Feed Dual Supply Servers from Two UPSs

[asaini]

I’m designing a UPS system for treatment plant critical loads that includes: PLCs, SCADA servers, control panels, and some instrumentation.

I have been asked by the owner to provide two separate UPSs to feed the dual supply servers from two separate panels.

Do you have any suggestion on pro/con or any problems/issues of such feed system?

 

[davidbeach]

If they are paying for all dual power supply equipment, why would you even consider a common source of supply? The whole point of dual power supplies is to eliminate single points of failure.

 

[alehman]

This is common and preferred practice for high reliability operations. For best reliability the UPS's should be powered from different utility sources.

Alan
----
"It’s always fun to do the impossible." - Walt Disney

 

[DanEE]

No problems per se with a complete dual rail backup power system.. Just make sure you have a good quality installer/installation.

We have installed one for a data center including two generators, two UPS systems with power from each system run to the racks particularly for the CISCO dual power supply network equipment. This system came about due to data center growth with the second system being put in to accomodate the growth.

One caveat: we have a very sharp, long term IT engineer who knows this system well and keeps the systems balanced and manages the loading in an environment of constant change that occurs in most data centers. Also he is keen on documentation and procedures to avoid human error. Even with all that the center was dropped once as noted below. Without him, I suspect things could be much worse.

An inadequately trained fire system technician showed up to do the fire system maintenance checks and he dropped the entire data center. The fire alarm panel is set up to EPO both power systems in the event of a fire and he proved that part of the system works as designed!

This design can really make maintenance and changes much easier since either system will keep the center running.

 

[alehman]

Dan,
I'll bet the fire alarm service tech never comes back. Do you know why the EPO on fire alarm? That seems like a risky situation.

Alan
----
"It’s always fun to do the impossible." - Walt Disney

 

[Electic]

I believe most of the major UPS suppliers have packaged units that can operate in parallel for N+1 reliability. I would call the local vendor for a quote for their package including external maintenance bypass switch and any other equipment that might require a special configuration.

It is also recommended to describe the desired operation, to be part of the factory warranteed specification. For example, if one of the units must carry the full load, or if you must turn the units on and off without disturbing the load, there may be needed aux contacts on the switch to put the units on internal bypass to prevent a backfeed into the invertor during switching. Make sure the supplier understands that you will be switching these units on and off line without reading instructions during commissioning, that he should warrant.

Finally, these installations often have a backup generator in the likely case that only one utility service is available. Make sure the current waveform is compatible with generator output or the generator will need to be greatly oversized. IGBT switching UPS's seem to be more generator tolerant than other switching (true on line) UPS's

 

[ScottyUK]

Electic,

Redundant parallel units share a common output bus, a single failure point. Dual independent systems avoid that weakness by effectively moving the common load bus into the load itself. Of course dual independent systems rely on loads having built in dual power supplies, otherwise they are just a pair of single-source UPSs.


----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[sibeen]

There is of course one caveat to all this:

Just because a computer is dual corded doesn't always mean the supplies are redundant.

I ran into this a few years ago where the client was under the impression that redundancy was implied by the dual input. The failure of one of the busses feeding his computer equipment quickly dissillusioned him

A few vendors are now going away from the N + N ( A + B,) or whatever you want to call it, topology as some high end servers are now becoming tri corded (three supplies) none of which are redundant.

 

[ScottyUK]

Sibeen,

What is the purpose of having a dual or triple input server with non-redundant supplies? Operationally it sounds like there's no benefit over a single power cable.

My cynical view says it is just to enable the server to be plugged in standard socket outlets, even if it takes two or three of them, and then for the IT gonks to complain when the distribution system trips in protest at being overloaded. Tell me I'm wrong!

----------------------------------

If we learn from our mistakes I'm getting a great education!

 

[davidbeach]

Multiple, non-redundant power supplies is just a way to reduce the overall reliability of the equipment. If you have three and can operate on two, you gain some increase in reliability, but having two and only needing one is the best.

 

[asaini]

Thanks everyone for your valuable input and timely help!

 

[rbulsara]

sibeen is right to the extent that not all multi-cord devices have redundnat power supplies. Many use multiple power supply for capacity and still be able to keep the cost down by using multiple inexpensive power supplies. Also keeps the inventory down.

Not many IT managers can be convinced of a pull the plug test on their dual cord servers. A few who did that I know of had some surprises. It is always good to ask if the multiple power supplies (and hence the cords) are there for redundancy or capacity.


Rafiq Bulsara

http://www.srengineersct.com

 

[DanEE]

quote: Dan,
I'll bet the fire alarm service tech never comes back. Do you know why the EPO on fire alarm? That seems like a risky situation.

---------------------------------------

It is a risky situation, but what the customer wanted. Today's EPO requirements certainly contradict redundancies built into a system to avoid an unintentional electrical shutdown. I'm sure we could have a long, in-depth discussion on that topic alone. I grew up with them in IBM mainframe environments and have seen the requirements get pushed by other interests, not so sure in the right direction.

This site does have captive keylock switches, with the keys under strict management accountability, that will prevent the power system from being EPO'd while fire alarm panel testing/work is being performed. In this case, they also forgot to put it in EPO lockout mode. This same mistake also started the countdown for Halon discharge. There is a horn with one minute warning before the Halon discharge starts.. Fortunately the IT guy got to the panel and hit the halon discharge override button..

Having a multiple buttons at the a door exit is asking for human error. At some locations you have to press a green button before opening the exit door to avoid setting off the security alarm.. Some locations have handicap automatic door opener buttons, and then there's the red EPO button on the same wall that will bring the entire room down.

Way back in the early mainframe days, the computer room EPO buttons were on columns or walls high up for visibility, out of traffic areas, and I believe, a requirement that nothing else be on the wall in close proximity. The mainframes themselves were designed with their own EPO function controlled by a red pull out switch at the main console and with cabling to all attached devices for EPO shutdown.

Much like a major electical switchroom, you really have to control who has access.

 

[rcw retired EE]

Careful layout is needed for the A & B power to prevent a PLC on Power Source A with I/O or an HMI on B.

The usual place this happens is in the operator consoles where several computers are used as HMI's. The monitors, modems, routers, computers, and other devices all have plugs going to plug strips. The computer's on source A, the monitor or communication device ends up on source B. A single failure on either power supply takes out the operator stations. The plant may still run but the operators are blind.

 

[DanEE]

Quote:Careful layout is needed for the A & B power to prevent a PLC on Power Source A with I/O or an HMI on B.
-------------------------------------

The power systems installer certainly should be vigilant to make sure the grounding system is solid between the two systems to prevent any significant ground shift from occuring.

And as mentioned you need to know your systems data interfaces to know which ones would not be tolerant of any ground shift noise. Basicly if the data interface has ground wires in it, I would not want it connecting hardware from the A side to the B side. e.g. old style parallel printer port, VGA/SVGA, SCSI, etc.

Ethernet, since it is a differential signal depending on longitudinal balance, and not ground reference, is especially resilient.

Dual rail power systems like that used in the CISCO 4500 family of course are designed with dual power sources in mind.

Lastly some CISCO configurations depend on multiple supplies to meet the total power requirement and not just for redundancy, and it's not obvious in looking which is the case, another situation where the IT folks really need to know their systems. Some of the CISCO boxes have 4 120VAC power cords coming out of them. 2 power supplies can be needed based on installed options to meet minimum load, the other 2 for redundancy.