Clarification on the use of RCDs with Automatic Transfer Switches in industrial server panels

I'm involved in a back-and-forth with a customer over the design of an industrial server panel using an APC AP4421A rackmount Automatic Transfer Switch. The purpose of the ATS is to keep the server running should one of the two incoming 230 V AC supplies fail.

The current schematic, which goes back to before my time started at this job, has the RCD on the single output of the ATS. The reasoning behind this is as follows:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD and the whole circuit is then isolated.

The customer is insisting that the RCD should be at the input to the ATS and on each supply. The reasoning as to why this shouldn't be implemented, and why the original circuit was designed as it is, is as follows:

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD. The ATS would then detect the first supply dropping out and switch to the second supply, continuing the exposure of the operator to the live circuit before the second RCD would trip.

Now I understand that in the scenario above, where the first RCD trips, the ATS switches and then the second RCD trips, the whole sequence would take tens of milliseconds, and the RCDs would still function as intended.

A couple of important points: the panel is locked during normal operation and access restricted to qualified personnel. We are not privy to any safety devices that are installed upstream on the dual incoming supplies and neither are we in control of that.

I don't have access to any standards to refer back to, hence I'm looking for knowledge here (and in the background enquiring if we can purchase the standards below, which I believe are correct in this instance).

  • IEC 60364: Low voltage electrical installations
  • IEC 61439: Low‑voltage switchgear and controlgear assemblies.

Any practical advice is greatly appreciated and if any clarification is required, I can help with that.

Thank you for reading.

  • No, there is just one single transfer switch through which the two incoming 230 V AC supplies are fed into one 230 V AC supply for the entirety of the panel. So yes, you are correct in that there is a single point of failure in the RCD (or the ATS) that could effectively shut down the entire panel. This is the customer's query.

    There is other 230 V AC powered equipment in the panel, such as AC/DC converters and mains-powered Ethernet switches - these don't have dual power supplies like the servers do.

    As for a reliability/availability assessment, I don't think this exists. I'm ultimately inheriting this design from another engineer so learning as I go with it, hence asking for advice here.

  • As for a reliability/availability assessment, I don't think this exists. I'm ultimately inheriting this design from another engineer so learning as I go with it, hence asking for advice here.

    So if power supply 1 goes down, the servers remain running but nobody can talk to them because the ethernet switches are out? 

  • Depends what kind of shock risk you're talking about - if it's "normal" people without tools just pressing buttons or handling flexes or plugging in or unplugging things, or someone with a screwdriver taking lids off things and gaining access to hazardous live parts.

    If it's the latter case then RCDs are of limited help, since a screwdriver gives access to pre-RCD conductors as well as the ability to get a shock between downstream live conductors (e.g. L+N), which is equally fatal but won't trip the RCD. You need other measures to deal with those cases (competence, isolation etc.), by which point you've normally covered hazards from L-PE shocks in such cases as well.

    30 mA RCDs can be useful where damage to flexes or appliances is likely and won't necessarily be spotted in time - the classic example being lawn mowers or hedge clippers cutting through flexes. These days we expect RCDs on general-purpose socket outlets too - it helps cover the cases where flexes might be damaged or cores exposed (e.g. get pulled out through plug cord grips), appliances suffering significant damage to their cases, or general user stupidity. I would have thought that in a rack-mount environment such risks could be mitigated in other ways (e.g. no sharp edges, flexes routed/dressed so they can't get caught in sliding rails or doors, general work procedures so that damaged equipment is identified and not used).

    Besides, if you have a rack with multiple items of Class I equipment (each of which can have leakage currents of anything up to (from memory) 3.5 mA per item), a 30 mA RCD will be as much use as a chocolate fire guard (as it's liable to trip at anything over 15 mA, and BS 7671 demands leakage currents be kept below 9 mA).

    Also, if it's resilience you want, not only do you not want a common RCD for multiple items of equipment, you don't want them sharing overcurrent protection either. (The main failure I saw in rack-mounted servers was the PSUs failing and shorting out the supply.) So power distribution units with individually fused outputs definitely have their place - especially where single-PSU network gear is involved (and even then be wary of small-rated fuses still not discriminating with higher-rated MCBs upstream).

      - Andy. 

  • If I was the customer it would certainly prompt me to ask questions if the independent supplies were not preserved all the way through to equipment which could accommodate them.

    Overall, it is really difficult to comment without understanding the overall reliability / availability goal. If high availability is really important then there is an argument for duplicating the Ethernet switches with two separate connections to the customer's network (or eliminating them and asking the customer to provide all the Ethernet connections you need - it is their problem then!). For the AC/DC converters these could be duplicated, one on each mains supply with the outputs paralleled (assuming the correct choice of converter).

    The best approach depends on whether the goal is to survive any single point of failure or just a specific list of failures which are deemed to be likely, which is why I asked about reliability / availability studies - there is no point in going to the nth degree if it isn't required. If you have reliability data then you can start to put together some models for various different configurations to try and assess which gives you the best overall availability.
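
The reply above suggests building availability models of the candidate configurations once reliability data is available. The following is an added example, not from any participant in the thread, that puts the two RCD placements under discussion (single RCD on the ATS output versus one RCD per incoming supply) into a simple series/parallel steady-state availability model. Every MTBF and MTTR figure in it is a hypothetical placeholder, and the component names are made up for the example; the failure-independence assumption and the "same RCD model on both inputs" assumption are also the example's own.

```python
"""Availability comparison of the two RCD placements discussed in the thread.

Added example for illustration; it is not from the original post or its
replies. Every MTBF/MTTR figure here is a hypothetical placeholder: substitute
the manufacturer's or the site's own reliability data before drawing any
conclusion. The model covers supply availability only; it says nothing about
shock protection, which is a separate question.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Component:
    """A repairable element with constant failure and repair rates."""
    name: str
    mtbf_h: float  # mean time between failures, hours (hypothetical)
    mttr_h: float  # mean time to restore, hours (hypothetical)

    @property
    def availability(self) -> float:
        # Steady-state availability of a repairable element.
        return self.mtbf_h / (self.mtbf_h + self.mttr_h)


def series(*avail: float) -> float:
    """All elements must be up, so availabilities multiply."""
    out = 1.0
    for a in avail:
        out *= a
    return out


def parallel(*avail: float) -> float:
    """Any one element up suffices; assumes independent failures."""
    unavail = 1.0
    for a in avail:
        unavail *= 1.0 - a
    return 1.0 - unavail


def rcd_on_ats_output(sa: Component, sb: Component,
                      ats: Component, rcd: Component) -> float:
    """Original schematic: (supply A or supply B) -> ATS -> one RCD -> panel.

    The single RCD and the ATS sit in series with everything, so an RCD
    fault or nuisance trip takes the whole panel down whatever the supplies do.
    """
    return series(parallel(sa.availability, sb.availability),
                  ats.availability, rcd.availability)


def rcd_per_input(sa: Component, sb: Component,
                  ats: Component, rcd: Component) -> float:
    """Customer's proposal: (A + RCD_A) or (B + RCD_B) -> ATS -> panel.

    Each RCD only removes its own feed and the ATS selects the other one.
    Both RCDs are assumed to be the same model (same availability).
    """
    path_a = series(sa.availability, rcd.availability)
    path_b = series(sb.availability, rcd.availability)
    return series(parallel(path_a, path_b), ats.availability)


def downtime_minutes_per_year(avail: float) -> float:
    """Convert an availability fraction into expected annual downtime."""
    return (1.0 - avail) * HOURS_PER_YEAR * 60.0


# Constructed, hypothetical figures for the worked comparison.
SUPPLY_A = Component("incoming supply A", mtbf_h=2_000.0, mttr_h=4.0)
SUPPLY_B = Component("incoming supply B", mtbf_h=2_000.0, mttr_h=4.0)
ATS = Component("rackmount ATS", mtbf_h=100_000.0, mttr_h=8.0)
RCD = Component("30 mA RCD (incl. nuisance trips)", mtbf_h=20_000.0, mttr_h=1.0)


def compare(sa=SUPPLY_A, sb=SUPPLY_B, ats=ATS, rcd=RCD) -> dict:
    """Return {label: (availability, downtime min/year)} for both placements."""
    out = {}
    for label, fn in (("RCD on ATS output", rcd_on_ats_output),
                      ("RCD per input", rcd_per_input)):
        a = fn(sa, sb, ats, rcd)
        out[label] = (a, downtime_minutes_per_year(a))
    return out


if __name__ == "__main__":
    for label, (a, mins) in compare().items():
        print(f"{label:18s} availability={a:.6f}  downtime={mins:7.1f} min/year")
```

With the same RCD on both inputs the per-input placement can never be less available than the single output RCD: the difference works out to ATS x S^2 x R x (1 - R), where S and R are the supply and RCD availabilities, which is non-negative. The model deliberately ignores common-cause failures (both supplies lost together, or an upstream device nobody in the panel controls) and treats a nuisance trip as an outage of the RCD; both are the kind of assumption that should be revisited with real data, and none of it bears on the shock-protection question raised in the original post.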

  • No, the Ethernet switch remains running as the ATS will have switched the secondary supply in.

  • The best approach depends on whether the goal is to survive any single point of failure or just a specific list of failures which are deemed to be likely, which is why I asked about reliability / availability studies - there is no point in going to the nth degree if it isn't required.

    I think this is probably key. It will be worth taking a step back and trying to determine this. When it comes to the reliability/availability stuff, that's a whole new can of worms for me to open. Thanks for allowing me to clarify the few ambiguous points and explaining things clearly for me.

  • Also try your local reference library to see about escalating up the national library chain until you find someone who has on-line access (In the past I used the Glasgow Mitchell Library - not sure if it's still a Scottish option), or your local universities, or someone's Alumni facilities.

  • Should an operator touch a live conductor, the imbalance between the two phases would trip the RCD. The ATS would then detect the first supply dropping out and switch to the second supply, continuing the exposure of the operator to the live circuit before the second RCD would trip.

    If an operator touches a live conductor, in the UK there is at least one breach of legislation, unless that is the result of an electrical fault (unlikely unless a cable is severed ... this can be addressed with selection of appropriate cable types that are more robust). The RCD won't prevent that, and the RCD is not intended specifically for that purpose unless the equipment is accidentally damaged.

    The RCD does not offer protection against unsafe working practices contrary to safe systems of work according to relevant health & safety legislation in the UK.