High security electronic combination lock

BACKGROUND OF THE INVENTION

Mechanical combination locks such as those found on safes, vaults, cabinets and other high security enclosures are well known and subject to a number of attacks, such as by drilling, manipulation, and computer controlled auto dialing.

Electronic combination locks for such enclosures have been invented which provided the opportunity to increase the level of security afforded by the lock, while at the same time overcoming many of the shortcomings of the prior art mechanical locks. Two examples of these locks may be found at. U.S. Pat. No. 5,061,923 entitled Computerized Combination Lock and U.S. Pat. No. 5,517,184 entitled Electronic Combination Lock with High Security Features.

Recently an improved high security electronic combination lock has been invented which provides the opportunity to greatly increase the level of security afforded by the lock, while at the same time overcomes many of the short comings of prior art mechanical and electronic locks.

A dial type mechanical combination lock relies on the rotation of a knob to positions represented by numbers on the dial to rotate mechanical elements within the lock, such that the wheels of the mechanism align to allow a bar to drop into the wheels and retract the lock bar or bolt, allowing the enclosure to be opened.

The electronic combination lock does not have the equivalent mechanical elements and, therefore, cannot be attacked in the same manner. For example, the mechanical lock may be drilled to permit the insertion of an optical device into the lock mechanism to observe the positions of the wheels and thus their alignment, which permits the opening of the enclosure without the knowledge of the combination.

The electronic lock cannot be drilled for a similar purpose since the electronic lock mechanism will not reveal the position of any element, which gives the attacker any information as to the combination needed to unlock the device. The mechanical lock has a fixed position of internal elements relative to the dial and thus may be observed with the movements of the dial repeated by the attacker, at a later time. The electronic lock may not have a fixed knob to number position relation and thus observation of the movement of the knob is much more difficult if not impossible.

Dialers exist which may be attached to the knob on a mechanical or electrical combination lock and which dial combinations under the control of a computer. As each combination fails, the computer then continues to dial other combinations to eventually unlock the lock. With a combination lock of the mechanical type and sufficient time, a dialer is particularly effective.

Therefore an electronic combination lock is needed that limits the effectiveness of observation of knob position by employing a random time delay from the time the knob starts turning to enter a combination until the display is activated and begins incrementing the number displayed. Additionally, an electronic combination lock is needed that will, from a practical standpoint, prevent the use of an auto dialer or a person from determining the correct combination.

SUMMARY OF THE INVENTION

The electronic combination lock disclosed and described herein solves the problems discussed above and is a combination lock having a knob, which requires no divisions or markings relating to the numbers of the combination thereon. The rotation of the knob drives a generator, which produces electrical power. The power generated serves as a power source for the electronics of the lock. A knob rotation detector provides a signal to the microprocessor. The microprocessor utilizes this signal to determine the speed and amount of rotation of the knob.

The program controls the microprocessor. The ability to control the microprocessor with a microcode control program is an advantage in that the many functions and features may be added to make the lock mechanism and the enclosure more secure.

When the knob is rotated, the knob position detector sends a signal to the microprocessor. This signal is received by the microprocessor. The signal enables the microprocessor to determine the speed of rotation of the knob. As the speed of the rotation of the knob varies, the rate of change of the displayed numbers may change. This is accomplished so that at a high rate of knob rotation the displayed numbers may change at a high rate while at the lower rates or rotation, the rate of change of the displayed numbers may be at a slower rate. Further, the number of degrees the knob must be turned to effect the change of the displayed number will vary so that there may be no consistent amount of rotation required to change the displayed number by one unit. This aspect of the lock also acts to foil the use of a computer-controlled dialer.

The timing capabilities of the lock provide the opportunity to set the minimum time that can be used in the entering of the combination. The lock waits a period of time, typically, two seconds between the entry of one element of the combination and the lock permitting the entry at the next element of the combination. This wait time forces a large amount of time to be expended in trying each combination in an effort to open the lock. With a two-second wait between each combination element (0-99) and using a three-element combination it would take a minimum of 1,667 hours to enter the one million possible combinations.

The microprocessor may also count the failed attempts to open the lock since the last successful operation. If the numbers of tries or attempts to unlock the lock equals or exceeds the number set in the microprocessor microcode, the lock will fail to open even if an authorized combination is subsequently entered. After an error indication is displayed, the lock may be disabled to prevent further entry tries.

In order to eliminate the possibility of correlation between the number displayed and/or entered and knob position, there may be a random time delay between the start of knob rotation and the incrementing the number displayed.

When a condition is created where the lock will not open even with the eventual entry of the authorized combination, the lock electronics must be reset. The reset is accomplished by entering a reset combination or code.

DESCRIPTION OF THE DRAWINGS

FIG. 1

shows the electronic lock positioned on the door of a safe or vault and shows the location of the display and the knob of the lock with no markings as are conventional on mechanical combination locks.

FIG. 2

is a schematic diagram of the lock and its associated electronics.

FIG. 3

is an alternate schematic diagram of the lock and its associates electronics.

FIG. 4

is a side view of the lock.

FIG. 5

is a functional flow diagram of the logic control of the microprocessor of the electronic lock, showing the overall operation and control of the lock.

FIG. 6

is a continuation of the functional diagram of FIG.

5

.

FIG. 7

is a logic flow diagram representing the logic and operations to display numbers and symbols on the display.

FIG. 8

is a logic flow diagram showing a functional flow chart for the Power Down subroutine.

FIG. 9

is a logic flow diagram showing the logic operations used in the Numbers In subroutine.

FIGS. 10 and 11

show the logic flow diagrams representing the subroutine operations that control the electronics when two combinations are required to open the lock.

FIG. 12

is a logic flow diagram showing the logic control operations that tabulate the number of times errors occur in attempting to open the lock, and the preventing of the opening of the lock if the number of erroneous attempts exceeds a predetermined number, with the resulting lock out of the opening commands, if the correct combination is entered.

FIGS. 13-17

are flow diagrams expanding operations illustrated in the previous figures.

FIG. 18

shows a logic flow diagram representing the functional logic that prevents the lock from opening if the knob is left unturned for a pre-selected time without entry of the entire combination.

FIG. 19

is a logic flow diagram representing the logic control of the electronic lock to detect whether the knob of the lock has been turned more than 480 degrees without the knob stopping for a period of more than a predetermined amount.

FIG. 20

is a logic flow diagram representing the logic control operations to detect the stopping of the knob and the timing of the stop, and if the stop time is sufficient to recognize the numbers displayed as a combination element.

FIGS. 21 and 22

are logic flow diagrams that illustrates the logic control operations of the microprocessor to convert the speed of the knob rotation into a rate of incrementation of the displayed number.

FIGS. 23A and 23B

are logic flow diagrams that shows the logic control operations to permit the recovery from a condition where the number displayed is past the target number by less than or equal to 4 and allows the operator to reverse the display sequence and return to a number that is four units prior to the displayed number and to approach the target number again.

FIG. 24

is a functional diagram showing turning off the knob position sensor when power is generated.

FIG. 25

is a logic flow diagram illustrating the feature where the serial number of a lock is used to operate the lock, under some circumstances.

FIG. 26

is a logic flow diagram illustrating the logic and operations which enable the microprocessor to set a flag indicating that the lock security was compromised by an unauthorized bolt movement.

FIG. 27

is a flow diagram showing the microprocessor setting a flag indicating that the operator left the lock in an unsecure condition.

FIG. 28

illustrates the functional logic used to reset the flag use to indicate that an unauthorized access to the container secured by the lock may have occurred.

FIG. 29

is a functional flow chart of the logic used to reset the lock after the erroneous attempts have exceeded the predetermined number of FIG.

12

.

A more complete understanding of the invention may be acquired from the following detailed description of the invention that follows.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT OF THE INVENTION

Referring to

FIG. 1

, the lock

10

in which the invention is embodied is shown mounted on a safe or vault door

12

. The knob

14

is surrounded by a housing

16

, which shrouds the periphery of the knob

14

and supports the display

18

. Display

18

may be mounted separately from the knob

14

. The display shown is a Liquid Crystal Display (LCD) module, but could be any other display device. The knob

14

is attached to a shaft

20

extending out the back of the knob mechanism, through the wall of the safe or vault door

12

and into housing

22

of the electronics

24

of the lock

10

.

Extending from the housing

22

is a bolt

26

that is used to hold the door

12

shut when extended. Also contained in the housing

22

are the mechanical linkages and mechanisms which retract or extend the bolt

26

of the lock

10

. An example of the preferred mechanical mechanism is disclosed in U.S. Pat. No. 5,881,589.

In

FIGS. 2

,

3

and

4

the knob

14

is connected to the retractor drive

30

. A generator

29

may be connected through a clutch and gear train

28

to knob

14

. Generator

29

may generate the electrical power required by the electrical components of lock

10

. Generator

29

may be a stepper motor, a conventional AC or DC generator, a battery, or any other power source that could provide the power required by the electrical circuits used to operate lock

10

. Alternatively, lock

10

may be powered by an external power source, including, but not limited to, AC or DC line power, external battery, or other external signal that the lock

10

could convert into electrical power. Such external signals could include light, infrared, radio, or other signals in the electromagnetic spectrum.

Either knob

14

, retractor drive

30

, or shaft

20

typically interfaces with position detector

31

. Detector

31

will typically have a rotation indicator

32

and at least one sensor

34

. The rotation indicator

32

may trigger the first sensor

34

a

so that the amount of knob rotation may be determined. Additionally, a second sensor

34

b

may be employed when it is desired to know the position of retractor drive

30

with increased accuracy, for example, prior to rotating partial gear

48

. Detector

31

may use a segmented magnet as the rotation indicator

32

and a GMR for sensor

34

. Sensor

34

may be a device that can act as a switch. Examples of these sensors

34

, include, but are not limited to, hall effect devices, photoelectric circuits, reed switches, micro-switches, opto-isolaters, optical diodes, or similar devices. Rotation indicator

32

may be any device that can activate the sensor

34

selected. The output from the sensors

34

a

and

34

b

are then fed to the microprocessor

44

over signal lines

38

and

40

respectively.

The power control device

36

charges an internal capacitor with the electricity generated by the generator

29

. The voltage of the capacitor is then supplied over the power line

42

to the microprocessor

44

. The microprocessor

44

is powered for a limited time with the voltage, stored in the capacitor within power control

36

. Powered time of the microprocessor

44

is dependent upon the capacitance of the capacitor and the current drain of the microprocessor

44

and display

18

. The size of the capacitor(s) may be selected in coordination with the power requirements of the remainder of the system to provide power to the system for approximately 90 seconds after the generator

29

has ceased to generate power. This time period, typically, provides adequate time to open the lock

10

or to pause in the entry of the combination without losing the previously entered elements of the combination.

Microprocessor

44

provides outputs to display

18

. The display

18

is capable of displaying numerals of at least two digits. Additionally, display

18

may be capable of displaying symbols such as a lightning bolt for an error symbol, a key symbol for selection of the combination change mode, and/or arrows. These symbols may aid the operator in using the lock

10

.

The display

18

may be a Liquid Crystal Display or LCD device, which has the advantage of being a relatively low consumer of electrical power. Low power consumption may be a consideration when power is generated by the rotation of the knob

14

and the quantity of power generated may be relatively small when stored within the components of the electronics of the power control components

36

.

As described in greater detail in U.S. Pat. Ser. No. 5,881,589 one device for withdrawing the bolt uses an output from microprocessor

44

to a latch motor

46

. Motor

46

acts to rotate a partial gear

48

to position the partial gear in a position whereby it may be driven rotationally by a series of gear teeth on the periphery of the retractor drive

30

. The partial gear will mesh with the drive

30

and be driven by the rotation of the knob

14

. The partial gear, in turn, will drive a coaxially disposed second gear

50

. The second gear

50

is driven by a pin/slot, lost motion, arrangement wherein the second gear

50

carries a pair of pins that reside in a pair of slots formed into the partial gear

48

. The rotation of the partial gear

48

is a lost motion rotation for a short portion of the movement, at which point the pins and the slot ends are engaged to provide a positive drive of the second gear

50

.

In turn, the second gear is meshed with an idler gear

52

. The idler gear

52

further is meshed and mated with a rack

58

, which either is attached to or forms a portion of the bolt

26

of the lock

10

.

With partial gear

48

in the engaged position shown in

FIG. 2

, rotation of the knob

14

and thereby retractor drive

30

provides the necessary drive forces to drive the gear train gears in their respective directions of gear rotation and, accordingly, provides the forces necessary to drive the rack

58

of the bolt

26

to withdraw the bolt

26

or conversely to extend the bolt

26

, depending upon the direction of rotation of the knob

14

. In order to ensure that the bolt

26

is only withdrawn at appropriate times, whenever a valid combination has been entered into the electronics of the electronic lock and not at other times, the latch motor

46

controls the engagement of the partial gear

48

with the gear teeth on the retractor drive

30

. During periods that the lock is to be left in a secure condition, the partial gear

48

is disposed in a position whereby the teeth on the retractor drive

30

cannot engage the teeth on the partial gear

48

. Alternatively, other devices for withdrawing and extending the bolt may be employed. An example of another device includes, but is not limited to, that shown in U.S. Pat. No. 5,487,290.

The microprocessor

44

may be any suitable microprocessor manufactured and sold on the market. The lock

10

may utilize a microprocessor designated 80C51F and manufactured and sold by Oki Electric Industries Company, Ltd, of Tokyo, Japan.

The operation of the microprocessor is represented by the flow diagram of FIG.

5

. The following description will explain the microprocessor

44

logic operations and flow as the lock

10

is operated.

Microprocessor Operation and Control

Referring to

FIGS. 5 and 6

, the system begins functioning when the generator

29

provides sustaining power to the electronic logic or microprocessor

44

. This is represented by terminator

800

.

When sufficient power has been provided for a fixed time period, the system may initialize the ports, EPROM, LCD, counters, and variables in operation

810

. Typically this fixed time period is approximately two seconds. Additionally, the Random Access Memory (RAM), within the microprocessor

44

may be initialized with all bit switches or flags set to their default conditions, or to the conditions required/allowed/provided by the reset switch in operation

810

. These operations condition the system to accept inputs from sensor

34

a

of the lock

10

.

The lock program may be restarted without the lock turning off. This is represented by terminator

862

. When a program restart is performed a restart flag may be set in operation

812

. This flag controls the initialization process of operation

810

. The program flow then moves to operation

814

.

The microprocessor

44

in operation

814

, checks to see if the lock

10

has been attacked by checking the “CE” and “SA” flags and then generating a signal that may display a “CA”, “SA”, “CE”, or “SC” on display

18

. The “CA” indicates that the lock

10

is ready to accept a combination element entry. The other three codes indicate that the lock

10

has been attacked in some manner and that the lock

10

must be reset. Alternatively, other symbols could be used to indicate if the lock had been attacked. Furthermore, display of a code or symbol is not required and could be omitted.

In decision

816

, a determination is made as to whether this startup is the result of a power on entry or a restart entry of the lock program. One method of checking for a power on entry is to check to see if the restart flag or bit is set to “NO”. If this operational sequence of the system is due to power on, the flow is to decision

818

where the microprocessor

44

checks to see if the generator

29

is still producing power. If the generator

29

is not producing any power the flow branches to decision

822

. When the generator

29

produces power, the microprocessor

44

checks to see how long the power has been produced in decision

819

. If the generator has produced power for longer than a predetermined time period, for example, 2.8 seconds, then the audit and seal counters may be displayed, in operation

820

.

The flow from decision

818

and operation

820

both converge on decision

822

where it is ascertained if the error counter is equal to or exceed a predetermined number, typically 3 or more. If not, the flow branches around operation

824

to decision

826

. If the error counter contains a count of 3 or more, the flow is to operation

824

where the number of errors may be displayed. Thus, showing the operator the number of unsuccessful attempts made to open the lock since the last successful entry.

Thereafter the flow may move to decision

826

, where microprocessor

44

checks to see if the watchdog flag is set. The watch dog flag, when set indicates that the lock has been left with the knob

14

unmoved for a fixed period of time, for example, five seconds. If the flag is set, then the lock may turn off by the Power Down subroutine represented by terminator

1200

.

When the watch dog flag is not set, the flow may move to operation

827

. In this operation a symbol may be displayed to prompt the operator to begin entering the combination, for example, “E

1

” may be displayed, and then the processor waits for the knob

14

to rotate. The microprocessor

44

may wait until the knob

14

rotates in the clockwise direction and the sensor

34

a

sends at least a predetermined number of signals to microprocessor

44

before displaying any numbers. Thus, the knob may rotate before displaying numbers on display

18

. Additionally, the processor

44

may wait a random time period, typically between zero and two seconds while the knob rotates before displaying numbers on display

18

. This random delay time inhibits the ability of an observer to correlate knob position with the combination entered. Optionally, there may be a decision as to whether the NUM

2

switch is “ON” or set. When the NU

2

switch is “ON” the microprocessor

44

may send a signal to display a “00” and the NUM

2

switch would be changed to “OFF”. If the NUM

2

switch is “OFF” a signal may be sent to display a “50” on LCD display

18

and the NUM

2

switch would be changed to “ON”. Alternatively, any other number including a random number could be used instead of the “00” or “50”.

The functional flow then may move to decision

828

where microprocessor

44

determines if a combination element has been entered. If a combination element was entered, the flow moves to block

830

, which represents the Numbers In subroutine shown in FIG.

9

. Following reentry to the main system flow from

FIG. 9

, either an “E

2

” or “E

3

” may be displayed in operation

832

. An “E

2

” is displayed to prompt the operator to enter the second combination element and an “E

3

” is displayed to prompt the operator to enter the third combination element. Alternatively, any other symbol or prompt could be used. In some embodiments it may be desired to blank the display after the entry of a combination element, i.e. no prompt. A blank display

18

may make it more difficult for a person to gain entry with out the authorized combination since the person would not know how many combination elements the lock

10

required.

The flow from decision

828

(“NO” branch) or operation

832

could then move to decision

833

, where the watch dog flag is checked. If the watch dog flag is set, “ON,” then the lock may turn off at terminator

1200

using the Power Down subroutine.

With the watch dog flag “OFF” the flow continues to decision

834

. The microprocessor

44

may check the display switch in decision

834

. If the display needs to be updated due to knob rotation or program function, the display switch or bit is “ON”. When display

18

shows up-to-date information, the display switch or bit is “OFF”. With the display switch “ON” the flow moves to operation

836

which represents the Display.Flo subroutine shown in FIG.

7

. Alternatively, any other method of updating the display

18

may be employed.

When the display bit or switch is not on, or upon completing the display subroutine of

FIG. 7

, the flow enters operation

838

where the microprocessor

44

may check the voltage to ensure sufficient power is available to operate lock

10

. Thereafter the flow loops back to decision

828

discussed above.

Contained within the functional flow chart shown in

FIGS. 5 and 6

are the following subroutines: 1) Display.Flo—controls the display

18

; 2) Power Down—shuts off the power to proessor

44

; and 3) Numbers In—process the combination numbers. The Display.Flo subroutine

836

is discussed first.

Display Control

Block

836

of

FIG. 6

is further expanded in FIG.

7

. The Display Flo subroutine

836

converts the number/character data into a format that can be utilized by the display selected. Referring to

FIG. 7

, the flow enters at block

836

and then converts the tens data to segment data in operation

1100

. The display

18

displays characters and/or numbers made up of segments that are turned on or turned off and the ones turned on in conjunction with the others turned off form contrasting bars against the background of the display, making visible characters and/or numbers. This operation

1100

converts, through a table look up, the character and/or number in the tens position of the display, to data bits, ones and zeros, necessary to turn on or off the segments of the display in the tens position.

Next a check in operation

1102

may be made to ascertain if the display is displaying a combination character and/or number or a character and/or number which represents the mode of the lock

10

. The mode of the lock, if utilized, may condition the lock

10

to be opened with one combination, a minimum of two combinations or a combination which must be entered before any second combination is entered, known as the senior/subordinate mode. When the display

18

is responding to the operation of the lock

10

to indicate what mode it is to operate in, the display

18

may display a single digit, indicating to the operator that a combination is not being entered. During this phase of the lock

10

operation, operation

1102

may pass the flow to operation

1104

where the segment data for the tens position of the display

18

will not be set. When the lock

10

is in its normal operational mode of accepting combination input, the flow may move through the NO path from operation

1102

around operation

1104

, to operation

1106

where the units data is converted to segment data in the same manner as the conversion in operation

1100

. Then the lightning bolt, key and left and right arrows may be set ON or OFF as appropriate.

After converting the data into display data, the display data may be written to the display

18

to cause the display to show the appropriate symbols, in operation

1110

. Thereafter, the flow returns to operation

838

of FIG.

6

.

Power Down

Referring to

FIG. 8

, terminator

1200

represents entry into the Power Down subroutine. Typically, the microprocessor

44

blanks the information displayed on display

18

in operation

1202

. In some embodiments, the lightning bolt (error symbol) could remain displayed to indicate an error condition. Blanking the digits displayed reduces the consumption of electricity by lock

10

. In some embodiments display

18

may continue to display information until the processor and/or power supply is shut down.

The flow may then continue to decision

1204

where microprocessor

44

waits until the generator is not producing power and/or less than five volts is detected in the power storage device. The microprocessor could consider one of these two conditions before continuing to decision block

1206

. Thus, the lock

10

does not require the power storage device to discharge in order to conserve power and to reduce the power generation requirements for the next lock operation. In some embodiments of lock

10

, for security or other reasons, the microcode may require the voltage of the power storage device to drop below a fixed value before completing the power down sequence. This fixed voltage is approximately five volts, however the voltage used for a particular lock

10

will depend on the voltage required to operate the electronics

24

.

While the program flow may travel directly from block

1200

, block

1202

, or decision

1204

to operation

1214

, the flow may move to decision

1206

. The microprocessor

44

may check both the CE flag or switch and the error counter in decision

1206

. When both the CE flag is “ON” and the error counter is greater than a fixed number, typically zero; then a timer may be set for a time fixed in the microcode, typically five seconds. This five-second delay provides increased security for the lock by delaying further entry attempts under these conditions. Alternatively, microprocessor

44

at decision

1206

could check for error, covert entry (CE), or suspicious attempts (SA), or any other condition using “OR”, “AND”, or a mix of “OR” and “AND” logic to provide the level of security desired by the lock manufacturer or lock user. If the security condition check of decision

1206

indicates that long delay is not required the timer may be set for one second in operation

1208

. The one second and five second times are illustrative and may be set for any duration desired.

Next the flow continues to decision block

1212

where the microprocessor

44

waits for the timer set in operation

1208

or

1210

to expire. Thereafter, microprocessor

44

turns off when the power supply is dropped in operation

1214

. When power is once again generated in decision block

1216

the lock-operating program could resume with a power on entry illustrated by terminator

800

(FIGS.

5

and

8

). Alternatively, the microprocessor

44

could test for power generation between decision

1212

and operation

1214

. In this case, if no power generation was detected the microprocessor

44

would be shut down. When power was being generated, however, the lock could restart at terminator

862

at FIG.

5

. The above alternative may provide for faster lock response in some situations.

Numbers In

Referring to

FIG. 9

, Block

830

represents entry into the Numbers In subroutine. The numbers in the combination counter, and shown on the display

18

may be saved as an element of the combination in operation

850

. Thereafter, the program logic checks for entry of all elements of the combination in decision

852

. A combination may use three combination elements. The lock, however, may be programmed to use any number of elements desired. A larger number of combination elements results in a larger number of possible combinations. The larger the number of possible combinations tends to result in a higher level of lock security. If all elements have not been entered, then the flow returns to the main program flow.

When all the numbers for the combination have been entered, then there may be a determination at decision

854

as to whether the operation of the lock is conditioned for single combination operation; and if true, the combination is compared with the stored authorized combination in decision

856

. If on the other hand the lock is not conditioned for single combination operation, the flow branches at decision

854

to the Process Numbers Dual/Senior Type subroutine

855

shown in FIG.

10

. In embodiments of lock

10

employing single combination for entry neither decision

854

nor the Process Numbers Dual/Senior Type subroutine

855

would be required.

The entered and authorized combinations are compared at decision

856

. If the combination does not match then the error signal may be set and the error counter may be updated by incrementation in the lightning error subroutine shown in FIG.

12

and represented by operation

860

. Thereafter, the flow may move to the power down subroutine represented by terminator

1200

.

Referring back to

FIG. 9

, if the combination matches in decision

856

, the ports

62

of microprocessor

44

may be checked to see of the change key

60

has been inserted. If the change key

60

has been inserted into the ports

62

, then the flow may move to block

864

which represents the subroutine shown in FIG.

13

. Upon completion of the routine of

FIG. 13

, the may move to the power down subroutine represented by terminator

1200

.

If the change key

60

has not been inserted, then the flow at operation

858

can branch to operation

866

where microprocessor

44

increments the valid try counter unless the SA detect flag/switch is “ON”. Thereafter, the program flow may move to the Unlock Flo subroutine shown in FIG.

16

and represented by block

868

. Upon completion of the routine in

FIG. 16

the lock is either opened; restarted; indicates an error, if errors are displayed; or shut down.

Lightinig Error

The Lightning Error subroutine is employed to provide the lock operator with a visible indication that either the current operator or a prior operator entered an incorrect combination.

Referring now to

FIG. 12

illustrating the Lightning Error subroutine. The entry point for the subroutine is represented by terminator

860

. First, the error counter is incremented in operation

418

. Thereafter, microprocessor

44

checks to see if the error counter is larger than a predetermined number in decision

420

. This number may be approximately fifteen. If the error counter is smaller than the predetermined number, the flow branches around operation

422

to operation

424

.

When the error counter is equal to or exceeds the predetermined number, the microprocessor

44

will set the SA detect switch “ON” in operation

422

. Thereafter, the flow may move to operation

424

where an error symbol may be displayed. A lightning bolt is an example of one symbol that may be utilized as an error symbol. Thence, the program flow may return to the main flow.

Combination Change

Referring now to

FIG. 13

showing the Get Combo.Flo subroutine. This subroutine may be employed to change the combination for the electronic lock. The mode of the lock may check to see if a second combination is required to open the lock, in decision

900

. If not, the flow branches around operation

902

to operation

904

. If a second combination is required to open the lock, then the second combination may be obtained in operation

902

, from the knob input as discussed above for

FIGS. 5-11

.

After receiving the second combination, if required, the type or mode of operation for lock

10

may be selected, for example, as either single, dual or senior/subordinate mode in operation

904

. When single combination mode is selected, decision

906

moves the flow is to operation

908

which represents the Single.Flo subroutine shown in

FIG. 14

; when the routine in

FIG. 14

is complete, the flow returns to the main program flow where the new combination is acquired. To enhance the security of lock

10

the new combination may be required to be entered on the same power cycle.

If the determination at operation

906

is that the lock is operating in a mode other than a single mode, the flow is to block

912

which represents the Dual Combo.Flo subroutine of

FIG. 15

, and when that subroutine is complete, the flow returns to the main program flow where the operator(s) enter two combinations. Some embodiments of lock

10

may utilize only a single combination to open the lock. Consequently, only block

908

could be employed to change the combination.

Referring again to

FIG. 13

, block

908

represents the Single.Flo subroutine illustrated in FIG.

14

. Thus block

908

is expanded into a subroutine and when the subroutine in

FIG. 14

is complete, the flow returns to FIG.

13

.

In

FIG. 14

, the flow enters the subroutine at

908

from FIG.

13

and the new combination may be entered by the operator in block

1050

. The combination entry process was previously described in

FIGS. 5-11

, above.

To allow operator verification, once the combination has been entered, it may be flashed back on the display

18

to the operator. After the combination has been displayed to the operator, operation

1054

may provide a message to the operator prompting the operator to pull out the change key

60

from the ports

62

. One message that may be displayed is “PO”. Alternatively, any other message could be used to prompt the operator in operation

1054

. Additionally, the microprocessor may not provide any signal and may wait for the operator to remove the change key

60

.

The electronic control may then wait in operation

1056

until the change key

60

has been removed from ports

62

. The removal of the change key may signify the completion of the combination change. When the key

60

has been removed, the control logic flow may progress to operation

1058

where the new combination flag may be written into memory. Thereafter, the flow may return to the flow of

FIG. 13

where the operator may be prompted to confirm the combination by entering the new combination. If the combinations do not match, then the new combination may not be saved and the operator may repeat the combination change process. When the combinations match the new combinations may be saved as the new authorized combination for the lock. Alternatively, the combination entered may be saved without verifying the changed combination.

Unlocking and Opening the Lock

Referring back to

FIG. 9

, block

868

represents the Unlock.Flo subroutine shown in FIG.

16

. This subroutine permits opening the lock when the correct combination is entered unless the operator has been locked out. In

FIG. 16

, the number of valid combinations entered is checked, in decision

406

to determine if this number is greater than or equal to a predetermined number and if the number is less than the predetermined number the flow may move to decision

407

where the where the microprocessor

44

checks to see if the covert entry (CE) flag or bit is set “ON”. If the CE flag is “ON” then the flow would go to the Lightening Error sub-routine of

FIG. 12

represented by terminator

860

.

Typically, when the CE flag/switch is “ON”, lock

10

can not be opened until the entry of a CE reset combination. There exist situations, however, when a safe, vault, or other security container must be opened before the person with the CE reset combination can arrive. Therefore the Unlock Flo subroutine may permit opening the lock after the entry of five consecutive valid combinations. Some embodiments of lock

10

may not utilize the covert entry (CE) feature. Thus, decision blocks

406

and

407

may be omitted.

When the valid combination counter is greater then or is equal to the predetermined number or the CE flag is set “OFF”, the microprocessor

44

checks to see if the SA-NE switch or flag is set “ON” in decision

408

. The SA-CE switch may be ON after the operator enters a valid CE reset combination as part of the SA reset subroutine shown in FIG.

29

. If the SA-CE switch is “ON”, then the flow may move to operation

410

where the SA-CE switch is cleared (set to “OFF”) and the SA Detect switch is reset. The flow may then move to operation

862

, where the program restarts as shown in FIG.

5

.

If the SA-CE switch is “OFF” then the flow may continue to decision

409

where the status of the surreptitious attempts (SA Detect) switch is checked. If the SA Detect switch is ON, then the flow may move to the Lightening Error sub-routine represented by terminator

860

. When the SA Detect switch is OFF the flow may continue to block

411

where the valid try counter could be reset.

The microprocessor

44

may then check to see if the combination change (Combo Chg Sw) switch or bit is set on in operation

413

. If the Combo Chg Sw is “ON” and the CE flag is “OFF” then the flow may move to block

414

to open the lock

10

using the subroutine shown in FIG.

17

. When the Combo Chg Sw is set “OFF” or the CE flag is “ON” then the microprocessor

44

may check to see if the knob

14

has been turned too far without stopping in decision

412

. If the knob

14

has been turned too far then the flow will be to terminator

860

representing the Lightning Error subroutine. The amount of knob

14

rotation required to signal that the knob

14

has turned to far without stopping may be set by the programmer in the microcode. Knob

14

rotation without stopping may be limited to the range of one turn (

360

degrees) to three turns (1080 degrees). If the result of decision

412

is negative the flow will continue the OpenLock.Flo subroutine represented by operation

414

.

Referring now to

FIG. 17

, in operation

970

, the lock is opened or conditioned for opening and the error counter is reset. The contents of the error counter is representative of the number of unsuccessful attempts to open the lock

10

following the last successful operation. Further, the audit counter is updated by incrementing its contents to reflect the latest successful entry. Then the flow may return to the program flow illustrated in

FIG. 9

where the lock

10

may enter the power down subroutine represented by terminator

1200

.

Dual and Senior/Subordinated Combination Feature

Referring back to

FIG. 9

, decision

854

, if the lock

10

requires more than one combination to unlock the lock

10

, then the flow branches to the Process Numbers Dual/Senior Type Flow represented by terminator

855

. The flow from terminator

855

continues to FIG.

10

. Here, microprocessor

44

determines if the lock

10

is in the dual combination mode in decision

874

. When the operation is a dual combination type operation the combination match is checked in decision

876

and if the combination does not match either authorized combination, the error flag is checked at decision

877

and if ON the lightning bolt is displayed in the Lightning Error Subroutine represented by operation

860

and the error counter updated. The error flag is then reset in operation

861

.

Should the error flag be OFF in decision

877

, the error flag is set in operation

879

. The flow from operations

879

and

861

is to the Power Down subroutine represented by terminator

1200

.

When the combination matches, the ports

62

of the microprocessor logic control device

44

may be checked to see if the change key

60

is inserted in decision

878

. If not, the decision is made in operation

880

as to whether one combination has already matched and, if so, the flow is to the OpenLock.Flo subroutine in

FIG. 16

, previously described. If decision

880

determines that no previous combination has been matched, then a flag is set in operation

882

and the flow moves back to the reentry point. Typically, this reentry point may be at point A or operation

827

of FIG.

6

and is represented by terminator

827

.

If the change key

60

is detected in decision

878

the flow may move to the GetCombo.Flo subroutine represented by operation

864

. Thereafter, the flow could move to the Power Down subroutine represented by terminator

1200

, both previously described.

Referring back to decision

874

, if the lock is not conditioned to open in response to a dual combination entry, then the flow branches the Process Numbers Senior Mode flowchart represented by terminator

875

. The flow from terminator

875

continues on FIG.

11

. The change key

60

may be detected in decision

888

. When the change key

60

is preset the flow may move to the GetCombo.Flo subroutine represented by block

864

. Thereafter, the flow could move to the Power Down subroutine represented by terminator

1200

, all previously described.

If the change key

60

is not inserted into the ports

62

, the combination is compared in decision

890

to the senior combination. If the senior combination matches, then the senior combination flag is toggled on/off in operation

892

. This either enables the subordinate combination or disables the acceptance of the subordinate combination respectively.

When the combination does not match the senior combination in decision

890

, the microprocessor checks to see if the senior flag is set ON in decision

894

and, if so, the combination is checked against the subordinate combination in decision

896

. If either of the decisions

894

or

896

test false, then the flow from the respective decisions may be to the Lightning Error subroutine represented by operation

860

, previously described.

When the combination matches the subordinate combination in operation

896

, the flow is to block

868

which represents the Unlock.Flo subroutine of

FIG. 16

, which has been previously described. The flow from operations

868

or

860

could be to the Power Down subroutine represented by terminator

1200

.

Dual Combination Change

Referring to

FIG. 13

, block

912

represents the subroutine illustrated in FIG.

15

. Upon entry to the subroutine in

FIG. 15

the new combination is acquired or read as the first of two combinations, in operation

1000

. Then in operation

1002

, the combination may be flashed back to the operator, permitting the operator to observe the new combination that has been entered. After the combination has been flashed back to the operator for a predetermined time, the logic control may flow to operation

1004

where the new combination, the second of two, is read. The new, second combination may be flashed back to the operator for verification in operation

1006

. After the flashing ceases, as in operation

1002

, the message “PO”, standing for Pull may be displayed on the display

18

to inform the operator to pull the change key

60

from ports

62

. At this point, in

FIGS. 14 and 15

at operations

1058

and

1012

respectively, the change key symbol may be turned off and a message “CC” could be displayed to prompt the operator to confirm the combination(s) by entering the new combinations(s). Thence, the bolt

26

may be retracted and the new combination(s) may be stored in combination memory, completing the change of combination operation.

After the message “PO” may be displayed, operation

1010

may continue to sample the ports

62

to determine whether the change key

60

has been removed. The looping and sampling could continue until the key

60

is confirmed as removed, whereupon, in operation

1012

, the write new combination flag is set and the flow may return to the flow in

FIG. 17

at operation

914

. With this understanding of the operation and control of the microprocessor, the operation of the microprocessor will be described with respect to the several security features.

Fast Entry Prevention

A dialer attacks a combination lock by dialing combinations until the lock opens. In order to open a lock in a short time period a dialer typically rotates the dial rapidly. Consequently, it is desirable to slow down the entry of lock combinations. By slowing the acceptable entry of a combination, it insures that the lock may statistically withstand such an assault for a longer time. If a dialer were devised to overcome some or all of the other safeguards and features of the lock, slowing the acceptable entry rate reduces the number of entries that may be attempted in a given period of time. Time is an enemy of the attacker, and exposes them to detection. Thus, anything that will delay the attackers success is useful.

Accordingly, the electronic lock

10

is provided with a timer within the microprocessor

44

, which may wait a fixed time period, for example, two seconds after power-on, before entry of the first number of the combination. Additionally, this wait may be required after the entry of each subsequent number of the combination. Therefore, the total mandatory wait time could be eight seconds.

The internal clock timer of the microprocessor

44

may be started at power-on when the microprocessor

44

is supplied sufficient power from the power control

36

to operate the electronics

24

. After the lock

10

has received power for the fixed time period the lock electronics

24

may then accept the entry of the first combination number. After the entry of each subsequent combination number there may also be a wait period. Thus, the lock

10

may not be entered in less than eight seconds and since, from a practical standpoint, it will take additional time to rotate the knob to the proper number, it is unlikely that the lock could be opened in less than 10 seconds by someone who know the proper combination. This feature reduces the effectiveness of an attack with a dialer.

If the combination is found to be correct, the lock may be opened or a change of combination effected, as previously discussed. The logic of the fast entry feature is shown in FIG.

20

.

The prevention of entering a combination too rapidly acts to defeat the operation of a dialer. Accordingly, the selection of a minimum time, which must be exceeded in the entry of a combination, enhances the security of the lock

10

.

Maximum Unattended Period Safeguard Feature

A common and serious security violation is to enter the first two numbers of a combination so that the third number may be entered at a later time with a minimum of delay in accessing the enclosure. This practice allows one who knows only the last number of a combination to access the enclosure.

The electronic lock disclosed herein has a capability to defeat a partially entered combination and thus return the lock to a scrambled locked condition.

FIG. 18

illustrates the function of this feature combined with the fast entry prevention feature of lock

10

. The feature may start after the display of “E

1

”, “E

2

”, or “E

3

” as shown in

FIGS. 5 and 6

. Alternatively, this feature could start when the lock

10

is ready to accept the input of a combination element. Block

250

represents these prior actions. A timer is set to the period of time selected for this feature in operation

252

. One time period may be five seconds. The microprocessor may check for knob

14

rotation followed by a stop in decision

254

. If the knob

14

has rotated and then stopped for more than the number entry stop time allowed in the microcode, then the logic could permit the main program logic to enter the combination element in operation

255

. Thereafter the logic loops back to just prior to operation

252

to reset the timer. When the knob

14

has not rotated, or has not be stopped for, the fixed time period, the flow of operations may be from decision

254

to decision

256

where the unattended timer is polled to see if the number entry stop time period may have expired. If it has expired, then the combination element has not been entered within the allotted time and the lock

10

could shut down with the Power Down subroutine represented by terminator

1200

. This operation is on an interrupt basis and after the operation, the overall system operation continues unless the lock

10

has been shut down.

If the timer has not expired, the flow branches from decision

256

back to the main system operation as the interrupt is completed. Periodically, the main system flow is interrupted to check on the timer and knob status. This check is indicated by the loop back to decision

254

.

This features effect is that if the knob

14

of the lock

10

is not tuned within 5 seconds the numbers of the combination already entered are ignored and are not effective to form part of the combination to unlock the lock. This prevents the operator from entering the first two numbers of the combination and waiting until significantly later to enter the third number of the combination to quickly open the lock

10

.

Knob Rotation Limit

The use of the human hand to rotate the knob

14

of the lock

10

results in the knob

14

being turned a partial turn and the knob

14

stopped and the hand repositioned to attain a new grasp of the knob

14

prior to the next turn. If the knob

14

turns more than what a normal hand/wrist will permit, the lock could be operated by a dialer or similar device. To sense this and to prevent the lock

10

from opening, the amount of knob rotation without a stop may be detected. This feature of the invention is illustrated in

FIG. 19

, which is a more detailed expansion of operation

414

of FIG.

16

.

After power-on in operation

300

, the signals from the sensor

34

a

are monitored and it is determined whether the knob

14

has stopped turning, in decision

302

. If the determination of decision

302

is that the knob

14

has not stopped turning, then the logic control flow loops back to just prior to decision

302

and the signal output of the sensor

34

a

is again monitored. This loop continues until the knob

14

is detected as having stopped turning. When the knob

14

has stopped the logic flow branches out of the loop to decision

304

where the number of signals/pulses generated since the last knob stop is determined and compared with a fixed number of pulses. The fixed number of pulses could be the number of pulses sent by sensor

34

during rotation of the knob

14

by at least 1.33 turns or at least 480 degrees.

If the knob has rotated more than the predetermined amount without a stop of the knob the flow is directed to operation

306

where the lock electronics

18

are signaled to not open, even if the correct combination is entered. Operation

306

could be the Lightning Error subroutine, previously discussed. When the dial

14

has rotated less than the predetermined amount the program continues.

As described above, the operation of the lock

10

by a person may not be inhibited, while the operation of the lock

10

by a dialer or other similar device could be inhibited because the lock will not respond to the correct combination after the knob is rotated for more than the predetermined number of pulses from sensor

34

a

without stopping.

Variable Incrementation of the Display

To further inhibit utilization of a dialer, the lock

10

could be provided with a scheme of varying the number of pulses from knob position sensor

34

that are required to update the display

18

to cause it to display the next larger number. The benefit of this scheme is that as the speed of rotation of the knob

14

of the lock

10

increases, the rate of change of the displayed numerals increases until the rate of change is set by the fastest rotational rate and then the relationship of the rate of change of the displayed characters and/or numbers to the number of pulses from the knob position detector

31

remains constant for the remainder of that rotational movement of the knob

14

, until the knob stops, even if the rotational speed of the knob slows during later stages of rotation this feature reduces the correlation of the number change rate on the display

18

and the extent of rotation of the knob

14

.

FIG. 21

is a flow diagram which represents the decisions made by the microprocessor

44

on an interrupt basis to determine the speed at which the knob

14

is being turned, which then may be used to set rates at which the numbers are changed. Returning to

FIG. 2

, the knob position detector

31

outputs pulses on lines

38

and

40

. The phase

1

line

38

conveys pulses, which are used to indicate rotational displacement of the knob

14

. The knob position detector may be configured such that a full rotation of the knob

14

may cause the sensor

34

a

to send a number of signals/pulses. This number could be approximately

28

pulses. The number of pulses sent by the knob position detector

31

, however, could vary depending on the indicator

32

and sensor

34

selected.

The pulses on the phase

1

line

38

may be connected to an interrupt bit in the microprocessor

44

. Accordingly, each pulse may interrupt the microprocessor

44

. The interrupt may be used to start and stop timers and counters.

As each speed criteria is met in ascending order of speed, that speed indicator may be set and retained for the remainder of the knob turn; while the speed indicator is not reduced if the knob slows down during that knob turn, the speed indicator may be increased as speed increases.

A further filter to eliminate spurious conditions which could lead to unreliable results is that the middle and high speed indicators in the microprocessor

44

could be locked out or rendered ineffective unless at least a predetermined number, for example

10

, phase

1

pulses have been detected by the microprocessor

44

since the last valid knob stop. This filtering of the inputs insures that the middle and high-speed operation of the display

18

is prevented during quick short burst rotation of the knob

14

.

The microprocessor

44

has within it a counter that could be designated as the combination counter, which counts the numbers and the numbers are displayed on display

18

, as well as being available for the internal processing of the number and/or character for use in the combination. The combination counter may be incremented, based on the number of pulses received by the microprocessor

44

. The number of pulses can vary based on the knob speed as decided by the voting scheme described above.

Exemplary conditions for changing the combination counter are presented tabularly below.

SPEED CHART

SPEED

TIME INTERNAL BETWEEN

PULSES PER

FLAG

PULSES MINIMUM

COMBINATION COUNT

Lock out

7.5 msec

1

High

7.50 msec

1

Middle

25.00 msec

2.5

Low

129.15 msec

4-7

The lock out flag may set during the actual opening cycle of the lock

10

(turning the knob

14

to retract the bolt

26

from strike

56

), to inhibit the bolt

26

from being retracted if the knob

14

is turned too fast. If the bolt

26

is engaged with the bolt retractor

50

when the knob is being turned too fast, physical damage, binding, or malfunction in the mechanical bolt retraction assembly may result.

The incrementing of the combination counter may be accomplished for the first four pulses of a turn in the low speed and then thereafter with each seven pulses. This scheme provides the operator a visual feedback early in the operation at these speeds and then slows the incrementing to the desired rate thereafter, for the same knob turn.

The counter and the display could be incremented by one unit for each 2.5 pulses if the interpulse time interval is less than 2.5 msec but more than 7.5 msec and the middle speed flag is set.

In the high-speed mode or operation, all numbers and/or characters may be sent to the display

18

. Due to the response time of the display and the ability of the human eye to receive and process images only at relatively slow speeds, it may appear that numbers are being skipped by the display

18

. Alternatively, in the high-speed mode not all numbers could be sent to display

18

resulting in skipped numbers but faster response.

For a better understanding of the logic operations necessary to control the speed of the change of the combination counter and display

18

, reference is made to FIG.

21

. The interpulse time period may be determined by the detection and voting scheme described above. Thus, the time value could be compared in decision

450

to the time interval standard for the lock out mode, i.e., 7.5 msec, and if the interpulse time is less than the standard, the lock out speed flag is set in operation

452

. Following the setting of the lock out speed flag, the high speed flag may be set in operation

456

. When the interpulse time standard for the high speed flag is longer than that selected for the high speed lock, then the high speed interpulse time would be checked in decision

454

. If the measured interpulse time is less than that specified for the high speed flag in decision

454

, then the high speed flag could be set :in operation

456

.

If the time period is greater than the lock out or high speed mode time standard, then the flow is from decision

454

or

450

to decision

458

where the interpulse time period could be compared to the middle speed time standard. When the interpulse time is less than the middle speed setting, the flow branches to operation

460

where the middle speed flag is set. Similarly, the interpulse time period may be compared to the slow speed time standard and the appropriate speed flags set.

The setting of a speed flag results when the flow is diverted from the series of decisions

450

,

454

,

458

, and

462

. The flow is then through flag setting operations

452

,

456

,

460

, and

464

as appropriate with the resulting setting of all flags for speeds slower that the first satisfied speed condition.

Referring to decision

462

, if the interpulse time interval is greater than a preprogrammed time, for example, 129.15 msec, then the only remaining choice of speeds may be creep speed and the creep speed flag is set in operation

466

. The flow from operation

466

could be back to the main flow of the program.

As the knob

14

is turned the microprocessor

44

not only receives the pulses but after determining the speed at which the knob

14

may be turning, then may update or increment the combination counter. This updating may be accomplished by the logic control operations represented by the flow diagram of

FIG. 22

illustrating of the Count.Flo subroutine.

As the pulse flow into the microprocessor

44

continues, the flags of the microprocessor

44

may be checked to ascertain if the speed has been determined by the voting scheme as described above. The microprocessor

44

could check the high-speed flag in decision

502

. If the high speed flag is set, the microprocessor

44

could update the combination counter by one unit for each pulse received from the knob position sensor

34

a

, as represented by operation

504

. If the high-speed flag has not been set then the middle speed flag may be tested to see if it has been set in decision

506

. When the middle speed flag has been set, as determined in decision

506

, the combination counter could be updated by two units for each five pulses as represented by operation

508

.

Similarly, if the flag for the middle speed is not set, a decision

510

may be made as to whether this could be the initial knob rotation at a low speed in this knob turn. If this decision operation results in a negative determination, then the knob

14

may have been rotated at a low speed previously in this knob turn and the combination counter may be incremented by one unit for each 'seven pulses sent by the knob position sensor

34

, as represented by operation

512

.

When the result of decision

510

is in the affirmative, the flow is to operation

514

where the combination counter could be updated by one unit for each four pulses received by the microprocessor

44

.

Following the updating of the combination counter, in response to any of the speed flags set or not set the control may revert back to the main logic control of the lock

10

.

Backup Feature

The backup feature is important in that it gives the operator a way to recover from an erroneously dialed number. The feature does not compromise the security of the lock since the operation of the lock is to back up the number by a fixed number of units upon any knob reversal, for example, four or ten units when entering a combination element. Thus, the backing up of the displayed numbers and/or characters on the display

18

does not indicate to the attacker that he has approached a combination since any reversal of the knob may result in backing up the same amount. While the generator is generating power the microprocessor

44

may not accept any input from the position detector

31

.

Additionally, this feature may permit an operator to recall and reenter the previous combination element. This second back up feature may be utilized by reversing the rotation of knob

14

after entering a combination element and before rotating knob

14

to enter a subsequent combination element.

When entering the combination, the operator may turn the knob

14

too far and pass the target number of the combination. While the knob

14

may be turned additional revolutions and the target number selected and displayed, the lock may permit the operator to reverse the knob direction for a short displacement with the combination element displayed and contained in the combination counter changed by a predetermined amount. After the combination element backs up, the knob

14

may then be turned in the clockwise direction to again approach the target number and/or character of the combination. The logic control of this function uses two interrupt routines illustrated in

FIGS. 23A and 23B

.

With reference now to

FIG. 23A

, the Generate Power is activated when the microprocessor

44

detects power generation by generator

29

. The interrupt is represented by terminator

1250

. This interrupt starts a timer in operation

1252

. This timer may last at least 300 milliseconds to ensure that the operator really wants to back up. The timer can be set for approximately 600 milliseconds. The interrupt may also set a Back Up Switch or bit “ON” in operation

1252

. Thereafter the interrupt will exit to the main program flow.

FIG. 23B

illustrates the functional flow of the Timer Interrupt that decrements the combination counter and display by a fixed amount, for example, four or ten. Periodically the main program flow is interrupted to check the status of various timers. This interrupt is represented by terminator

1260

. The interrupt checks the timer in decision

1262

. If the timer is still running if a count down timer is used or has not reached end of the count the interrupt will exit and flow would return to the main program flow. When the timer has expired, the flow branches to decision

1264

where the microprocessor

44

checks the Back Up switch. If the Back Up switch is “OFF”, then the interrupt would return the flow to the main program. When the Back Up switch is “ON”, the combination counter and the display

18

are decremented by a fixed amount in operation

1266

. Thereafter the interrupt would exit.

Knob Position Interrupt

In order to determine the position of knob

14

, microprocessor

44

may be interrupted by; each signal/pulse transmitted by sensor

34

a

. Additionally, when generator

29

provides power to lock

10

, sensors

34

may turn “OFF” to minimize power consumption and prevent erroneous lock operation. The GMR interrupt shown in

FIG. 24

can perform these functions. Each time the sensor

31

a sends a signal to microprocessor

44

the main program flow can be interrupted. This interruption is represented by terminator

550

. After the microprocessor

44

is interrupted the microprocessor

44

may check to see if generator

29

is producing power. Alternatively, microprocessor

44

could check the Back Up switch set by the Generate Power interrupt show in FIG.

23

A.

If generator

29

is not providing power, then the numbers on display

18

and in the combination counter may be incremented by the Speed.Flo interrupt in operation

560

. When generator

29

provides power to lock

10

during the interrupt the microprocessor

44

shuts down sensor

31

a

. Thereafter the interrupt exits and flow may return to the main program flow.

Error and Seal Counters

Referring back to

FIG. 5

, the operation of the audit and error counters and the display of their contents will be described. After providing power to lock

10

, the microprocessor can check to see if the lock startup may be due to a power on entry in decision

816

. The generation of power for more than a fixed time period, for example, 2.8 seconds, may be checked at decision

819

. If power has been generated for less than the fixed time period, then the flow may branch back to decision

818

. However, if power has been generated for more than the fixed time period, the flow could move to operation

820

, which displays the audit counter contents on display

18

. The audit counter may count the number of times that the lock has been opened successfully.

The contents of the audit counter can be displayed on the display

18

, while power continues to be generated. When power generation ceases, as detected in operation

820

, the error counter could be checked to ascertain if the value stored therein may be greater than or equal to a predetermined value, for example three, in operation

822

. If the value in the error counter is greater than or equal to this value, then the error counter contents may be displayed in operation

824

. The displayed number is the count of times that the lock

10

has been dialed for access without successfully opening it or when one of the security features has blocked the lock

10

from opening. The count is from the last successful opening of the lock

10

.

The flow may move to the remaining program flow where the combination for the lock is allowed to be entered as discussed previously.

After entry of the combination, decisions

856

(FIG.

9

),

876

(FIG.

10

), or

890

and

896

(

FIG. 11

) compare the entered combination and the authorized combination and if they compare true, the lock is conditioned to unlock in operation

868

.

Since the error counter only accumulates the count of erroneous entry attempts since the last successful opening of the lock

10

, with the compare true on the combination, the error counter may be reset as in operation

970

(FIG.

17

). Similarly, the audit counter counts successful combination entries, and the audit counter may be updated by incrementing its contents, also in operation

970

.

Should the combination not compare true in decisions

856

,

876

,

890

, and

896

, the error counter is incremented in operation

860

to reflect the erroneous entry attempt. After the incrementing of the audit or error counters, the routine ends and the lock awaits any further input by the operator. As discussed earlier, if left unattended for a sufficient amount of time the lock will power down.

The combination of the error and audit counters provide a reliable, easily accessed, easily understood indication that the lock has been operated; and if the numbers are different, may indicate failure or success by the attacker.

Lost Combination Resetting

The serial number of the lock may be used as a temporary combination to open the lock and thus allow the setting of a new combination. This allows for circumstances where locks are placed in inventory and records of combinations are misplaced or memories lapse and no one remembers the combination of an inventory lock.

Referring to

FIG. 25

, to open the lock so that the normal change combination procedure may then be used, the change key

60

is inserted in the lock

10

. The lock

10

, when powered on, operation

650

, may detect the presence of the change key

60

in ports

62

of the microprocessor

44

, in operation

652

.

If the change key

60

is detected, the open flag in the memory of the microprocessor

44

is checked in operation

654

. If the open flag is on, the serial number is not allowed by operation

656

as a combination, because the lock is open and was presumably opened with a correct and known combination. However, if the open flag or bit is not on, indicating that the lock

10

is locked, then the lock

10

is conditioned to accept the serial number of the lock

10

as a substitute combination, in operation

658

. This may be accomplished by the setting of a flag which then allows the comparing of the serial number which is stored in a memory associated with microprocessor

44

, with the entered combination, rather than comparing the authorized combination.

When the change key

60

is not in the lock

10

, as ascertained in operation

652

, the open bit may be reset in operation

660

and the combination entered is compared with the authorized combination in operation

622

. If good, the lock is unlocked and the open bit is set in operation

664

. If the combination is not good the logic flow branches back to the beginning of the routine to await further input.

This scheme does not compromise the security of the lock since the lock must be accessible for the insertion of the change key while the lock is locked, i.e., when the combination may be scrambled and the open bit is reset. This prevents the convert insertion of the change key

60

when a safe or vault is open and the return at a later time to open the safe or vault

12

with the combination that might be changed using the serial number of the lock.

The insertion of the change key

60

into the ports

62

creates a condition that prevents the resetting of the open bit. As seen from operations

654

and

658

, the open bit must be reset for the serial number to be allowed in lieu of the authorized combination in the combination change procedure.

Covert Entry and Resset

If the bolt

26

of lock

10

is moved/opened without the lock being powered and an authorized combination entered, the lock

10

may be disabled from opening until entry of a covert entry (CE) reset combination or bypassing this feature. Additionally, if the bolt

26

of lock

10

is not withdrawn within a fixed period of time, for example, ten seconds, after the motor

46

has placed the lock in condition for bolt withdrawal, the lock may also be disabled. The reset combination can be a six-digit combination, however, the CE reset combination may have any desired length and may utilize numbers, characters and/or symbols.

Referring now to

FIG. 26

that illustrates one functional flow chart for setting the Covert Entry (CE) detect switch/flag. A second functional flow chart is provided in FIG.

27

.

The covert detect power on the functional flow chart provided in

FIG. 26

illustrates turning on the microprocessor

44

to set the CE flag “ON” if the bolt

26

is moved without entering the authorized combination. When microprocessor

44

turns on, the bolt power supply may be checked in decision

1420

. If the bolt power supply is “OFF” a normal power on entry start up may be accomplished, as previously described.

When the bolt power supply is “ON”, microprocessor

44

can be turned on due to the bolt movement. Therefore, the microprocessor

44

may check the status of bolt

26

in decision

1422

. If the bolt is open, then the flow moves to decision

1424

where microprocessor

44

checks the bolt open switch. If the bolt open switch is “ON”, then the lock

10

may power down. The bolt

26

open with the open switch “ON” is a normal condition and the microprocessor

44

is not required to take any action.

Similarly when the bolt is extended, the microprocessor

44

will also check the bolt open switch in decision

1426

. If the bolt open switch is “ON”, then the microprocessor may power down. The bolt extended and the bolt open switch “ON” is also a normal condition and microprocessor is not required to take any further action and the bolt open switch will be reset and the lock powered down.

In both of the conditions described above the position of the bolt matched the expected status of the bolt-open switch. However, when the bolt is open and the bolt open switch is “OFF” or the bolt is extended and the bolt open switch is “OFF”, the microprocessor

44

may set the CE flag “ON” and shut down in terminator

1428

.

With reference now to the functional flow chart shown in

FIG. 27

showing the setting of the CE flag if the bolt

26

is not withdrawn within a fixed time of firing motor

46

. Normal operation of lock

10

including firing motor

46

and starting a timer is represented by terminator

1430

. After firing motor

46

the program flow may loop between checking the timer in decision

1432

and checking the condition of bolt

26

in decision

1434

. If the bolt

26

is opened before the timer expires, for example, 10 seconds, the lock

10

may power down. When the timer expires before the bolt is withdrawn, the lock

10

may be in an unsecured condition since anyone can now withdraw the bolt

26

by rotating knob

14

. Therefore, in order to indicate this unsecured condition the microprocessor sets the CE flag to “ON” in operation

1436

. Thereafter the lock

10

could power down.

Referring to

FIG. 28

, when the lock

10

is powered by the rotation of generator

29

as represented by terminator

1400

, and “CE” is displayed on display

18

, represented by block

1402

lock

10

may be reset before opening lock

10

or the CE lock out feature bypassed. The microprocessor

44

checks to see if the lock

10

was powered a minimal time, for example, greater than 2.8 seconds as shown in operation

1406

. If the lock

10

was not powered for this minimum time then the lock

10

may permit a combination to be entered. This entry however, may not open the lock

10

. When the lock

10

has been powered for the minimum time the error and audit counters may be displayed as discussed above. Then the operator can enter one or more numbers, characters and/or symbols, typically “99”, and the “CE” reset combination as shown in block

1408

. The number, “99” in this case, may serve as a trigger that a reset combination is being entered. When the reset combination is entered, the lock

10

will check the “CE” reset combination for a match in operation

1410

. When there is a match then the “CE” detect flag is reset and the SA-CE switch is set “ON” if the SA detect flag is “ON” in block

1412

. If the combinations do not match the operator must start the reset process from the beginning.

Surreptious Attempt Reset

If an operator enters a set number, for example, 15, of consecutive incorrect combinations the lock

10

may be disabled until the entry of a CE reset combination. The reset combination typically is a six digit combination, however, the reset combination may have any length desired and may utilize numbers, characters and/or symbols.

Referring to

FIG. 29

, when the lock

10

is powered by the rotation or generator

29

as represented by terminator

1300

, and “SA” is displayed on display

18

, represented by block

1302

lock

10

may be reset in order to employ the authorized combination to open lock

10

. The microprocessor

44

could check to see if the lock was powered a minimal time, for example, greater than 2.8 seconds, as shown in decision

1304

. If the lock was not powered for this minimum time then the lock may permit a combination to be entered. This entry, however, may not open the lock

10

.

When the lock

10

has been powered for the minimum time the error and audit counters may be displayed as discussed above. Then the operator can enter one or more numbers, characters and/or symbols, typically “99”, followed by the “CE” reset combination as shown in block

1308

followed by the authorized combination in block

1312

. The microprocessor may check to ensure that both combinations were entered in the same power cycle in operation

1310

. If the lock turns off then the proceeding steps may be repeated when the lock

10

again is powered. When both the reset combination and the authorized combination were entered without the lock

10

turning off, the lock

10

will check the combinations for a match also in operation

1312

. When there is a match then the “SA” detect flag can be reset in operation

410

of FIG.

16

. If the combinations do not match, the operator may start the reset process from the beginning.

The foregoing routines that implement the functions and features operate within the system operations of the lock as is represented in FIG.

5

and the Figures referred to from FIG.

5

.

The exemplary embodiment of this invention implements the control operations and hence the functions and operational features of the lock

10

in microcode in a microprocessor

44

of the type sold by OKI Electric Industries Company, Ltd., under the designation 80C5IF. Other microprocessors by other manufactures may be substituted for the preferred device so long as the characteristics of the substituted device meet the needs of the lock

10

.

The control of the microprocessor

44

is by microcode which is written according to the constraints defined by the device manufacturer and which are readily available from the device manufacturer of choice. Any skilled code writer may code the microcode, given a program listing. The program listing may be prepared for the device of choice, following the constraints required by the particular microprocessor device chosen. The logic and operational flow diagrams contained in

FIGS. 5-29

are applicable to any microprocessor and accordingly, teach one of skill in programming the necessary operations to operate the lock. The organization of the logic flows is exemplary and may be modified according to the desire of the programmer and code writer.

The foregoing is an exemplary embodiment of the invention. It is recognized that changes and modifications may be made to the embodiment of the invention without departing from the scope and the spirit of the invention and such changes and modifications reside within the scope of the claims below.

Number	Name	Date	Kind
4917022	Ogasawara et al.	Apr 1990	A
5061923	Miller et al.	Oct 1991	A
5517184	Miller et al.	May 1996	A
5684457	Miller et al.	Nov 1997	A
5777559	Dawson et al.	Jul 1998	A
5881589	Clark et al.	Mar 1999	A
5973624	Miller et al.	Oct 1999	A

High security electronic combination lock

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

US Classifications

Field of Search

US

International Classifications

Abstract

Description

Claims

Parent Case Info

US Referenced Citations (7)

Foreign Referenced Citations (1)

Provisional Applications (1)