AN ELECTRONIC ACCESS CONTROL SYSTEM

FIELD OF INVENTION

This invention relates to an electronic access control system. It relates also a portable authentication device and to an access control device forming part of the electronic access control system.

BACKGROUND TO THE INVENTION

Advanced electronic access control systems increasingly employ an authentication means in order to gain access to an access-controlled system (referred to hereinafter as a "main system"). For example, an authentication means in the form of a finger-print reader attached to a doorframe may be used to open a door mounted in the doorframe to permit an authorized user to access a facility. Other biometric authentication means include iris scans, palm scans, voice or facial recognition. A more prosaic authentication means is the use of a secret PIN (Personal Identity Number), the presumption being

that only the individual issued with the PIN is in possession of that knowledge and presentation of a correct PIN is therefore proof of identity.

A defect in many of these access control systems is a failure to discriminate clearly between "authorization" and "authentication", which if not properly addressed may expose an authorized individual to identity theft or invasion of privacy.

"Authorization" in the context of access control systems, refers to the act of authorizing an individual to access a main system without regard to the individual's identity. A metal key is an example of an authorization; anyone in possession of that pattern of metal is authorized to access a corresponding lock.

"Authentication" in the context of access control systems, refers to the verification of an individual's true identity. Authentication requires either access to some secret knowledge possessed only by that individual (such as a PIN) or some individual-specific biometric data such as a fingerprint.

Three security models may be constructed from these basic elements as follows:

1. Authorization only;

2. Authentication only;

3. Authentication and authorization.

The "authorization only" model involves the issuing of an authorization to an authorized individual. The individual's identity may or may not be recorded at the time the authorization is issued, termed "identified" and "anonymous" authorizations, respectively. Subsequently, presentation of the authorization is sufficient to gain access to a main system. A metal key is an example of an anonymous authorization. The issuing of an electronic key tag having a unique identity code stored therein and the recording of the authorized individual's name against the particular tag, is an example of an identified authorization.

The "authentication only" model combines authentication and authorization. An individual with a specified identity, which may be proven by an authentication means, is authorized for access to a main system. In order to gain access to the main system, the individual is authenticated and granted access if the individual's identity is proven. An example of an "authentication only" access control system is an electronic lock using a fingerprint reader.

The "authentication and authorization" model issues an explicit authorization as in the authorization only model, but also provides an authentication means to verify the identity of the authorized individual. An example is an electronic banking card (the authorization means) which must be used in conjunction with a PIN (the authentication means).

There are two problems arising from conventional access control implementations:

1. The increasing incorporation of authentication means into third-party devices exposes authorized individuals to identity theft. For example, future banking machine may incorporate iris scanners, obliging all users to scan their irises into the machine. There is no assurance that this sensitive biometric information will not be used to forge a user's identity on another system using the same authentication means. As authentication tests become more and more sophisticated, the burden of proof that a user did not execute a fraudulent act will increasingly fall upon the individual whose identity has been stolen. Individuals are nevertheless expected to entrust sensitive authentication data to third- party devices.

2. An authentication means always provides a unique signature for a user's identity across different systems. When third party access points demand that a user be authenticated in order to be authorized, it becomes much easier to track an individual's movements through diverse systems, possibly invading an individual's privacy of movement.

As the number of electronic authorization points increases, these two issues are a matter of concern to authorized individuals.

It is an object of the project invention is to provide a uniform and systematic means for controlling access to a main system, whereby an authorized

individual's identity may be protected, thereby eliminating the two concerns referred to above.

SUMMARY OF THE INVENTION

According to the invention there is provided an electronic access control system comprising:

at least one portable authentication device including:

a) authentication memory means in which authentication information which is unique to an authorized user, can be stored;

b) first authorization memory means in which a first authorization code can be stored;

c) input means for inputting an authentication means;

d) authentication device interface means for interfacing with a compatible device;

e) authentication control means which is operable to compare the inputted authentication means with the authentication information and if there is a match, to generate a control signal permitting the first authorization code to be released for transmission to a compatible device via the authentication device interface means; and

an access control device for controlling access to a main system, the access control device including:

a) access control device interface means which provides an interface with the authentication device interface means allowing the

transmission of the first authorization code to the access control device;

b) second authorization memory means in which a second authorization code is stored;

c) authorization control means which is operable to receive the first authorization code and to compare the first authorization code with the second authorization code and if there is a match, to generate an actuation signal permitting access to the main system.

The authentication memory means may be configured to store authentication information in the form of biometric information unique to the authorized user, therein.

The authentication memory means may be configured to store an authentication code unique to the authenticated user, therein.

The interface means of the access control device may be in the form of an electrical connection means which provides an electrical connection between the portable authentication device and the access control device.

The portable access control device may include an electrical power source sufficient to provide power for the operations of the portable authentication device and of the access control device.

The access control device may include encryption means which is operable to generate an encryption code and to send a challenge signal containing the encryption code to the portable authentication device, the portable authentication device being operable to send an encrypted return signal containing the first authorization code combined with the encryption code, to the access control device in response to the challenge signal received from the authorization control means, the authorization control means being operable to compare the encrypted first and second authorization codes.

The encryption means of the access control device may be in the form of a random number generating means which is operable to generate an encryption code in the form of a random number.

The electronic access control system may be in the form of an electronic locking system wherein the portable authentication device is in the form of an electronic key and the access control device is in the form of an electromechanical lock.

The electromechanical lock of the electronic locking system may comprise:

a) a cylinder having a front end and an opposite rear end, which can be rotatably mounted to a first component to be locked, the cylinder including a keyway at the front end thereof, for the key and electrical connection means which provides an electrical connection with the electrical power source of the key;

b) a tailpiece which is operable to interfere with the movement of a second component to be locked and which is mounted to the cylinder at the rear end thereof in arrangement wherein relative rotation between the tailpiece and the cylinder is permitted in an uncoupled condition of the lock and wherein the cylinder and the tailpiece are rotatably coupled in a coupled condition of the lock;

c) an electrically-operated clutch mechanism which is operable, when actuated, to releasably connect the cylinder and the tailpiece thereby causing the cylinder and the tailpiece to become rotatably coupled in said coupled condition of the lock; and

d) electronic control means which is electrically connected to the electrical connection means and to the clutch mechanism and which is operable to generate an actuation signal for actuating the clutch mechanism.

The invention extends to the portable authentication device forming part of the electronic access control system, as defined hereinabove.

The invention also extends to the access control device forming part of the electronic access control system, as defined hereinabove.

BRIEF DESCRIPTION OF THE DRAWINGS

Further features of the invention are described hereinafter by way of a non- limiting example of the invention, with reference to and as illustrated in the accompanying diagrammatic drawings. In the drawings:

Figure 1 shows a schematic sectional side view of a lock of an access control system in the form of an electromechanical locking system, in accordance with the invention;

Figure 2 shows a schematic enlarged fragmentary sectional side view of the clutch mechanism of the lock of Figure 1 ;

Figure 3 shows a schematic side view of a key of the electromechanical locking system in accordance with the invention;

Figure 4 shows a perspective view of the cylinder casing of the lock of Figure 1 ;

Figure 5 shows a schematic rear end plan view of the cylinder casing of the lock of Figure 1 ;

Figure 6 shows a schematic sectional side view of the cylinder casing of Figure 4, sectional along section line Vl - Vl of Figure 5;

Figure 7 shows a schematic sectional side view of the cylinder casing of Figure 4, sectioned along section line VII - VII of Figure 5;

Figure 8 shows a schematic front end plan view of the cylinder casing of Figure 4;

Figure 9 shows a schematic rear end plan view of the bobbin of the lock of Figure 1 ;

Figure 10 shows a schematic front end plan view of the bobbin of Figure 9;

Figure 11 shows a schematic perspective view of the bobbin of Figure 9;

Figure 12 shows a schematic perspective view of the coupler of the lock of Figure 1;

Figure 13 shows a schematic rear end plan view of the coupler of Figure 12;

Figure 14 shows a schematic front end plan view of the coupler of Figure 12;

Figure 15 shows a schematic perspective view from the front end, of the tailpiece of the lock of Figure 1 ;

Figure 16 shows a schematic perspective view from the front end, of the bobbin, coupler and tailpiece of the lock of Figure 1 in an assembled condition;

Figure 17 shows a schematic perspective view from the rear end of the bobbin, coupler and tailpiece of the lock of Figure 1 in an assembled condition;

Figure 18 shows a schematic exploded view of the bobbin, coil, spring, magnet and metal cup comprising the actuator assembly of the clutch mechanism of the lock of Figure 1 ;

Figure 19 shows a schematic block diagram illustrating the manner in which the key causes actuation of the lock of Figure 1;

Figure 20 shows a schematic sectional plan view from the rear end, of the lock of Figure 1 , sectional along section line XX - XX of Figure 2;

Figure 21 shows a 180° cylindrical cross-section through the lock along section line XXI - XXI of Figure 20, illustrating the clutch mechanism as viewed from the centre of the cylinder, with all of the clutch mechanism components projected onto a common radius;

Figures 22A to 22E show radial cross-sectional views of the tailpiece, coupler, bobbin and cylinder illustrating, in sequence, the disengagement of the clutch mechanism;

Figures 23A to 23D show radial cross-sectional views of the tailpiece, coupler, bobbin and cylinder, illustrating, in sequence, the actuation of the clutch mechanism;

Figures 24A to 24D show radial cross-sectional views of the tailpiece, coupler, bobbin and cylinder, illustrating, in sequence, the manner in which the clutch mechanism is disengaged when a shock is applied to the lock;

Figure 25 shows a schematic block diagram illustrating the operation of the electromechanical locking system of Figure 1 ;

Figure 26 shows a flow chart illustrating the sequence by which access to the master authorizations on the key are protected by means of a PIN;

Figure 27 shows a schematic block diagram illustrating the sequence of signals exchanged between the lock and the key of the electromechanical locking system of Figure 1 , during authorization of an operation on the lock that has been requested by the key;

Figure 28 shows a schematic block diagram illustrating the sequence of signals exchanged between the lock and the key of the electromechanical

locking system of Figure 1 , when the key invokes an operation on the lock; and

Figure 29 shows a flow diagram illustrating the key in a locked (key holder not authenticated) and an unlocked (key holder authenticated) state.

DESCRIPTION OF PREFERRED EMBODIMENT

With reference to the drawings, an access control system in accordance with the invention, in the form of an electronic locking system is designed generally by the reference numeral 8. The electronic locking system is an electromechanical locking system comprising an access control device in the form of a lock 12 and a portable authentication device in the form of key 14. The lock 12 has a front end 10 and a rear end 11 and includes a cylinder 16 which is rotatably mounted to a first component to be locked, an electronic control unit 18 which is housed within the cylinder, a tailpiece 20, a clutch mechanism 22 which is housed within the cylinder 16 and a tailpiece adapter 24.The tailpiece adapter 24 is connected to a lock bolt (not shown) or other conventional locking device which interferes with movement of a second component to be locked to the first component.

Many of the features of the lock 12 are described in earlier International Patent Application PCT/IB2006/003600 filed in the name of the Applicant for the present invention. For ease of reference the technical description of the

lock and the drawings accompanying PCT/IB2006/003600 have been reproduced herein. Much of the technical description of the components of the lock 12 are not material to the present invention and have been inserted merely for the sake of completeness of description.

The key 14 comprises a metal split key blade 26 which is split into two key blade portions 26.1 and 26.2 and a key body 28. The key blade portions 26.1 and 26.2 provide for a 2-wire electrical contact with the lock 12. The key blade thus provides a mechanical and electrical lock interface 5 with the lock 12 by which electrical power, data and mechanical effort is transmitted to the lock 12. The key blade portion 26.1 is notched on one or both sides thereof with pyramidal notches in a manner similar to a conventional key. The key 14 includes a SIM card which is housed within the key body and in which a number of unique key authorisation codes and a unique authentication code can be stored. The key 14 further includes a printed circuit board which supports the key's electronics. The key includes a power regulator and a microcontroller which includes authentication control means in the form of an authentication controller. The microcontroller supports the lock protocol and power management functions. The key further includes a battery for supplying power to the key and the lock electronics. Input means in the form of a button 27 is provided which permits a user to selectively input data to the lock 12. The key body 28 has an indicator lamp 1 mounted thereto, the purpose of which will be disclosed hereinafter.

The key authentication code is in the form of a PIN chosen by the user. The authorization codes are protected by an authentication firewall 3 which prevents un-authenticated access to the authorization codes.

The lock 12 is sized so as to provide a drop-in replacement for conventional mechanical cylinder locks. It will be appreciated that the electronic locking system may be used in any application wherein a lock may be required. The cylinder 16 and the tailpiece 20 are of plastics material and are coupled to one another in an arrangement wherein the cylinder and tailpiece are rotatable relative to one another in a disengaged condition of the lock 12. In an engaged condition of the lock, the cylinder 16 and the tailpiece 20 are releasably connected to one another by the clutch mechanism, thereby causing the tailpiece and the cylinder to be rotatably coupled.

The cylinder 16 comprises a cylinder casing 29 and a key housing 30 which is fixedly connected to the cylinder casing 29 by means of a cylindrical spigot formation 31 which fits into a socket 32 defined by the cylinder casing. The spigot formation 31 defines a pair of annular ridges 33 and the socket defines a pair of complementary annular grooves 34 in which the ridges are received, providing a snap joint. The key housing defines a keyway 35 in which the key blade 26 is received. The key housing 30 includes two electrical contacts 37 which each comprise a pair of wiping contacts which make electrical contact on opposite sides of each of the two key blade portions. The wiping contacts for each key blade portion ensure that an adequate electrical connection is maintained between the lock and the key from the point of entry of the key

blade 26 into the keyway 35, providing at least 150 μs during which the authorisation process may take place before the key is fully inserted and the user starts to turn the key. The contacts 37 are connected to the control unit 18 via electrical connectors 21.

The key housing 30 further includes a key blade locking pin 23 of a conventional design which interacts with the groove 23.1 in the key blade portion 26.1 , preventing the key blade from being withdrawn from the key housing 30 when the cylinder 16 is rotated. A second cylinder locking pin 25 interacts with an annular groove 9 within the key housing 30 preventing the cylinder 16 from being displaced axially and thereby removed from the lock.

The cylinder 16 is rotatably connected to the tailpiece 20 by means of an annular snap joint wherein the cylinder casing 29 defines three annular ridges 36 and the tailpiece 20 defines three complementary annular grooves 38 which receive the ridges 36 in an arrangement permitting rotation of the cylinder relative to the tailpiece. As such, the cylinder and the tailpiece define common axes of rotation.

The control unit 18 includes electronic control means in the form of an electronic key interface 4 which provides an electrical connection with the key blade 26 of the key 14 and for data transmission between the key 14 and the lock 12. When electrical contact is made between the lock interface 5 and the key interface 4, the key 14 supplies a pulse of electrical power to the lock 12. The control unit 18 includes a power capacitor which releases sufficient

electrical power to the lock enabling it to operate for a short period of time and to communicate with the key via the two-wire bus between power pulses using a Manchester bit-encoding scheme. The control unit 18 includes a microcontroller which is connected to the clutch mechanism 22 and the key interface and which is operable to send an actuation signal to the clutch mechanism for actuating the clutch mechanism.

The control unit 18 includes a memory device in which a number of unique lock authorization codes are stored. Each lock authorization code corresponds to a particular operation requiring authorization, which the lock is to perform.

The primary lock and key interactions consist of:

1) Lock detection: the key 14 detects the presence of a powered or un- powered lock 12.

2) Power provision: the key powers up an un-powered lock and subsequently provides power to the lock on request.

3) Lock identification: the key identifies the lock so that it can perform operations on the lock.

4) Authorisation: the lock challenges the key to prove it has authorisation to invoke operations.

5) Operations: the key executes authorized operations on the lock. Signals associated with operations may be interleaved with authorisation challenges and power requests.

The microcontroller of the control unit 18 holds a digital input high with a weak pull-up resistor and enters a sleep mode in which consumes less than 0.1 μA. In the event that the key is put into contact with a capacitive load, the input transitions to low and wakes the microcontroller. The key then tests the lock with a power pulse to verify it is indeed a compatible lock. If so, the key initiates a power-up sequence. The key subsequently supplies power to the lock on demand.

The microcontroller of the control unit 18 includes encryption means in the form of a random number generator which is operable to generate random number sequences as a security feature, the purpose of which will be explained hereinafter.

When an un-powered lock is detected, the key initiates a power-up cycle by sending a series of square pulses at 128kHz for 4ms. The lock then wakes up within the 4ms pulse and remains in a quiescent state for approximately 4ms following the pulse.

The electronic locking system 8 utilises a "challenge/response" communications protocol for communications between the lock 12 and the key 14. The interface between the lock 12 and the key 14 consists of physical,

electrical and protocol elements that enable a key to communicate with the lock into which it is inserted, and is described in further detail hereinafter. Each lock has a globally unique identity (GUID), which is queried by the key when it is inserted into the lock. The key then uses this GUID to locate any authorizations it may have for this lock in its own database. The key then attempts to invoke a command on the lock (usually OPEN, to open the lock). The control unit 18 lock sends a "challenge" ("CHAPC") signal to the key. With reference to Figure 27, the CHAPC signal consists of a random 64-bit sequence generated by the random number generator. Upon receipt of the CHAPC signal, the key combines the random sequence with the relevant key authorization code stored in the SIM card of the key, thereby foiling possible "man-in-the-middle" attacks. The authorization code and the random sequence are mixed according to a prescribed one-way hashing algorithm to generate a 64-bit hash number.

In response to receipt of the CHAPC signal, the microcontroller of the key, generates and sends a return signal ("CHAPR") to the lock. The lock performs the identical operation combining the random sequence with the corresponding lock authorization code and if the two results are identical, then this is proof that the key is in possession of the correct authorization code and the control unit 18 of the lock generates an actuation signal allowing the operation to proceed. The lock thereafter returns a signal ("CHAPS") to the key advising the key of the outcome of the authorization procedure, and then proceeds with or aborts the operation. The authorization process described and the hashing functions used are widely deployed and in common use, the

primary objects being to enable the key to prove it is in possession of the secret key authorization code without revealing the authorization code itself, or provide any information that would permit an observer to easily determine the key authorization code, or permit an interceptor to substitute one command for another, or permit an interceptor to replay a prior authorization.

It will be appreciated that each of the key authorizations are unique and are associated with the kind of operation(s) that a possessor of that authorization is entitled to invoke. Examples of operations are "OPEN" to open the lock; "ISSUE" to issue an authorization to another key; and "ZAP" to wipe all authorizations from the lock and return it to its virgin state. The key authorization codes may be associated with one of these commands, or the key may have a single key authorization code in the form of a so-called "master" authorization which authorizes the key to perform any kind of operation on the lock.

It will be appreciated that one or more keys may be issued to each of a number of authorised users wherein the keys may or may not have the same authorization codes stored therein. As such, authorized users in possession of the keys may or may not be authorized to perform the same operations on a compatible lock. Only when the lock has verified that the key is in possession of sufficient authorization to execute an operation, will the lock proceed with the operation. The lock has no knowledge of the key's identity, and does not rely upon knowing a key's identity in order to perform the authorization. The only knowledge the lock has of the user is the identity of the authorization. As

an association is not made by the lock between an authorization and an individual's identity at the time the authorization is issued, authorized access is effectively anonymous.

The key 14 may also have one or more so-called "master" key authorization codes stored in its SIM card, which may be used to instruct the lock 12 to issue an authorization for a particular operation to be performed on the lock, to another key. Typically, these "master" authorizations are protected by an authentication mechanism as they would permit someone with temporary access to the key to issue a "master" authorization to the lock. With reference to Figure 29, the authentication mechanism is illustrated. Usually, the key is in a "locked" mode that prevents access to the master authorizations. To employ one of the master authorizations, the user must first tap in a three digit PIN number using the button 27 (for example, the PIN "235" must be entered by pressing the button twice, pausing, pressing the button three times, pausing, etc.). This is also the manner in which the key authentication code is inputted to the authentication controller of the key. On entry of a valid PIN, the key becomes "unlocked", during which master authorizations may be used. If the key remains unused for longer than 30 seconds, the key then reverts back to the "locked" mode. This implementation of the authentication function is simple and cheap but may be improved by means of a finger print reader for example, which are now also commonly deployed on memory sticks, PDA's and laptops. In Figure 26, a detailed overview of the manner in which a separate master key (key 1) is used to issue an "OPEN" authorization to

another key (key 2), is illustrated. The indicator lamp 1 mounted to the key body flashes to indicate a successful step in the process.

The clutch mechanism 22 comprises a 0.3mm thick silicone steel cup 40, a locking member in the form of a coupler 42, a coil 46 and a cylindrical Neodymium magnet 48 which contacts the steel cup 40 at a rear end of the magnet and which is partially located within the coil 46 at the front end of the magnet. The clutch mechanism 22 further includes a blocking member in the form of a bobbin 50 which is displaceable over the magnet 48 and which is acted upon by urging means in the form of a 5mN bobbin return spring 52. The spring is a compression coil spring. Electrical wires (not shown) extend from the coil 46 via holes 54 in the steel cup 40 to the control unit 18 for energising the coil.

With reference to Figures 9 - 11, the bobbin 50 comprises a cylindrical wall 56 defining a central aperture 57, a flange 58 which is disposed at the rear end of the wall 56, a pair of blocking cogs 60.1 and 60.3 and a pair of guide cogs 60.2 and 60.4 which project radially outwardly from the flange 58. The blocking cogs 60.1 and 60.3 are disposed diametrically opposite one another, and the guide cogs 60.2 and 60.4 are similarly disposed diametrically opposite one another. The cogs 60.1 and 60.3 each define slanted engagement faces 62.1 and 62.2, respectively, the purpose of which will be explained hereinafter. The cogs 60.1 and 60.3 further define slanted release faces 64.1 and 64.2, respectively, which are disposed opposite the engagement faces the purpose of which will be explained hereinafter. The cogs 60.2 and 60.4

further define slanted retreat faces 60.5 and 60.6, respectively, the purpose of which will also be explained hereinafter.

With reference to Figures 12 - 14, the coupler 42 comprises a central boss 66, a pair of curved wall sections 68.1 and 68.2 which are disposed opposite one another and which are joined to the boss 66 by means of webs 70.1 and 70.2. The curved wall sections 68.1 and 68.2 define circumferential spaces 78.1 and 78.2 between them. Distal ends of the wall sections 68.1 and 68.2 define slanted release faces 80.1 and 80.2, respectively, at operative rear ends thereof. Proximal ends of the wall sections 68.1 and 68.2 define engagement faces 82.1 and 82.2, respectively, at operative rear ends thereof. A major part of each distal end of the wall sections 68.1 and 68.2 define abutment faces 92.1 and 92.2. The webs 70.1 and 70.2 define slanted abutment faces 71.1 and 71.2, respectively. Elongate well formations 69.1 and 69.2 penetrate into the webs 70.1 and 70.2 from the front end of the coupler. The well formations are of sufficient size to accommodate the axial torsion spring peg 96.1

With reference to Figure 15, the tailpiece 20 has a generally cylindrical configuration defining a front face 72 having a first engagement formation in the form of a first protuberance 74 and second engagement formation in the form of a second protuberance 76. The protuberance 74 has a slanted release face 74.1 at one end and an engagement face 74.2 at an opposite end thereof. The second protuberance 76 defines a slanted release face 76.1 at one and an engagement face 76.2 at an opposite end thereof.

In the assembled condition of the clutch mechanism 22, the rear end of the coupler 42 abuts the front end of the tailpiece 20, with the bobbin, having the coil 46 wound thereon, being located within the coupler, the assembled clutch mechanism being received within the cylinder casing 29. With reference to Figures 16 and 17, in the inactivated condition of the clutch mechanism 22, the protuberances 74 and 76 are located within the spaces 78.1 and 78.2, respectively, defined by the coupler 42. As such, when the coupler 42 is caused to rotate in a clockwise direction relative to the tailpiece 20 (when viewed from the front end of the lock), the engagement faces 82.1 and 82.2 engage the engagement faces 76.2 and 74.2, respectively, causing the coupler and the tailpiece 20 to become rotatably coupled. In this manner, torque can be applied via the coupler 42 to the tailpiece 20. Rotation of the coupler 42 in a counter-clockwise direction (when viewed from the front end of the lock) relative to the tailpiece, causes the slanted release faces 80.1 and 80.2 of the coupler 42 to slide over the slanted release faces 74.1 and 76.1 , respectively, of the tailpiece 20, thereby causing the coupler to lift off the tailpiece and thereby become disengaged therefrom.

With reference to Figure 18 of the drawings, the coil 46 is a hollow cylinder with an outer diameter of 4.88mm, an inner diameter of 3.68mm and a width of 2.11mm. The coil 46 is electrically connected to the control unit 18 via electrical conductors 19.1 and 19.2. The magnet 48 is 3 x 3mm Neodymium magnet which provides a radial clearance of 0.35mm between the magnet and the coil, sufficient to permit winding of the coil on the cylindrical wall 56 of the bobbin 50. The cylindrical wall 56 of the bobbin is 0.2mm thick, which is of

adequate thickness to permit fabrication by conventional plastic moulding techniques. As the force drops off as the clearance is increased, the clearances should be kept as small as possible. A radial clearance of 0.14mm provides sufficient clearance for mounting misalignments or coil distortion.

The coil 46 has a resistance of 300 ω drawing 6.67mA at 2V. The coil is fixedly coupled to the bobbin 50 which permits it to be slid over the front end of the magnet 48. The force generated by the coil 46 ranges from 10.7mN to 12.7mN as the coil is displaced across its operating range of 1.3mm (see Graph 1). The force of the bobbin return spring ranges from 5.OmN to 7.7mN over the corresponding range. These forces are sufficient to accelerate the bobbin 50 and coil 46 with total mass of about 70mg at an acceleration of 5- 8g, providing an overall actuation time of 6ms.

Graph 1 : Forces during actuation

The cup 40 has a baseplate 41 defining two electrical wire channel holes 54 and a cylindrical side wall 58 which extends from baseplate 41. The cup 40 serves three functions: firstly, to conduct the magnetic flux from the far pole of the magnet 48 across the coil 46, which increases the coil force by about 30%; secondly, to prevent excessive magnetic flux from escaping which may interfere with other devices and/or attract metallic particulate matter; and thirdly, to provide protection against external magnetic interference. The bobbin return spring 52 is seated between the baseplate 41 of the cup 40 and the coil 46.

With reference to Figures 4 - 8 of the drawings, the cylinder casing 29 defines an inner cylindrical wall section 84 which has a slightly larger internal diameter than the external diameter of the coupler 42, thereby permitting the coupler 42 to be received within the cylindrical wall section 84. The cylinder casing 29 has a pair of diametrically opposed longitudinally-extending ribs 86.1 and 86.2, which project inwardly from the wall section 84. An annular stop formation 88 extends inwardly from the wall section 84. Curved lips 89.1 and 89.2 extend from the stop formation 88 towards the front end of the lock. The casing includes two diametrically opposed guide arms 88.1 and 88.2 which are spaced from the wall section and which extend longitudinally from the stop formation towards a front end of the lock. Tabs 90 extend inwardly from distal ends of the ribs. The guide arms 88.1 and 88.2 define slanted retreat faces 88.4 and 88.5 respectively; and further define slanted lifting faces 88.6 and 88.7, respectively, the purpose of which will be described hereinafter.

When received within the casing 29, the ribs 86.1 and 86.2 are received within the circumferential spaces 78.1 and 78.2, respectively. As such, when the cylinder casing 29 is caused to rotate in an anti-clockwise direction (viewed from the rear end of the lock), the abutment faces 92.1 and 92.2 are brought into abutment with the ribs 86.2 and 86.1 , respectively, thereby permitting a torque which is applied to the cylinder casing 29 to be transmitted to the coupler 42. The casing 29 defines a number of locating formations 87 at its front end for locating and connecting the key housing 30 thereto.

In the inactivated (home) condition of the clutch mechanism 22, the bobbin 50 is located within the coupler 42 in an arrangement wherein the front end of the boss 66 of the coupler is received within the aperture 57 of the bobbin.

In an uncoupled condition of the lock, the cylinder 16 is not engaged by the clutch mechanism and thus not coupled to the tailpiece 20. As such, when the key housing 30 is rotated by the key, the cylinder 16 rotates in synchrony with the key housing 30 but the tailpiece 20 and thereby the tailpiece adapter 24, is left unmoved.

In use, when the key 14 is inserted into the keyway in the key housing 30 and the code communicated to the control unit 18 is authenticated, an energy pulse is sent from the key to the control unit energizing the coil 46 thereby to actuate the clutch mechanism. The bobbin 50, actuated by the coil 46, is impelled into the steel cup 40. With reference to Figures 23A - 23D, the blocking cogs are lifted above the webs 70.1 and 70.2 of the coupler 42,

permitting the coupler 42 to rotate freely with respect to the bobbin 50. Figure 23A shows the clutch mechanism 22 in its home position prior to the coil being energized. Figure 23B shows the retraction of the bobbin upon activation of the coil 46. As the cylinder 16 is rotated with respect to the tailpiece 20, the ribs 86.1 and 86.2 of the cylinder abut against the abutment faces 92.1 and 92.2, respectively, transmitting the torque from the cylinder to the coupler 42. The engagement faces 82.1 and 82.2 of the coupler 42, in turn abuts the engagement faces 76.2 and 74.2 respectively, of the tailpiece 20, thereby causing the cylinder and the tailpiece to become rotatably coupled and the torque to be transmitted from the cylinder to the tailpiece. Figure 23C shows the lock rotated through 15°, whereas Figure 23D shows the lock in an engaged position rotated through 34.8°.

With reference to Figures 22A - 22E, when the coil is not actuated and the cylinder is rotated with respect to the tailpiece, the engagement faces 62.1 and 62.2 of the bobbin blocking cogs 60.1 and 60.3 engage the abutment faces 71.1 and 71.2, respectively, of the coupler 42, causing the bobbin 50 and coupler 42 to become locked together as a single unit (see Figure 22B). In a coupled condition of the lock, the bobbin and coupler are coupled and further turning of the cylinder 16 results in pressure being applied via the lifting faces 88.6 and 88.7 on the guide arms 88.1 and 88.2, respectively, and the lifting faces 64.1 and 64.2 on the bobbin blocking cogs 60.1 and 60.3, respectively; and pressure is further applied between the engagement faces 82.1 and 82.2 of the coupler 42 and the engagement faces 74.2 and 76.2 of the tailpiece. The combined slopes of both the lifting and engaging faces are

configured so as to overcome any friction existing between the surfaces with a minimum required angular rotation, causing the rotatably coupled bobbin and coupler assembly to be ejected along the cylinder casing towards the front end thereof (see Figure 22C).

The coupler is lifted off the tailpiece 20 (see Figure 22D), and the clutch mechanism is thus disengaged and the cylinder is free to rotate with respect to the tailpiece (see Figure 22E).

An essential requirement for the clutch is that it must not be possible to engage it by means of external acceleration or shock, and this is accomplished in the following manner. The mass of coupler 42 is balanced by a torsion spring 96 which extends between curved step formations 98.1 and 98.2 extending inwardly from the wall sections 68.1 and 68.2 of the coupler, and the step formation 88 of the cylinder casing. As such, when the clutch mechanism is accelerated from the front end of the lock towards the tailpiece 20 at an acceleration exceeding 3g, the coupler 42 sinks into the cylinder casing. The bobbin 50 and coil 46 are relatively light and as such, will only sink into the cup 40 against the force of the spring 52 at a relatively higher acceleration. For all accelerations, the bobbin 50 thus rests on the coupler in its blocking position, and any attempt to turn the cylinder will result in the clutch mechanism being disengaged.

When subjected to rapid shock or violent vibration, however, the motion of the bobbin with respect to the coupler is mostly random. In this event, the coupler bounces up and down along the cylinder casing. With reference to Figure 2 and Figure 14, the torsion spring 96 maintains a constant torque on the coupler. An axial leg 96.1 at the end of torsion spring 96 penetrates one of the well formations 69.1 or 69.2. A perpendicular leg 96.2 braces against one of the ribs 86.1 or 86.2 in the cylinder casing. In this manner, the torsion spring 96 retains the coupler against the ribs 86.1 and 86.2 of the cylinder casing. With reference to Figures 24A - 24 D, if the cylinder is rotated with respect to the tailpiece 20, when subjected to shock, the coupler is lifted off the protuberances 74 and 76 of the tailpiece 20. The torsion spring 96 rotates the coupler over the protuberances 74 and 76 towards the ribs 86.1 and 86.2 of the cylinder casing, causing the clutch to become disengaged.

In addition to longitudinal shock the cylinder could be subjected to angular shock, in which event the force of the torsion spring could be overcome, causing the cog to become re-engaged. However, there is no theoretical limit to the strength of the torsion spring that can be employed, and the slopes of the engaging faces 74.2 and 76.2 can be correspondingly adjusted to compensate for the friction on the slopes to ensure that the shock response of the coupler remains un-affected when torqued by the torsion spring. Even with a relatively weak torsion spring, it proves in practice to be exceedingly difficult if not impossible to engage the clutch mechanism by means of external shock alone.

A design target is to minimize the turn angle required from the home position to the point at which the clutch mechanism engages; usually a lock set requires this turn to be less than 35°. This is accomplished, firstly, by making the angular width of the bobbin blocking cogs 60.1 and 60.3 as small as is compatible with mechanical requirements; and, secondly, by employing slanted retreating faces 88.4 and 88.5 of the guide arms 88.1 and 88.2 of the cylinder casing 29. The retreating faces are angled such that when the bobbin 50 is lifted up the guide column, the bobbin faces 60.5 and 60.6 on the bobbin guide cogs 60.2 and 60.4 interact with the retreating faces 88.4 and 88.5 to cause the bobbin to rotate in a clockwise direction as seen from the rear end of the lock. This rotation brings about an additional clearance between the engaging faces 62.1 and 62.2 on the bobbin and the engaging faces 71.1 and 71.2 on the cog, permitting the engaging faces to be partially engaged prior to actuation of the coil and consequently requiring a smaller turn before the clutch mechanism is engaged.

The clutch mechanism 22 may include a clutch actuation position indicator mechanism which is operable to notify the microcontroller of the control unit 18 when the clutch mechanism is in a position to be actuated. The clutch actuation position indicator mechanism is facilitated by a formation within the cylinder which generates a small clicking sound that is detectable as a voltage spike in the coil 46. The microcontroller is operable to generate an actuation signal in response to the voltage spike being detected by the microcontroller.

The benefit of such a mechanism is that the power need only be applied to the actuator when the user starts to turn the cylinder, thereby prolonging the key's battery life. In practice however the key's power consumption is dominated by the standby current required by the key's electronics, and such mechanisms are therefore optional in a real-world application.

It will be appreciated that the exact configuration of the lock and of the key may vary greatly while still incorporating the general principles of the invention described hereinabove. In particular, the applicant envisages that engagement of the cylinder and tailpiece can be achieved by means other than cogs, such as ball bearings, pins, ratchets, toothed wheels or friction- engaging members all of which are comprehended by the above invention. The exact configuration of the clutch mechanism may also vary while still incorporating the essential features defined herein.