Clarification on the use of RCDs with Automatic Transfer Switches in industrial server panels

I'm involved in a back-and-forth with a customer over the design of an industrial server panel using an APC AP4421A rackmount Automatic Transfer Switch. The purpose of the ATS is to keep the server running should one of the two incoming 230 V AC supplies fail.

The current schematic, which goes back to before my time started at this job, has the RCD on the single output of the ATS. The reasoning behind this is as follows:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD and the whole circuit is then isolated.

The customer is insisting that the RCD should be at the input to the ATS and on each supply. The reasoning as to why this shouldn't be implemented and why the original circuit was designed as it is, is thus:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD. The ATS would then detect the first supply dropping out and switch to the second supply, continuing the exposure of the operator to the live circuit before the second RCD would trip.

Now I understand that in the scenario above, where the first RCD trips, the ATS switches and then the second RCD trips, the whole sequence would take tens of milliseconds, and the function of the RCDs would still be as intended.

A couple of important points: the panel is locked during normal operation and access restricted to qualified personnel. We are not privy to any safety devices that are installed upstream on the dual incoming supplies and neither are we in control of that.

I don't have access to any standards to refer back to, hence I'm looking for knowledge here (and in the background enquiring if we can purchase the standards below, which I believe are correct in this instance).

  • IEC 60364: Low voltage electrical installations
  • IEC 61439: Low-voltage switchgear and controlgear assemblies.

Any practical advice is greatly appreciated and if any clarification is required, I can help with that.

Thank you for reading.

  • Hi,

    The design is flawed, the server should have separately fed dual redundant power supplies with an RCD on each and no need for the extra point of failure presented by the transfer switch.

    I don't think it is acceptable to have a design where, if an RCD trips, there is an automatic switch to another supply which can have a second attempt at electrocuting someone.

    Arguably there should be RCDs on both incoming supplies and on the output of the switch with mechanical interlinking so that the tripping of any one RCD would trip all three, otherwise the transfer switch itself is not RCD protected.

  • I wonder if there's any need for RCDs at all (presuming it's not a TT installation) - ADS can usually be provided by overcurrent protective devices and large racks often have protective conductor currents high enough to make 30mA RCDs a non-starter.

    I'd agree dual redundant PSUs are usually the better approach - although that's not always an option - there's usually some little item (usually network related) that only has one power inlet. ATS can also be useful for allowing supplies to be switched for maintenance and the like. I used to make a lot of use of a system that was a combined ATS and sequential start - solved a lot of inrush problems.

    If you are wanting an RCD for additional protection, then two that have to trip one after the other seems dodgy to me. At 250mA (or 150mA in some cases) it's required to trip in 40ms - and although when tested an RCD will usually do so within half that time, there's no guarantee it'll do so reliably under all conditions (say different ambient temperatures or slightly different supply voltages) - the manufacturer will only guarantee 40ms for one. Plus there's the unknown effect of a shock-gap-another-shock pattern on the human body as the ATS changes over - as far as I know there's no research on the effect of that - so the normal assumptions to prevent ventricular fibrillation may not even hold.

       - Andy.

  • in the background enquiring if we can purchase the standards below, which I believe are correct in this instance).

    • IEC 60364: Low voltage electrical installations
    • IEC 61439: Low-voltage switchgear and controlgear assemblies.

    I hope that you have deep pockets. The problem is that you may obtain a standard and then find that it does not address the matter in hand.

    BS EN IEC 61439 can be purchased from BSI here.

    A subscription seems to be necessary for IEC 60364.

  • IEC 60364: Low voltage electrical installations

    Isn't that the one (or at least HD version) implemented as BS 7671 in the UK?

      - Andy.

  • I believe that you are correct - see page 20 of BOB and Appendix 1.

  • Having re-read my opening lines, I might not have been clear enough. The panel is supplied with two 230VAC supplies, described in the customer's spec as being "UPS redundant". We are putting the ATS in there as the panel is going to be installed on a gas platform and the integrity of these supplies can't be verified. At least if there are two supplies and an ATS, the server stands more of a chance of staying up if there's an outage. That's the theory behind it, anyway.

    I don't think it is acceptable to have a design where, if an RCD trips, there is an automatic switch to another supply which can have a second attempt at electrocuting someone.

    That's the reasoning why the single RCD is on the output of the ATS.

  • I wonder if there's any need for RCDs at all

    I started considering this, because from what I understand is in IEC 60364, shock risk can be managed through:

    • Controlled access
    • Safe systems of work
    • Isolation procedures
    • Competent persons

    I'm not sure if this would be the correct route to go down.

  • Maybe I was not clear - you can buy servers which contain two separate 230V power supplies with redundancy achieved at the DC level within the server (e.g. SYS-622B-TRT | 2U | SuperServer | Products | Supermicro (a completely random and fairly high-end example)). This provides continued operation in the event that either a 230V feed fails or a server power supply itself fails and means that there is no need for a mains transfer switch. This is the "normal" way of powering servers in datacentres with redundant power sources.

    If that solution doesn't fit then you can achieve the same yourself with a couple of 230V to low voltage (e.g. 24V) converters, some kind of low voltage DC switch (which might be simple diodes) and a DC powered server - this might be more suited to the case where the server is a low power industrial PC in a control system environment rather than a datacentre type server. Obviously this solution requires different design expertise so might not fit with your organisation's capabilities.

  • Ah right, I get you. The servers in the panel are Dell R360 and they have dual power supplies as you describe. There are two servers in the panel, one being primary and the other secondary, both in sync with up to date values etc. We're trying to maximise redundancy to make the panel as robust as possible.

  • So you don't need the transfer switch for the servers, or are there four transfer switches, one for each of the four power supplies across the two servers? A single transfer switch (and the RCD that started this discussion!) introduces a single point of failure you wouldn't otherwise have for the servers. I can understand its use for other items in the panel which don't have dual supplies but you haven't mentioned any of those.

    Is there a reliability / availability assessment which clarifies exactly why the transfer switch is there? If the server power supplies are of significantly lower reliability than the transfer switch (plus RCD) then I can perhaps see an argument for its presence - has that work been done?