Turnstile System Singapore: Access Control Integration

A turnstile system Singapore deployment fails far more often at the integration than at the hardware. Buildings buy a good flap turnstile, plug in a mismatched reader, and spend the next year fighting “the gate doesn’t open” tickets. This blog will walk you through how turnstiles talk to access control, RFID, and face recognition.

What “integration” actually means at a turnstile lane

Every product in the turnstile gate control system range available in Singapore ships as mechanical hardware, but a turnstile by itself is just a barrier with a motor and a sensor. The intelligence sits behind it: the credential reader on the housing, the controller panel that decides whether to release the lane, the access control software that holds the permission database, and (often) the visitor management or HR system that feeds names into that database. Whether it actually works on day one depends entirely on what the contractor wires into it.

The integration layer has three jobs. Read a credential. Decide if the credential is authorised for this lane at this time. Send a release signal to the turnstile and log the event. None of this happens inside the turnstile cabinet. It happens in the controller and in the access control software.

How a turnstile talks to access control

The reader sits on the turnstile housing. The controller sits in the IT room. The wire between them carries the credential.

Wiegand, OSDP, and why the wiring protocol matters

Wiegand is the older protocol, originally designed in the 1980s for swipe cards. It is one-way, unencrypted, and runs over a 4 to 6-wire cable. It still dominates Singapore commercial installs because almost every controller and reader supports it. The downside is that anyone who taps the cable can read the raw credential and clone a card.

OSDP (Open Supervised Device Protocol) is the modern replacement. It is bidirectional, AES-128 encrypted, and supports tamper detection on the cable itself. Specifying OSDP at procurement future-proofs the install for the next decade and makes credential cloning meaningfully harder. The penalty is that the controller, reader, and wiring must all support it; a mixed estate with one OSDP controller and Wiegand-only readers gains nothing.

The practical rule for any new Singapore turnstile project: insist on OSDP-capable hardware on both ends, even if commissioning runs initially on Wiegand. Upgrading later is a wiring revisit, not a controller swap.

Controller panel and credential decision

The controller panel holds the permission database (or syncs it from the access control server) and decides in real time whether a credential should release the lane. A typical controller in a Singapore office tower handles 4 to 16 lanes, runs anti-passback rules so the same card cannot enter twice without exiting, and logs every event to a central server.

Anti-passback matters at large sites. Without it, one card can be tailgated through multiple times. With it, a second swipe of the same card is rejected until the card has been read at an exit reader. This is the single most useful rule on a multi-lane gantry.

A solid controller stack pairs the turnstile with Soyal or ZKTeco access control hardware, since both brands have mature firmware for turnstile-specific features and strong integrator support in Singapore.

Dry contact, relay output, and physical wiring

Underneath the protocols, the actual signal that moves the turnstile is a dry contact closure. The controller sends a relay output to the turnstile’s input terminal, the input is treated as a “release” command, and the lane opens for one passage. Most turnstiles also expose status outputs back to the controller: lane occupied, lane direction, tailgate alarm, fault state. A complete integration uses all of these, not just the open command.

Cheap installs wire only the open command and skip the status returns. The result is a building that knows when a card was presented but has no idea whether the person walked through. For mustering reports during a fire drill, this is the difference between a useful headcount and a guess.

RFID credentials in a Singapore turnstile system

RFID is still the dominant credential type in Singapore offices and condos. Two frequencies matter.

125kHz versus 13.56MHz

125kHz proximity cards (often called EM cards) are the cheapest credential format and the easiest to clone. A SGD 50 hand-held cloner copies a 125kHz card in seconds, which is why no serious access control project in Singapore should be spec’d in 125kHz today.

13.56MHz cards (MIFARE Classic, MIFARE DESFire EV2 and EV3) use mutual authentication between card and reader, with cryptographic protection that makes cloning significantly harder. MIFARE DESFire EV3 is the current sensible default for new turnstile installs. It supports AES encryption, multiple application sectors per card (so the same card can hold a turnstile credential and a building lift credential), and is supported by every reputable access control brand.

Mobile credentials and BLE

Bluetooth Low Energy credentials are a growing alternative. The user’s phone holds the credential in an app, the reader picks it up over BLE, and the lane releases. This removes the cost of issuing physical cards and speeds onboarding for short-term contractors and serviced-office tenants. The trade-off is that BLE adds an authentication app to your IT support load. For an office tower deploying mobile credentials at scale, the math usually works. For a 60-unit condo, physical RFID is still the right call.

Face recognition at the turnstile

Face recognition is the most-asked-about feature in Singapore turnstile tenders today. It is also the feature that creates the most regulatory exposure if specified casually.

How face recognition actually works at the lane

A camera on the turnstile housing captures a face image. The local processor (or a server) extracts a biometric template, which is a mathematical representation of facial features rather than the photo itself. The template is matched against an enrolled-user database. If the match score crosses the threshold, the controller releases the lane.

The throughput trade-off is real. A modern 1:N face matching system handles 25 to 35 persons per minute in good lighting. In poor lighting (a back-lit lobby, harsh afternoon sun through glass), accuracy and throughput both drop. Pair the face recognition layer with a card or mobile credential as a fallback rather than relying on it alone.

PDPA compliance for biometric data

Face templates are personal data under Singapore’s Personal Data Protection Act, and the Personal Data Protection Commission’s Guide on the Responsible Use of Biometric Data in Security Applications is required reading for any MCST or building owner deploying face recognition at the turnstile. Key obligations: collect only what is needed, store templates rather than raw images, give occupants notice and a meaningful opt-out, and document a retention period. A face recognition turnstile rolled out without those controls is a PDPA enforcement case waiting to happen.

The practical implication for procurement is that the contractor should provide the data flow diagram, the template storage location, and the retention policy in writing before the system goes live. Verbal assurances do not satisfy the obligation.

When face recognition makes sense

Face recognition earns its cost in three settings: high-turnover contractor sites where issuing cards is impractical, premium offices where the lobby experience is part of the brand, and zones where the security threat justifies a second factor on top of a card. For a typical 200-tenant condo or a mid-sized office, RFID alone is usually sufficient and considerably cheaper to maintain.

Visitor management and mustering

Two further integration layers turn a turnstile from a barrier into a building-management asset.

Visitor management software issues temporary credentials (a QR code on the visitor’s phone, or a printed badge) that work at the turnstile for a set time window. The visitor walks in without a permanent card, the host is notified automatically, and the system logs the entry. This removes the manual front-desk lookup that wastes a security guard’s time.

Mustering reports use the turnstile log to produce a real-time list of who is inside the building during a fire alarm. The fire alarm panel triggers turnstiles to fail-safe, the access control system snapshots the current “inside” list, and the security team has a printable headcount within seconds. This is the use case that justifies the full status-return wiring described earlier. The principles are documented in the UK Health and Safety Executive’s powered-gates safety guidance.

For sites with intercom and video door entry deployed, the turnstile can be tied into the same backend as the intercom systems used across Singapore developments, so a visitor’s full journey, from gate intercom to lobby turnstile, runs on one platform.

Common integration mistakes

Three patterns show up repeatedly in Singapore turnstile projects.

The first is buying the turnstile and the access control system from different vendors and assuming they will integrate cleanly. They will not, until someone is paid to do the integration work. Specify in the tender that the turnstile contractor is responsible for integration, with a written commissioning checklist signed off by the building IT lead.

The second is skipping the status-return wiring to save SGD 200 of cable. The result is a turnstile that opens on credential read but never reports whether the person passed. Mustering, anti-passback, and tailgating alerts all break.

The third is treating face recognition as a hardware decision instead of a data decision. The hardware is the easy part. The data flow, template storage, retention policy, and PDPA notice are the work that protects the building from a complaint. A reputable after-sales service plan should include periodic review of these data controls.

Conclusion

A working turnstile system is a stack of correctly-specified parts: turnstile, reader, controller, software, and credential. Get any one wrong and the whole system underdelivers. Specify OSDP wiring, MIFARE DESFire credentials, full status returns, and a written integration scope, and the system disappears into the background of the building.

Speak to the Enforce team for an integration audit on your existing turnstile estate, or a fully-scoped specification for a new build, with the wiring, credentials, and data layer matched to your site’s security profile.

Frequently asked questions

What protocol should a Singapore turnstile use to talk to the access control system?

OSDP (Open Supervised Device Protocol) is the modern standard, with AES-128 encryption and bidirectional tamper detection. Wiegand is still common in older Singapore installs but is unencrypted and easier to clone. Specify OSDP-capable readers and controllers at procurement, even if the initial commissioning runs on Wiegand.

Can RFID and face recognition work on the same turnstile lane?

Yes, and it is the sensible architecture. A multi-modal reader handles the MIFARE DESFire card as primary credential and uses face recognition as a fallback or as a second factor for high-security zones. Both feed into the same controller and software, so logs, anti-passback rules, and mustering reports stay unified.

Is face recognition at a Singapore turnstile legal under PDPA?

Yes, when implemented correctly. The Personal Data Protection Commission’s Guide on the Responsible Use of Biometric Data in Security Applications sets out the obligations: collect only necessary data, store templates rather than raw images, provide notice, document a retention period, and offer a meaningful alternative. MCSTs and building owners are explicitly named in the guide.

What happens to the turnstile during a fire alarm?

The fire alarm panel sends a signal to the access control controller, which forces every turnstile to fail-safe. Arms drop, wings open, and the lane is free. The integration must be tested at commissioning, not assumed from a brochure. The handover certificate should record the test event, the response time, and the manual override procedure if the controller itself fails.

How long does access control credential migration take?

For a 500-user building moving from 125kHz EM cards to MIFARE DESFire EV3, expect three to six weeks for credential issuance, reader replacement, and database migration. The work is mostly logistical (collecting old cards, distributing new ones) rather than technical. Run the migration outside peak business windows and stage one entrance at a time.