Clarification on the use of RCDs with Automatic Transfer Switches in industrial server panels

I'm involved in a back-and-forth with a customer over the design of an industrial server panel using an APC AP4421A rackmount Automatic Transfer Switch. The purpose of the ATS is to keep the server running should one of the two incoming 230 V AC supplies fail.

The current schematic, which goes back to before my time started at this job, has the RCD on the single output of the ATS. The reasoning behind this is as follows:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD and the whole circuit is then isolated.

The customer is insisting that the RCD should be at the input to the ATS and on each supply. The reasoning as to why this shouldn't be implemented and why the original circuit was designed as it is, is thus:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD. The ATS would then detect the first supply dropping out and switch to the second supply, continuing the exposure of the operator to the live circuit before the second RCD would trip.

Now I understand that in the scenario above, where the first RCD trips, the ATS switches and then the second RCD trips, the whole sequence would take tens of milliseconds, and the function of the RCDs would still be as intended.

A couple of important points: the panel is locked during normal operation and access restricted to qualified personnel. We are not privy to any safety devices that are installed upstream on the dual incoming supplies and neither are we in control of that.

I don't have access to any standards to refer back to, hence I'm looking for knowledge here (and in the background enquiring if we can purchase the standards below, which I believe are correct in this instance).

  • IEC 60364: Low-voltage electrical installations
  • IEC 61439: Low-voltage switchgear and controlgear assemblies

Any practical advice is greatly appreciated and if any clarification is required, I can help with that.

Thank you for reading.

Parents
  • Hi,

    The design is flawed, the server should have separately fed dual redundant power supplies with an RCD on each and no need for the extra point of failure presented by the transfer switch.

    I don't think it is acceptable to have a design where, if an RCD trips, there is an automatic switch to another supply which can have a second attempt at electrocuting someone.

    Arguably there should be RCDs on both incoming supplies and on the output of the switch with mechanical interlinking so that the tripping of any one RCD would trip all three, otherwise the transfer switch itself is not RCD protected.

Children
  • Having re-read my opening lines, I might not have been clear enough. The panel is supplied with two 230VAC supplies, described in the customer's spec as being "UPS redundant". We are putting the ATS in there as the panel is going to be installed on a gas platform and the integrity of these supplies can't be verified. At least if there's two supplies and an ATS, the server stands more of a chance of staying up if there's an outage. That's the theory behind it, anyway.

    I don't think it is acceptable to have a design where, if a RCD trips, there is an automatic switch to another supply which can have a second attempt at electrocuting someone.

    That's the reasoning why the single RCD is on the output of the ATS.

  • Maybe I was not clear - you can buy servers which contain two separate 230V power supplies with redundancy achieved at the DC level within the server (e.g. the Supermicro SYS-622B-TRT 2U SuperServer, a completely random and fairly high-end example). This provides continued operation in the event that either a 230V feed fails or a server power supply itself fails and means that there is no need for a mains transfer switch. This is the "normal" way of powering servers in datacentres with redundant power sources.

    If that solution doesn't fit then you can achieve the same yourself with a couple of 230V to low voltage (e.g. 24V) converters, some kind of low voltage DC switch (which might be simple diodes) and a DC powered server - this might be more suited to the case where the server is a low power industrial PC in a control system environment rather than a datacentre type server.  Obviously this solution requires different design expertise so might not fit with your organisation's capabilities.

  • Ah right, I get you. The servers in the panel are Dell R360 and they have dual power supplies as you describe. There are two servers in the panel, one being primary and the other secondary, both in sync with up to date values etc. We're trying to maximise redundancy to make the panel as robust as possible.

  • So you don't need the transfer switch for the servers, or are there four transfer switches, one for each of the four power supplies across the two servers?  A single transfer switch (and the RCD that started this discussion!) introduces a single point of failure you wouldn't otherwise have for the servers.  I can understand its use for other items in the panel which don't have dual supplies but you haven't mentioned any of those.

    Is there a reliability / availability assessment which clarifies exactly why the transfer switch is there?  If the server power supplies are of significantly lower reliability than the transfer switch (plus RCD) then I can perhaps see an argument for its presence - has that work been done?

  • No, there is just one single transfer switch through which the two incoming 230VAC are fed into one 230VAC for the entirety of the panel. So yes, you are correct in that there is a single point of failure in the RCD (or the ATS) that could effectively shut down the entire panel. This is the customer's query.

    There are other 230VAC powered equipment in the panel, such as AC/DC converters and mains powered Ethernet switches - these don't have dual power supplies like the servers do.

    As for a reliability/availability assessment, I don't think this exists. I'm ultimately inheriting this design from another engineer so learning as I go with it, hence asking for advice here.

  • As for a reliability/availability assessment, I don't think this exists. I'm ultimately inheriting this design from another engineer so learning as I go with it, hence asking for advice here.

    So if power supply 1 goes down, the servers remain running but nobody can talk to them because the ethernet switches are out? 

  • If I was the customer it would certainly prompt me to ask questions if the independent supplies were not preserved all the way through to equipment which could accommodate them.

    Overall, it is really difficult to comment without understanding the overall reliability / availability goal.  If high availability is really important then there is an argument for duplicating the ethernet switches with two separate connections to the customer's network (or eliminating them and asking the customer to provide all the ethernet connections you need - it is their problem then!).  For the AC/DC converters these could be duplicated, one on each mains supply with the outputs paralleled (assuming the correct choice of converter).

    The best approach depends on whether the goal is to survive any single point of failure or just a specific list of failures which are deemed to be likely which is why I asked about reliability / availability studies - there is no point in going to the nth degree if it isn't required.  If you have reliability data then you can start to put together some models for various different configurations to try and assess which gives you the best overall availability.
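As an added illustration of the kind of availability model this reply suggests (this is example code, not part of the thread or any vendor's data), the block below compares the two topologies discussed: the current panel (both feeds through one ATS and one RCD) against dual-fed server PSUs with an RCD per feed. All MTBF/MTTR figures are constructed placeholders and must be replaced with real reliability data before any conclusion is drawn.

```python
"""Steady-state availability model for the two panel power topologies
discussed in the thread. Added example; MTBF/MTTR values are constructed
placeholders, not figures for the AP4421A ATS or the Dell R360 PSUs."""


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability of one repairable component."""
    return mtbf_h / (mtbf_h + mttr_h)


def series(*parts: float) -> float:
    """Every component must be up: chained single points of failure."""
    a = 1.0
    for p in parts:
        a *= p
    return a


def parallel(*paths: float) -> float:
    """At least one path must be up: independent redundant paths."""
    down = 1.0
    for p in paths:
        down *= 1.0 - p
    return 1.0 - down


# Constructed assumptions in hours; replace with real reliability data.
SUPPLY = availability(2_000.0, 4.0)        # one incoming 230 V feed
ATS = availability(500_000.0, 24.0)        # transfer switch
RCD = availability(1_000_000.0, 1.0)       # residual-current device
PSU = availability(100_000.0, 24.0)        # one server power supply


def current_panel() -> float:
    """Feed 1 or 2 -> single ATS -> single RCD -> both server PSUs."""
    feed = parallel(SUPPLY, SUPPLY)
    return series(feed, ATS, RCD, parallel(PSU, PSU))


def dual_fed_panel() -> float:
    """Feed n -> RCD n -> PSU n; the server is up if either path is up."""
    path = series(SUPPLY, RCD, PSU)
    return parallel(path, path)


def annual_downtime_minutes(a: float) -> float:
    """Convert an availability figure into expected minutes down per year."""
    return (1.0 - a) * 365 * 24 * 60


if __name__ == "__main__":
    for name, fn in (("ATS + single RCD", current_panel),
                     ("dual-fed, RCD per feed", dual_fed_panel)):
        a = fn()
        print(f"{name}: A={a:.6f}, about {annual_downtime_minutes(a):.1f} min/yr")
```

With these placeholder numbers the ATS and RCD in series dominate the single-path design, which is exactly the single point of failure the reply describes; different input data can reverse the ranking, which is why the assessment is worth doing.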

  • No, the Ethernet switch remains running as the ATS will have switched the secondary supply in.

  • The best approach depends on whether the goal is to survive any single point of failure or just a specific list of failures which are deemed to be likely which is why I asked about reliability / availability studies - there is no point in going to the nth degree if it isn't required.

    I think this is probably key. It will be worth taking a step back and trying to determine this. When it comes to the reliability/availability stuff, that's a whole new can of worms for me to open. Thanks for allowing me to clarify the few ambiguous points and explaining things clearly for me.