IP CCTV Solutions

In 2003 Scottish Communications recognised that the CCTV market place was going to mirror the technological advances seen in video quality, compression and transmission within the broadcast industry and acknowledged that the IT sectors progression with bandwidth availability would see CCTV migrate towards IP.

This technological revolution was embraced, with a proactive approach to specifying and proposing IP solutions and latterly High Definition (HD) IP solutions.  This approach has ensured that Scottish Communications remain at the forefront of the CCTV industry and are ideally placed as we approach the point in 2011 where IP CCTV sales are expected to overtake Analogue.

Scottish Communications are fully trained specifiers and installers for all the major suppliers of IP CCTV including, but not limited to; IndigoVision, Sanyo, Pelco, Fast and Sony IP systems.

Why IP Video?
The advantages of IP Video can best be highlighted by looking at the disadvantages of analogue CCTV. In many ways traditional coax or fibre based video systems are limited. Installation costs over large areas are prohibitive and the number of monitoring stations is limited due to the investment required to replicate costly switching infrastructure. The analog matrix is the component that provides control room flexibility for analog CCTV systems, but this too cannot be easily expanded without adding new hardware and it is location dependent. Therefore overall scalability, i.e. the cost of expansion, is poor. Even though the introduction of DVRs has improved the recording capabilities of analog CCTV, these too are limited. They have to be physically installed near the analog matrix, and frame rate and image quality is often compromised. Businesses want a single, scalable, integrated solution which provides high-quality video surveillance across any number of their offices or sites – this is what IP Video delivers.

For enterprise systems IP Video also offers a high level of redundancy. In the event of an emergency the control and monitoring capability can be easily transferred to any other point on the network either on or off site. Redundant networks allow the system to keep operating even if one link or switch goes down and redundant NVRs allow recordings to survive even if one recorder fails or is destroyed.  These features allow IP Video systems to deliver a level of integrity far higher than is possible with analog CCTV systems.

Having everything based around a network allows system wide diagnostics to ensure everything is running smoothly. Every device can be continuously monitored and an alarm raised if anything fails. This is not possible with an analog system where camera feeds have to be manually monitored to ensure trouble-free operation and the potential exists for a fault to go unnoticed for a long period of time. This is particularly an issue with DVRs, as a fault will not necessarily be flagged and recordings for all cameras could be lost, again for a long period of time. Analogue systems can implement limited diagnostics but this depends on the different components used and is not an integral part of the system.

Building an IP System
The key component in an analog CCTV system is the matrix. In an IP system, the network and the software controlling it becomes the so called ‘virtual matrix’. IP Video systems operate over standard corporate networks. As these typically span entire organizations, so can IP Video systems connected to them. As the traditional control room equipment can be replaced by a PC it is possible, and often desirable, to be able to monitor live and recorded video from any camera from any point on the network. Each camera is connected to the network via a transmitter/receiver unit that compresses the analog video into DVD quality MPEG-4 digital video or H.264 for transmission over the network. The digital video can then be viewed, analyzed and recorded. This is achieved with Windows based PCs running video and alarm management software and Networked Video Recorders (NVRs) that are installed around the network (see Video Recording below).

As access to the system is available from any PC connected to the network, IP Video systems implement sophisticated ‘User Profiles’ to manage this. These restrict or enable access for users on a camera by camera basis. The transmitter/receiver units allow any type of CCTV camera to be connected to the network, ensuring existing equipment can be fully utilized.  However, for new installations one option is an IP Camera or Dome. These combine a professional full-function high-quality CCTV colour camera with an IP Video transmitter/receiver in one unit, which can be connected directly to the network. Significant cost savings can be achieved by employing the integrated camera units in place of traditional analog video cameras and a separate IP transmitter/receiver unit.

Designing a System - Network Requirements
Manufacturers of IP Video equipment provide excellent tools for helping security and IT professionals design digital CCTV systems and in particular compute the bandwidth requirements of the network. It’s fundamentally a very simple process; decide how many cameras are required, decide what video quality for viewing and recording is required and decide how many days of recording are needed. These can then be used to calculate how much bandwidth and recording storage is required. Each device connected to the network is then assigned an IP address, ensuring they are all on the same sub-net and can therefore ‘see’ each other. The ‘Site Builder’ software tools provided then interrogate the network and discover all the appropriate devices and automatically build a site database and recording schedule. In many cases the bandwidth requirements can be easily accommodated on the existing corporate LAN/WAN, giving the proposed IP Video system another significant advantage over analog CCTV by removing the need for additional cabling. This also means the network can be shared with the normal IT traffic and facilities such as Voice-over-IP. IP Video has many clever features which ensure that the bandwidth impact is kept to a minimum. Positioning NVRs locally to relevant camera clusters can reduce network traffic and improve redundancy. The compressed video can be transmitted across the network using TCP, UDP Unicast or UDP Multicast protocols. The advantage of Multicast is that it uses the same amount of network traffic for 1000 operators to view a camera as it would for one operator. Some manufacturers use clever scene algorithms designed to reduce network traffic. This facility relies on processing data at the camera IP transmitter/receiver unit. If no movement is detected in the camera scene then the bandwidth used is dramatically reduced. This feature is most effective in places where low activity occurs, such as in corridors, on fire escapes, or in buildings which are unoccupied at night. Searching recorded video can be a time-consuming activity with a corresponding increase in network traffic. However, clever search facilities can be provided by the video and alarm management. The typical NVR solution simply requires a PC platform and hard disk storage. However, for more demanding fault tolerant applications NVRs can be packaged in stand-alone units with removable hard disk drives. Transmitter/receiver modules transmit MPEG-4 or H.264 quality digital video, audio and control data over the IP Network software. The system can analyze movement in a scene and display images that represent frames from recordings containing the specified movement. Clicking on one of the images then replays that section of video. This feature can search 24 hours of recorded video and display the thumbnails in just a few seconds. Changing the search variables allows the operator to sift through vast quantities of recorded material quickly and efficiently. The use of clever search facitities allows a vast amount of video to be analyzed with little extra impact on the network.

Digital Video Recording
It is important to differentiate between Digital Video Recorders (DVRs) and Networked Video recorders (NVRs), as both are often termed ‘digital’. A DVR digitally compresses analogue video feeds and stores them on a hard-drive, the term ‘digital’ referring to the compression and storage technology, not the transmitted video images. The DVR therefore has to be located near the analogue feeds. In contrast an NVR stores digital images directly from the IP Network. Therefore the most obvious difference between the DVR and NVR is that the DVR records analogue streams from analogue cameras, whereas the NVR records video streams that have already been encoded at the cameras. Thus you find no video connectors anywhere on a NVR; its inputs and outputs are IP data, comprising of compressed and encoded video.

NVRs can be either PC software based or dedicated stand-alone units. The huge advantage of an architecture based on NVRs is that they can be located anywhere on a network – at the monitoring centre, adjacent to camera clusters, on the edge of a network or collected together in a hardened environment. In use their location is transparent to an operator; the recorded video stream from any camera can be viewed by any operator at any point on the network. NVRs record and replay simultaneously and recordings on any one machine can be remotely viewed by a number of authorized operators spread across the network simultaneously, all totally independently and without affecting each other.

The independence of physical location is an important factor. By calculating the required network traffic and strategically placing NVRs accordingly, the impact of video streaming on bandwidth usage can be minimized. Typically an NVR might be placed near (in network terms, not necessarily physically) a camera cluster so that the load is carried by the local LAN capable of absorbing it easily, thus saving capacity on other, perhaps more restricted, parts of the network. “Mirroring” techniques are now often used to duplicate the recording of video streams on additional NVRs located at different parts of the network, which provides a high level of protection against network failure; if one part goes down the other is there as a backup. You can have as many NVRs across a system as you like - there is no requirement for additional video cabling.

Evidence from the NVR can be exported in the standard MPEG-4 format allowing it to be viewed by any 3rd party viewer such as QuickTime or Windows Media Player. However, the exported video includes encryption and watermarking to allow extremely secure detection of tampering such as frame removal, reordering or modification.

Storing IP Video Data
There are typically two different approaches to storing data in an IP Video system. A centralized architecture uses a master database usually located in the central control room or head office. A distributed architecture spreads the data around the Security Management system generally keeping it close to where it is produced or needed.

The stored data can be categorized into two types - Configuration and Live.

Configuration data is site information specifying the design and make-up of the Security Management system. Examples of configuration data include lists of cameras, lists of users, user permissions, site structure, and maps representing the layout of the system and licensing information. After the initial installation and commissioning stages of a Security Management system, configuration data is not routinely changed. It is however routinely accessed by operators e.g. when logging in to the system.

Live data is typically CCTV video recordings and alarm information. Live data is accessed continuously during normal Security Management operations, either by devices recording the data or operators reviewing the data.

Configuration data is usually held in a database called the Site Database. This makes it easy for administrators to make and manage changes; however it also creates a problem. When an administrator makes a change to the Site Database how do the users, distributed throughout the Security Management system, get the change?

The obvious and easy solution is to have the Site Database held centrally on a master database server and have all users access the master server over the network. This is called a centralized architecture.

Many systems use a centralized architecture for storing more than just configuration data. They may also use it for storing live data such as video recordings or alarm data.

Centralized Architecture
Figure 1 shows a Security Management system consisting of one or more sites each with its own Local Area Network (LAN) connected to a central office. The central office is also where the Central File Server is located, hosting the Site Database. Also in the central office are Network Video Recorders (NVRs) for recording CCTV video and alarm data.
Every camera and workstation in each remote office must regularly, and in some cases continuously, communicate with the central office in order to check for changes and updates in the Site Database. This includes checking for valid licenses or storing recording and alarm data.

A centralized architecture causes four major problems:

• Cost - All users continuously communicate with the central office. On a LAN that means buying expensive high-end switches and on a Wide Area Network (WAN) it means using up precious bandwidth.
• Reliability and Resilience - What happens when the WAN or core LAN switch breaks? Remote users can be left stranded with no access to the live and recorded video from cameras which are actually located locally to them on a working LAN.
• Single point of failure - What happens if the server hosting the Site Database fails? All users of the system rely on access to the Site Database. For example, to get login credentials verified or license permissions checked. If the Site Database server fails, the whole Security Management system goes down.
• Scalability - As more cameras and users get added to each remote office and as more remote offices get added to the network, everything gets congested. The local LAN’s, WAN links and Central Server all get congested coping with increasing levels of traffic checking for Site Database changes, valid licensing and storing recordings and alarms.

Distributed Architecture
Figure 2 shows how the same Security Management network can be constructed using distributed databases.

Distributing Configuration Data 
To distribute configuration data, each remote workstation can keep a local cache of the Site Database. Configuration data does not change very frequently. This means the information can be synchronized between the Central Server and the remote workstations either according to a managed schedule or on-demand when a change happens.

In the event that the Central Server, a core LAN switch or the WAN fails, users at workstations can continue to work using their locally cached Site Database.

Distributing Licensing Data
Rather than holding license information centrally in the Central Server, individual components of the Security Management system can hold their own licenses. For example, cameras can hold information in their on-board memory about allowed viewing and recording resolutions, or allowed frame rates. They can also hold information on which features are enabled such as advanced motion analytics.

Such a model, where the sources of the valuable data (the cameras and recorders) contain their own licenses, means that the cameras and recorders never need to talk to the Central Server. Because the data sources have their own distributed licenses, this frees up the data viewing applications, running on each workstation, from requiring any license at all. An operator can’t view video if the camera or recorder won’t let him. This means none of the workstations need to check licensing conditions with the Central Server.

Distributing Live Data
Rather than continuously streaming recording and alarm data back from the remote sites to the central site across the WAN, it would be much better to keep the data locally on the LAN. One or more local NVRs at each remote site would reduce traffic across the WAN and allow users at the remote sites to access recordings and alarms even when the WAN is not available.

Of course the central office is often where alarm management happens across the whole Security Management system so users in the central office can still access the remote NVRs in the event of an alarm or incident investigation. Usually when this happens they only need to playback or export certain portions of video from certain cameras and don’t need to access the full 24x7 recordings that have been made of all cameras at the remote site.

Less then 0.1% of video ever gets looked at, so why waste valuable WAN bandwidth unnecessarily? Just use the WAN to restore the pertinent recorded video data when required.

Solving the Problems of a Centralized Architecture
The four major problems associated with a centralized architecture are overcome with a distributed architecture:

• Cost - Precious WAN bandwidth is not used for continuous communication with all remote devices. Instead configuration data is distributed in a managed way. In the event of an operational incident, only the live CCTV video that is required needs be streamed across the WAN or extended LAN. The need to check license data across the network is removed entirely. Cost-effective core network switches can be specified to cope with reduced network loads.
• Reliability and Resilience - A potential source of failure in the Security Management network is the WAN. Money can be spent on increasing the reliability of the WAN connections but it is much more effective to distribute the data so that users still have a working Security Management system even if the WAN connections fail.
• Single Point of failure - Another source of failure in a Security Management system is the data stores – either the Central Server hosting the Site Database or the recorders. Again, money can be spent on increasing the power and reliability of those machines but it is much more effective to distribute the data stores so that users still have a working Security Management system even if those components fail.
• Scalability - With a distributed architecture additional cameras and users can be added to a local office with minimal increase in WAN traffic, the video is streamed and recorded locally. Similarly, if another remote office is added it is just a duplicate of existing offices with local LAN and storage. For even larger systems multiple Central Servers can be distributed and synchronized adding yet another layer of distribution and resilience.
• Enterprise IP CCTV Systems
  A distributed architecture is a fundamental requirement for large enterprise systems with thousands of cameras spread across many locations. Sometimes these locations will be geographically dispersed across sites, cities or even countries e.g. a large corporation, city surveillance, rail network or road system. Sometimes there may be one large location with a high density of cameras split into different groups of cameras e.g. casinos or airports. Even though it is a fundamental requirement for enterprise systems, it is still important for smaller systems. Figure 3 shows a typical layout of a large distributed Security Management system.

• Large systems will also usually have a central control room from where the whole system can be monitored. Some systems will have several central control rooms. The entire network is linked by a WAN, which may use leased lines, wireless connections, DSL connections, satellite links and even the public Internet.
• Under a distributed architecture, each location or group of cameras has a local file server and all workstations at that location have local caches. The master configuration database is held in a central control room on a central server. Each location will also have a local file server. The local file servers are all synchronized with the central master database.
• At each location, individual workstations communicate only to their local file server, never to the central server in the main control room. In addition, each workstation maintains a local cache of the configuration data. Also, each location has sufficient local storage in the form of NVRs to record all the locally produced video and alarm data, reducing the traffic on the WAN.
• If the central server fails or the WAN link breaks, operators always have local caches of the Site Database so they can still access any devices on their LAN. In addition, by distributing the recording capability, operators local to an incident will always have access to live video, recorded video and alarm data for their local cameras, even if communication with the central office is down.