, however, that any video display known in the art which provides the requisite function could be used, such as an electroluminescent, LED or plasma display.

The display device 18 is configured to display a short alphanumeric code 36 containing encrypted information relating to the location of the device and a measure of elapsed time relative to a known point in time, as will be described in more detail below. The attendance code 36 is kept relatively short so as to reduce the likelihood of a contractor copying the code from the display incorrectly. The attendance code 36 may be permanently displayed on the display device 18 or alternatively the code 36 may be displayed only in response to activation of the user input 24. The user input 18 may be a button, motion sensor or any other known input device. The processor 14 may be programmed to display the code 36 on the display device 18 only during certain times, for example during a contractor's standard working hours or only during the day/night. The particular code 36 shown in the display 18 in Figure 2 is for example only.

Referring again to Figure 1, the attendance device 10 may be calibrated or recalibrated by a server 12 or other such computing device via the attendance device's receiver 20. The server 12 transmits data via an integral or coupled transmitter 36 across a communications interface 38 to the receiver 20. The communications interface 38 may comprise any appropriate interface known in the art such as USB, firewire or a suitable wireless interface. Preferably, however, the receiver 20 comprises a plurality of photodiodes 20a and 20b, and the transmitter 36 comprises a plurality of corresponding light sources configured so as to align with the photodiodes 20a, 20b when packaged in the attendance device 10. The transmitter 36 may comprise two or more distinct transmission areas 40a, 40b on a transmission display 42 such as a CRT or a flat panel display such as an LCD or plasma display, as shown in more detail in Figure 3. Data is transmitted via the transmission areas 40a, 40b by the periodic transition of pixels in the transmission areas 40a, 40b between dark and light colours, such as black and white. In other embodiments, the light sources may be LEDs or ordinary lamps transmitting data in a similar manner. It will be appreciated that other known methods of data transfer may be used.

To register the attendance device 10 to a particular manager, the communications interface 36 is set up between the attendance device 10 and the server 12. In a preferred embodiment, this is achieved by a manager or other user physically holding the device 10 relative to the transmission display 42 such that the photodiodes 20a, 20b align with the transmission areas 40a, 40b. The transmitter 36 may then initiate communication between the server 12 and attendance device 10 either independently or in response to user input such as the press of a button located on the front of the device. Alternatively, communication could be initiated automatically on replacement of the battery. Where a communication interface 38 such as USB or firewire is used, transmission may be initiated by the interface 38 itself. Data is transmitted to the attendance device 10 across the communications interface 38 via any known protocol, and preferably sent using synchronous transmission. Once communication is initiated, the server 12 transmits a registration packet to the attendance device 10. The registration packet may contain the following information:

- A unique identifier for the device 10, referred to as the "locationID". Each locationID is unique to one of the set of the devices linked to a particular manager (company, entity, body corporate etc).

- An encryption key which is unique to the manager's set of devices. All devices calibrated in connection with a distinct manager may be calibrated with the same encryption key. Each encryption key may be linked to a single manager so as to be used only on devices linked to that single manager. Alternatively, private/public key encryption may be used to increase the security of the encrypted data. Each device may be supplied with one of a set of public encryption keys, the set unique to the manager's set of devices. A single key for decryption may then be kept by the manager and, for example, stored at the server 12, as will be described in further detail below. As a further alternative, a double encryption technique may be used in which the data is encrypted twice by the attendance device 10 and subsequently decrypted at the server 12 using a two stage process, as will be described in more detail below. In such circumstances, the server 12 transmits two encryption keys to the attendance device 10: a primary encryption key and a secondary encryption key. The primary encryption key is unique to the manager. The secondary encryption key is one of a set of secondary encryption keys also unique to the manager, a particular secondary key chosen at random from the set and transmitted to the attendance device 10. The server 12 then links the chosen secondary encryption key with the locationID of the attendance device 10 to which it was sent, and stores the link. On receipt by the attendance device 10 of the locationID and encryption key(s), the processor 14 stores these variables in the memory 16. In a preferred embodiment, the locationID and encryption key may be stored in EEPROM or other non-volatile memory whilst the counter value may be stored in volatile memory such as RAM.

- A counter offset for reset of the counter 22 to a predetermined value. The counter offset may, by default, be set to zero. Alternatively, the counter offset may be a random number within the counter's 22 range, generated by and stored on the server 12. The processor 14 then offsets the counter 22 by the value of the counter offset. Accordingly, the counter 22 is synchronised with a system time of the server 12 offset by a known time period. Since the offset is known only to the server 12, the level of encryption of the time/date information to which the counter value relates is further increased. Preferably, to minimize the size of the registration packet, a size of the offset is small compared to the size of the counter's 22 range. For example, for a 21 bit counter, an 8 bit offset seed may be used. This may decrease the registration time since less information needs to be transferred across the communications interface 38.

Other configuration information may also be transmitted to the device, such as whether the device display's 18 backlight should be switched on, and whether the device display should permanently display the attendance code 34 or whether the code 34 should only be displayed on activation of the user input. Once calibrated, the attendance device 10 may be mounted to a wall or other surface at a site location. The design of the device's 10 casing is so as to inhibit the device from being opened or dismounted without damage to the device 10. For example, the mounting screws may be tamperproof allowing only tightening of the fixing to a surface. Equally, the moulding may be click sealed once the calibration process has been completed. The attendance device 10 preferably has no user serviceable parts. In some circumstances however, the internal power source may be replaceable by a manager or an authorised person such as a maintenance engineer. The internal power source is preferably chosen to last for the device's 10 entire service period, which may correspond to the time range of the counter 22.

The counter 22 is configured to monitor time elapsed from a particular time reference, stored on the server 12. For example, the counter 22 may be a 21-bit counter having a time resolution of one or two minutes. With a two minute resolution, the time range of the counter is 2 x 2^21 (4,194,303) minutes - approximately 8 years. Thus the internal power source may be chosen with an 8 year service period in mind. The counter 22 may be a wraparound counter such that its value returns to zero after reaching its maximum value of 2^22. Accordingly, in instances where the counter value is reset to a predetermined random value during calibration, as long as the reset counter value and the system time of the server 12 at which the counter 22 was reset are known, the value of the counter 22 at any particular time can be determined and, vice versa, the time for any particular instantaneous value of the counter 22 can be determined. Using a counter 22 to monitor elapsed time provides several advantages. Whereas prior art attendance devices store comprehensive time and date information with high granularity for encryption of location and time information, the inventor has realised that valuable memory can be used up by the large variable length of standard 32 or 64 bit system time. Furthermore, as mentioned above, the attendance code 36 is advantageously kept short so that a contractor can easily record the attendance code 36 at a site location with minimal error. Only a finite number of bits can be encrypted into a short alphanumeric code. The inventor has realised that by encrypting a short 21-bit counter value, more space is available for other data, such as the locationID and an optional checksum. For example, the maximum number of bits able to be encoded into an 8 character alphanumeric code is 40 bits, calculated as follows. For each character of the code, there are 36 possibilities (0 - 9, A - Z = 36 characters). Four of these characters are not used due to potential misinterpretation (O, I, 0 and 1) which leaves 32 (2^5) possibilities. Each character in the code 36 therefore has a data value of 5 bits. For an 8 character code, 40 bits can be encoded (5 x 8).

As is shown in Figure 4, 11 bits of the 32 bits previously taken up by standard time are now free for other data. Using, for example, the 8 character code 36 described above, 19 bits of the 40 bit capacity are now available for the locationID and the optional checksum. Since more space is available for the locationID, many more devices can be registered to the same manager. Whereas in prior art devices using standard 32-bit time and date only 8 bits were available for locationIDs (256 different IDs), the present invention can offer up to 2^19 different locationIDs, i.e. up to 524,288 unique devices registered to the same user. Even with the implementation of a 5 bit checksum, 2^14 (16,384) different locationIDs and thus attendance devices may be registered to a single manager. Such a configuration is described in Figure 5.

Where the internal power source of the attendance device 10 is a battery, the attendance device 10 may optionally extract or monitor a value of the level of charge left in the battery. This level may be stored in the memory 16 or extracted when required by the processor 14. A small number of bits of the 40 bit display capacity may be used to encrypt an indication of the level of the battery or simply, using a single bit, an indication that the battery charge is running low, so that a manager can keep track of the battery level of each of his devices in each location. In such cases, a reduction in size of either the locationID, counter or checksum may be made. For example, figure 6 shows a configuration in which the size of the checksum has been reduced to 4 bits to make room for a 1 bit battery indication.

It will be appreciated that the number of bits allocated to each of the counter 22, locationID and checksum may be chosen at the manager's discretion. For example, where fewer devices are required and thus a smaller number of unique locationIDs are required, the locationID can be made smaller leaving room for a larger counter, checksum, or battery indicator value. Equally, if the capacity of the counter is increased, counter granularity can be reduced, thus increasing the accuracy of monitoring of contractors while the time range of the counter is maintained. It will, however, be appreciated that an increase in size of one variable will lead to a compromise in the size of another. Such choices depend on the requirements of the manager. It will also be appreciated that with larger displays the number of encryptable bits will increase.

Once the attendance device 10 has been installed at a site location, it is ready for operation.

Generation and display of the attendance code by the attendance device 10 will now be explained in detail with reference to Figures 5 to 8. As mentioned above, the device may generate an attendance code on activation of the optional user input 24. Alternatively, if no user input 24 is provided, the attendance device 10 may periodically update the display 18 to display an up to date attendance code based on the current value of the counter 22 and the locationlD. In either case, the processor may load 50 the current counter value, locationlD and encryption key(s) from the memory 16. Based on the counter value and the locationlD, a checksum is optionally generated using any known method. Using the encryption key(s) the processor 14 can encrypt an encryption packet comprising the counter value, location ID optional checksum and optional battery level indication, examples of which are shown in Figures 5 and 6, into an 8 digit alphanumeric code 36 and displayed 54 on the display device 18.

A flow chart showing the steps of alternative method of encryption using double encryption is shown Figure 8. The attendance device 10 encrypts, at step 57, some but not all of the bits of the encryption packet using the stored primary encryption key. For example, the attendance device 10 may encrypt 2 bytes (16 bits) out of the 5 byte registration packet. The attendance device 10 may then perform a second encryption at step 58 using the secondary encryption key, in which some but not all of the bits of the encryption packet are encrypted. The result is a registration packet in which all of the bits have been encrypted at least once using the primary encryption key, and some have been encrypted twice using both the primary and secondary encryption keys. Bits which have only been encrypted using the primary encryption key contain data relating to the locationlD. the 8 digit alphanumeric code 36 is then displayed 54 on the display device 18.

At the time that an attendance code is generated, the counter value may be stored in nonvolatile memory. Then, on subsequent generations of attendance codes, the current counter value can be checked against stored counter values to ensure that an attendance code is never issued twice. The attendance device 10 may not issue a code if the current counter value matches on of the counter values stored in the non-volatile memory.

As mentioned above, the steps shown in Figures 7 or 8 may be performed in real time, at set time periods, or in response to user input. In any case, the contractor may then record the attendance code 36 so that he/she can subsequently confirm his attendance at a site location. When a contractor has visited one or more site locations and recorded one or more corresponding attendance codes 36, the contractor may pass these codes by way of electronic transmission or any other known method either back to the associated manager or directly to the server 12 together with his identity and preferably the identity of his manager. Attendance codes may be recorded on site using a handheld device such as a smart phone and sent in real time to the manager or server 12 via a wireless communications network.

Processes of decryption and verification of the attendance code 36 are shown in Figures 9 and 10. Referring first to Figure 9, the server 12 may receive 60 an attendance code together with information concerning the identity of the contractor and/or identity of his associated manager using any suitable method. So that the server 12 can choose the correct decryption key, which corresponds to the encryption key used to encrypt the original locationID, counter value and optional checksum and battery level indicator, one of a) the contractor's identity and b) the manager's identity must be known. Once the server 12 has identified the manager and associated decryption key, the attendance code can be decrypted 62, and the locationID, counter value and optional checksum and battery level indicator extracted.

Figure 10 shows an alternative method of decryption where a double key encryption is adopted. Like steps have been accorded like reference numerals. As discussed above, the encrypted attendance code is a product of encryption using both of the primary and secondary encryption codes. Decryption may be performed as follows. The identity of the manager is verified as described above with reference to Figure 9. The manager's unique primary encryption key can therefore be ascertained, which may then be used to perform the first part 68 of decryption of the attendance code. At this point, the server 12 may then extract 70 part or all of the locationID from the part decrypted attendance code, since these parts have only been encrypted once, using the primary encryption key. Based on the part of the locationID extracted from the part decrypted code, the server 12 may fetch 72 the secondary encryption key, which was linked to the extracted locationID on registration, and subsequently complete the second and final step of decryption of the attendance code using the secondary encryption key, thus extracting the remaining information - counter value and optional checksum and battery level indicator - as described above with reference to Figure 9.

A number of verification steps 66 may be performed on the decrypted elements 64. Firstly, if a checksum has been used, the server 12 may recompute the checksum of the decrypted locationID and counter value and compare the recomputed checksum with the decrypted checksum to determine the validity of the decryption. If the checksums match, there is a high chance that the attendance code is authentic and error free, so no further verification may be necessary. However, there is a small chance of a false positive. Accordingly, such attendance codes may be further checked alongside decrypted attendance codes having non-matching checksums. In the event that the calculated checksums do not match, the decryption may be marked as "bad" and stored for subsequent analysis. Any suitable checksum verification technique known in the art may be used. For example, the extracted counter value may be analysed to check that the time/date it relates to is between the time of registration of the device and the current time. Equally, the extracted locationID may be checked to see whether it appears on the server.

A near miss analysis may then be performed on "bad" decryptions. The expected time/date and location of a contractor at a particular time can be input by a manager. The server 12 may then calculate expected attendance codes over a time period centred on the expected time and date of attendance. For example, where a contractor was due to arrive at a site location at 12.15 am, 3/1/2013, expected attendance codes for the period of 12 pm - 12.30 pm on 3/1/2013 may be generated. In addition, codes with substituted letters representing common typographical errors can also be generated. The server 12 may then compare the expected attendance codes with the "bad" attendance code to find near matches. The server 12 may then record near matches and a probability that the "bad" code was simply a user error or typographical mistake. Any other suitable near miss technique known in the art may be used.
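The following Python sketch is an added illustration, not part of the application, of the code generation, the server-side verification steps 66 and the near miss analysis described above. Its assumptions, since the description fixes none of them: a 40-bit packet laid out as a 20-bit counter, 12-bit locationID and 8-bit CRC-derived checksum; a 32-symbol alphabet giving 8 characters; and an HMAC-SHA256 Feistel network standing in for the unnamed cipher, with a constructed demo key.

```python
import hmac, hashlib, zlib

KEY = b"constructed-demo-key"                   # constructed sample key, not from the application
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"   # assumed: 32 symbols, so 8 characters carry 40 bits
CONFUSED = str.maketrans("OIL", "011")          # assumed common misreadings of 0 and 1

def _round(key, i, half):
    # Feistel round function: HMAC-SHA256 truncated to 20 bits (stand-in cipher)
    mac = hmac.new(key, bytes([i]) + half.to_bytes(3, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big") & 0xFFFFF

def _feistel(key, block, rounds):
    left, right = block >> 20, block & 0xFFFFF
    for i in rounds:
        left, right = right, left ^ _round(key, i, right)
    return (right << 20) | left   # final swap: decryption is the same walk with rounds reversed

def checksum(counter, loc):
    return zlib.crc32(counter.to_bytes(3, "big") + loc.to_bytes(2, "big")) & 0xFF

def make_code(key, counter, loc):
    # Assumed packet layout: 20-bit counter | 12-bit locationID | 8-bit checksum
    packet = (counter << 20) | (loc << 8) | checksum(counter, loc)
    block = _feistel(key, packet, range(8))
    return "".join(ALPHABET[(block >> s) & 31] for s in range(35, -1, -5))

def verify(key, code, known_locs, max_counter):
    """Decrypt a code and apply the checks; return (counter, loc), or None for a "bad" code."""
    code = code.upper().translate(CONFUSED)
    if len(code) != 8 or any(c not in ALPHABET for c in code):
        return None
    block = 0
    for c in code:
        block = (block << 5) | ALPHABET.index(c)
    block = _feistel(key, block, range(7, -1, -1))
    counter, loc, chk = block >> 20, (block >> 8) & 0xFFF, block & 0xFF
    ok = chk == checksum(counter, loc) and loc in known_locs and counter <= max_counter
    return (counter, loc) if ok else None

def near_misses(key, bad_code, loc, expected_counter, window, max_diff=1):
    """Counters around the expected visit whose code differs from bad_code in <= max_diff characters."""
    typed = bad_code.upper().translate(CONFUSED)
    hits = []
    for counter in range(max(0, expected_counter - window), expected_counter + window + 1):
        diff = sum(a != b for a, b in zip(make_code(key, counter, loc), typed))
        if len(typed) == 8 and diff <= max_diff:
            hits.append((counter, diff))
    return hits
```

With an 8-bit checksum a mistyped code still passes the checksum comparison about once in 256 attempts, which is why `verify` also applies the locationID and counter range checks before accepting a decryption.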

Extracted information from validated attendance codes may then be analysed. Using the counter value and the stored offset relating to the corresponding locationID of the attendance device 10, the time at which the contractor visited the site location and recorded the attendance code 36 can be calculated. Accordingly, a manager can determine the time at which the contractor was at the site location. Furthermore, if the manager has instructed the contractor to record attendance codes on arrival and departure from the site, the manager has a comprehensive record of the time the contractor spent at that site location. The battery level indicator can also be analysed to determine whether the battery is low in an attendance device 10 and if so, indicate that a manager or an authorised person may be required to replace the battery.

The server 12 is preferably provided with a database (not shown) to store all collected data concerning managers and associated contractors such that information regarding attendance can be accessed and analysed, and reports generated in real time or at a later date.

As an alternative to the counter 22, the processor 14 of the attendance device may have a system time. In such cases, on calibration, the system time of the attendance device is stored in the memory 16. On generation of the attendance code 36, a counter value is generated by subtracting the current system time from the system time stored in the memory 16, which corresponds to the time of registration of the attendance device 10 with the server 12 and then scaling the product to a resolution of, for example, one or two minutes. The calculated counter value is thus equivalent to the counter value generated by the counter 22 described above, providing the same benefits over standard time/date encryption as those discussed above in relation to the counter 22 generated counter value.