Skip to content

Putting Vendors to the Test

WE’VE ALL BEEN THROUGH IT. It comes time to replace or upgrade security systems, and vendors swoop in with techno-jargon, high promises, and Pollyanna scenarios. But inevitably something is missing: They’ve ignored your company’s specific situation and needs. At the heart of the problem is that sales people tend to know more about their own product’s features than they do about how it can be integrated into an existing system. It is up to the security director, therefore, to make sure that those real-world installation issues are addressed up front.

Just determining that the system is high quality or that it offers state-of-the-art technology is not enough. It is crucial that the vendor be able to install the system correctly, troubleshoot any problems, provide hardware in a timely manner, and promptly respond to service calls.

It’s also critical to follow up as the project progresses and reaches completion to ensure that all of those expectations are being met. The way to do that is to inspect and test the installation at the completion of the project. This process is called commissioning.

The commissioning process is really an opportunity for the vendor to prove that the equipment works. Commissioning entails having all the parties involved—the electrical contractor, the security vendor, the general contractor, and so on—test every door, panel, camera, and other component of the system. If the test results are acceptable, responsibility for the system is turned over to the owner, and product warranties go into effect.

Key components of commissioning include: setting parameters for the test, standardizing testing procedures, making vendors accountable, and documenting and comparing test results. When these elements are performed properly, numerous benefits will result.

Set Test Parameters

The first step is to know what standard the system will be tested against. Essentially, those requirements will have been determined up front in the bid process, and they will have been spelled out in the contract. Our security requirements at Cincinnati Children’s Hospital Medical Center (CCHMC) are based on historical incident data, industry standards and codes (such as the National Fire Protection Association Life Safety Code and local building and fire codes), individual facility needs, and security risk assessments.

Focusing on the broad performance standards laid out up front and testing against those helps to focus the commissioning test on the big picture—the overall functionality of the system and the general functional objectives or requirements. For example, a functional requirement might be to control access to the facility and audit access to sensitive restricted areas within the facility, such that head counts can be established through a combination of card readers, other access control electronics, and effective procedures.

The security team will also want to use the traditional punch list as an important supplemental tool for checking the system, but they should never fall into the trap of thinking that once they’ve checked everything off the list, the test is complete.

The problem with that approach is that the sum of all these parts doesn’t always make a functional whole, especially when multiple vendors and systems are involved.

Someone has to be responsible for making sure that all the parts function together. To address that problem at CCHMC, we now use both the punch list and the full up-and-running system check to complete the commissioning process. Previously, items were checked off the punch list but no full system check was performed.

Security personnel should also make sure that each vendor gets its own punch list. Up to eight different vendors might work on a single item (an electrician, a carpenter, and a security-system installer could work on a door, for example), so a punch list should be “vendor identified.” That is, each vendor who works on an item is required to compile its own to-do list.

Each contractor is responsible for independently fulfilling every item on the list. But the parties must be required to bring all their efforts together in the end to make sure that their work is compatible and that everything works as intended.

Standardize Procedures Testing procedures must be standardized, so there is a consistent baseline for comparison. And it is important to note that the vendors are your partners in this testing process. They should not just be brought in at the end and handed test criteria.

In our case, the security department (called protective services) worked with the access control vendor, the CCTV vendor, the construction services department, and representatives from two construction contractors working at the medical center to establish the means by which equipment would be tested. The CCTV vendor, for example, helped develop CCTV items to include in the test, such as whether camera views were obstructed by anything, whether pan/tilt/zoom control was adequate, and other issues affecting the cameras.

Similarly, the access control vendor provided insight on how to test each door. For example, generally perimeter doors would be tested for card-reader functionality, open/closed status, and motion-detector alarm status, which indicates when doors are forced open.

In the process of working out the test procedures and standards, this vendor helped us understand what events might cause the system to alarm and gave us input on “best practice” testing procedures for the equipment.

That meant, for example, opening every alarmed door—not just a random sampling—to determine whether the security dispatch center received an alarm, whether the alarm matched the door, whether the location indicated on the monitors was accurate, whether the card swiped past the reader triggered the image of the cardholder to appear on a screen in the dispatch center, or whether a strobe activated, as intended. We then closed each alarmed door to check that alarms were cleared and strobes turned off, among other functions.

Construction services and the construction vendors helped us identify certain cases where code issues would have to be factored into the test parameters and procedures. For example, local building codes forbid locking fire exits from the inside, even in the hospital’s psychiatric facility, whose patients are at highest risk of trying to escape. However, code allows for egress to be delayed by 15 seconds, and the hospital has a variance that allows a 30-second delay. During the test of the exit doors in that facility, we had to make sure to comply with these provisions by testing the delay time. We also made sure that a fire alarm would override any locked door.

Equipment should be tested not only against the company’s criteria for what the project is supposed to accomplish but also against the performance standards put forth in the vendor’s literature. The buyer should, therefore, ask suppliers for the manufacturer specifications and for any related documentation.

This information can then be used in developing tests. We do this by working up a form with a series of questions tied to what the system performance should be. For example, one question asks whether a traffic arm/security gate lowers after the proper amount of time.

Work done on any one project will help with subsequent projects. In our case, the testing standards and procedures that we developed on this job have become functional requirements and specifications for future jobs.

Standardizing how you will test is only half the battle. You also need to standardize whom you will test. The answer is: everyone. In other words, it’s human nature to trust a contractor or vendor that you’ve worked with for a long time, but that’s a bad idea. To maintain the integrity of the process, companies must be consistent with all contractors and vendors.


Anyone who has worked with multiple vendors knows the situation: Whenever equipment does not work properly, the vendor who sold it, the manufacturer who made it, and the installers who put it in do not accept the blame easily. It is important that there be accountability. Without a commissioning process, however, client companies end up taking on the problem themselves.

At CCHMC, before we had instituted a commissioning process, we had door alarms and glass-break detectors at one of our off-site locations. They were installed, but they were never programmed or tested. Consequently, the system did not function as intended, but it proved difficult to get the vendor back to address the problems.

The reality of the business world is that vendor project managers are normally spread so thin that there is little time for follow-up. The goal of the vendor is to sell the equipment, install it, and move on to the next project. They often overpromise and underdeliver.

With the commissioning process, that situation cannot arise, because the contract provides both that the vendor will not be fully paid until the system passes the test and that the warranty on new systems won’t take effect until that process is satisfactorily completed. Our contracts also specify that the project is not complete until the vendor work is approved by appropriate authorities, such as the local fire department, which requires permits for certain installations.


Test results should be compared and documented at the end of each testing phase and verified by the system owner or representative. Through such a formalized report, test results can be tracked at a later date.

It is important to have a form that is functional as well as informative to document the test results. In our case, the original form required long narrative answers to general questions. Some of the questions were repetitive.

To streamline the form, questions were rephrased so that respondents could check off “yes” or “no,” without any explanation. Another improvement was to remove unnecessary questions. After close scrutiny that no important information would be left out, redundant questions were removed. We then left some room for exposition for respondents who felt that questions did not give them the chance to provide some critical information.


In our experience, the commissioning process has identified problems with approximately three-quarters of the card readers and doors that we checked. As one example, the hospital never used to check whether doors could be remotely unlocked from the security dispatch center. Once we started testing for that, we discovered that a few officers stationed at the dispatch center lacked access privileges to perform that function. Making sure that all officers can do so has become a step in the commissioning process.

In another example, the commissioning process enlightened us to a problem with a card reader at a certain door. The reader sent the right commands to the door—release and relock—but there was a short delay before the magnet would release the door. By that time, the relock function had kicked in, so a user couldn’t get through the door. The timing sequence was adjusted before the reader and door were put into use.

Problems are also typically found with the delayed-egress function of emergency exit doors. That issue came to light when a large boy in the psychiatric unit hit the egress bar on an emergency exit door hard enough to defeat the lock (the door wasn’t supposed to open immediately unless a fire alarm had been activated).

The boy did no damage and was unable to escape the building, but the event resulted in the manufacturer redesigning the door, and we added forced-exit testing to the commissioning process.

Using the commissioning process, we have been able to preempt these types of problems that could otherwise have plagued the new systems. In so doing, we’ve also been able to give employees confidence in those systems.

That has been especially significant for our hospital, because there has been considerable expansion and employees have been moved to new locations throughout the hospital’s 10 satellite buildings. Some employees resist being moved and are extremely sensitive to any perceived downgrade in their environment. Equipment failures can demoralize staff and add to their dissatisfaction.

Vendors benefit from the commissioning process as well. At first vendors may see commissioning as a delay on closing their project, but after they put the process in place and have a chance to become interactive, they will start to see the benefits for themselves. For example, because we address all of the problems up front, vendors are not likely to be hounded to return and address issues after they think they’ve finished a project. It also helps them gain a long-term client.

The commissioning process has also helped the hospital ensure that it handles all security projects consistently by forcing it to develop standards for both performance and testing. Similarly, it has led to the consistent treatment of vendors.

The commissioning process serves as a final milestone in any project and helps establish a warranty cycle start point. It has brought peace of mind that the hospital’s newly purchased security equipment works as promised and that a system failure is actually a failure, not an inability to work properly in the first place. That has yielded better overall satisfaction from all parties who interact with the system and from those it was designed to protect.

Geoffrey M. Jung is security system technician for Cincinnati Children’s Hospital Medical Center and a member of ASIS International.

Ronald J. Morris, CPP, is senior director of protective services at the same institution. He is also a member of ASIS.

Mary Alice Hogan is the access control supervisor at the medical center.