There appears to be a major issue of non-compliance with both the NFPA and UL codes by a long list of alarm panel manufacturers in the industry — despite being UL listed —and a group of security professionals in September took the drastic step of notifying the Consumer Product Safety Commission about it.
Jeff Zwirn, president of IDS Research & Development, noticed in his work as a forensic alarm expert that if the data-bus circuit of these alarm panels is damaged in any way, the alarm system is unable to communicate the alarm condition to the central monitoring station or audibly alert those within the property of life safety dangers such as smoke and carbon monoxide, or intrusion.
When he first noticed this issue, he believed it could have catastrophic consequences, but did not realize it made the alarm panels non-compliant to UL and NFPA codes. So he went about developing a product to fix the issue: The Interceptor. First introduced at ISC West 2017, it is a microprocessor designed to eliminate alleged vulnerabilities in the data-bus.
But at the beginning of 2019, Zwirn learned that this alleged defect made the alarm panels non-compliant with UL 985, UL 1023 and NFPA 72. So in April 2019, he released a detailed expert forensic report with a review of the issues and standards, which can be found in the "Additional Readings" section to the right. The report was sent to UL on April 30 and to Intertek on May 1.
The report reads:
"Fundamentally, once the data-bus circuit wiring leaves the control panel housing it exposes the entire alarm system to catastrophic and instantaneous failure upon this data-bus circuit wiring becoming faulted, impeded or shorted by fire in any location where the data-bus circuit wiring is installed throughout the home and as it relates to all data-bus connected devices, equipment or wiring which are remote from the control unit and are installed throughout the household occupancy."
After receiving what he thought were "unsatisfactory" responses from UL and Intertek, Zwirn decided to send an additional complaint to the Consumer Product Safety Commission (CPSC) on Sept. 20, asking the organization to investigate his claims of non-conformity. Along with the complaint, the CPSC received videos made by Zwirn showing the alleged vulnerabilities, a peer review report from former staff liaison to the NFPA Merton Bunker, and documented life and property losses where the identified alarm control panels were installed and failed, according to Zwirn.
The CPSC is currently investigating these claims, and if it decides to place a recall, it could be the largest in industry history, requiring the replacement of tens of millions of alarm panels installed in the past 20 years. In the first week of October 2019, the CPSC notified all of the manufacturers listed in Zwirn's complaint of the potential vulnerability, according to Keith Jentoft, president of The Interceptor Project.
"Whether it’s done by the CSPC, the manufacturers, UL or through some form of litigation, change has to happen now," Zwirn said. "It’s unacceptable for people to rely on a burglar and fire alarm system and for it to not comply with the codes and standards required. There is a special position of trust that occurs between the alarm company and a subscriber, and they’re family, because of what’s at risk."
In an Oct. 9 email to SDM, a UL spokesperson shared the following statement:
"UL’s public mission is to promote safer working and living environments for all people. We make every effort to confirm that UL-certified products meet stringent safety requirements, including opening a Product Incident Report for any issue that comes to our attention. Consistent with our usual policies regarding product safety matters, when UL received the alarm system claims, UL immediately opened a Product Incident Report and began an investigation. During such investigations, certification documentation is reviewed, products are often re-tested, and if any issues are found, UL works with the product manufacturer to resolve the issues. In some instances, a public notice may be issued. Based on the investigation completed thus far, no safety issues have been identified. The investigation is still ongoing."
But on Oct. 16, UL sent another statement to customers stating that while they are still investigating the allegations of non-conformity, no safety issues have yet been identified.
"UL sees no imminent hazard despite the assertions currently in the market," the statement, credited to Kevin Faltin, vice president of building and life safety technologies at UL, read. "The current standards address reasonably foreseeable hazards, faults or misuse not intentional disablement of a life safety device. Those making claims have their own commercial interest in driving concern. The requirements being suggested around attack by fire and/or malicious intrusion inside the protected area are currently not mandated by the applicable standards or code. New suggested requirements could be brought to the attention of the Standard Technical Panel. Those making claims are part of the STP and have not brought suggested revisions to the STP’s attention to-date."
The Interceptor Project sent a statement in response out yesterday, on Oct. 17, insisting the statement from UL is incorrect.
"All roads lead back to NFPA 72 and the written and established requirements are clear that short circuits in any of the alarm secondary devices or circuits shall not render the unit inoperable," the statement reads. "NFPA 72 establishes the baseline. In clause 1.1 the UL 985 standard points back to compliance with NFPA 72. In clause 1.4 the UL 1023 standard points to compliance with UL 985 (which points back to NFPA 72). The expert report and video(s) clearly show a vulnerability resulting in the immediate shut-down of the alarm and the alarm initiating devices thus creating a significant Life Safety Concern to the millions of consumers who rely on these systems for protection."
The Interceptor Project statement also points out that there are plenty of reasonably foreseeable hazards which could cause a short circuit in the data-bus, including rodents and fire.
"A short circuit is a short circuit regardless of how it is created," the Interceptor Project statement continues. "UL is wrong to assert that the NFPA and UL standards allow specific short circuits created one way to shut down the alarm system while only prohibiting some short circuits created other ways from shutting it down. To NFPA, a short circuit caused by a rodent is no different than a short circuit caused by an environmental issue if both can result in loss of life because the alarm system shuts down. NFPA 72 makes no such distinction regarding short circuits killing alarm systems and neither does real life. The only one attempting to make such a distinction is UL."
Jentoft, who took on the role of president of The Interceptor Project in May 2019 after feeling disturbed by the alleged non-compliance of these alarm panels, said he was surprised to read the statement from UL after hearing so little from them for so long.
"If you watch the videos Jeff took, the test [to see if the alarm panels are code compliant] is really simple — it doesn't take 100 days to do," Jentoft said. "Manufacturers paid UL thousands of dollars to test their products and they said they already did, and now everybody's stuck, and their explanation that some circuit shorts are okay is not what the standard says. They had over 100 days and that was the best they could come up with."
Jentoft is the former president of RSI Videofied, a company that gained notoriety by its claim that PIRs are essentially “blind” without the integration of a surveillance camera and which was sold to Honeywell in 2016. He also established the Partnership for Priority Verified Alarm Response (PPVAR).
Resideo, one of the manufacturers identified as allegedly having non-compliant panels, sent a statement about these claims to SDM on Oct. 9.
"Resideo takes compliance with standards seriously and the design, testing and marking of our new products to meet market requirements are among our core competencies," the statement read. "All of our products meet the UL standards with which they are marked at the time of sale."
Peter M. Goldring, a security consultant and expert witness with 35 years of experience in the industry, sees these alleged issues of non-compliance as no surprise.
"The manufacturers certainly knew about this, and UL knew about it for months," Goldring said. "This is the symptom of a greater lackadaisical industry approach towards standards and compliance. When I was a kid I grew up at my family's UL-listed monitoring station, and it was a big deal if you didn't comply or follow the procedures and policies to the letter of the law. They audited you and took away your certification, and there were financial ramifications. Now UL has lost that edge."
Many, however, say that jumping to the conclusion of a recall is premature at this point.
"It’s premature for ESA to comment on this issue at this time,” said Merlin Guilbeau, CEO of the Electronic Security Association (ESA) in an emailed statement to SDM.
Multiple other industry organizations declined to comment as well. Today, on Oct. 18, The Monitoring Association (TMA) sent an email to its members about the allegations.
"TMA is a professional trade association committed to the protection of life and property and are closely watching this unfold and waiting for UL and the manufacturers to release their findings," the email read. "UL is a reliable and trusted source of safety standards across the security industry for best practices. TMA and its members are aware of the alarm panel issue and awaiting results of the UL research into this matter."
While UL has criticized Zwirn for his potential conflict of interest due to The Interceptor Project, he says he simply found a solution to what he saw as a dangerous problem.
"When the smoke detector was invented, was that a conflict of interest?" Zwirn asks. "The Interceptor is the fix — it makes control panels compliant to UL and NFPA standards.
Jentoft said he and Zwirn decided to take down The Interceptor Project website last week so as to not seem as if they are taking advantage of this situation. Jentoft also said The Interceptor is not available for purchase at the moment; his current mission as president is to sell the license to the product.
"The industry itself developed the NFPA 72 standard," Jentoft said. "It's a consensus-based standard, and it's in the code because they decided as an industry that if you have a short on the data-bus it should not take the fire alarm system out. Is Jeff the bad guy for making a product that fixes the problem and putting it up for sale and saving a person’s life? I thought we were in the business of saving people’s lives."
Both Zwirn and Jentoft said they are hopeful that the industry will take steps to solve this alleged issue before anything has to be done legally.
"In a certain sense this is a Pandora’s Box situation where you can’t put it back in the bag, because now if anybody dies because of this issue — and there have been deaths because of this already — there’s no way anybody could claim they didn’t know," Jentoft said.
This is a developing story.
Here below are videos produced by Zwirn, showing the alleged faults in the alarm panels: