S 1.56 Emergency power system

Initiation responsibility: Head of IT, Head of Specialised Department, IT Security Officer

Implementation responsibility: Building Services

Measures for supplying emergency power to the computer centre must be implemented to supplement the primary supply of power from the network of a power utility company (PUC) when the availability requirements are high.

The secondary power supply of a computer centre usually consists of a central UPS for the computer centre and an emergency power supply (EPS). If permitted by the local conditions and the requirements profile for the availability of the computer centre, a second power feed-in from the network of a second power utility company could perform this backup function instead of using an EPS.

While a UPS (see S 1.70 Central uninterruptible power supply) can supply power in case of power fluctuations or brief power failures, an emergency power system will be able to handle longer power failures.

When specifying the size of the emergency power supply, it should be ensured that its rated output is higher than the power consumption of the computer centre when operating under a full load. This ensures that the emergency power system will also be able to provide the power needed when several consumers start up at the same time.

The fuel level of an EPS must be checked regularly, and there should be enough fuel available for at least 48 hours of operation. If the availability requirements are high or very high, this figure may easily increase up to 120 hours. When specifying the amount of fuel to keep in reserve, consideration must be given to whether or not it is technically and logistically possible to refuel while the EPS is operating. When examining the technical feasibility, it is must be examined if sediment in the tank that is stirred-up when refilling the tank may lead to failures (such as clogged filters), especially in the case of EPSs running on diesel. In terms of the logistic feasibility, it is necessary to check if the refilling operation itself could be hampered by a power failure, for example.

Depending on the availability requirements of the IT supplied with power by the EPS, a simple EPS may be adequate or it may be necessary to use a redundantly designed system. If a redundant design is necessary, N+1 redundancy will offer adequate protection against a failure of the EPS itself. If redundancy also needs to be guaranteed when performing maintenance on an EPS, then N+2 redundancy must be implemented.

Additional information on the subject of redundancy and the closely related aspects of modularity and scalability can be found in S 1.52 Redundancy, modularity, and scalability in the technical infrastructure.

It is not always possible to actually install 2 additional units to achieve operational and maintenance redundancy. Since it is generally possible to plan maintenance well enough in advance, the second unit could be used as a mobile EPS and connected temporarily when needed. A mobile EPS can be held in reserve in the organisation itself or can be leased from an external service provider. In this case, corresponding SLAs must be drawn up with the service provider.

An EPS is essential for maintaining IT operations in the case of longer power failures of the primary power supply system. Its protection requirement is the same as the protection requirement of the IT it supplies power to. Special attention should be paid in this case to protecting it against fire and water as well as against access by unauthorised persons.

In order to obtain appropriate protection against fires, it is virtually indispensable to place each of the EPS units in separate fire zones. This is the only way to prevent the other units from failing during a fire shortly after one of the units fails.

Two things are essential to sustain the protective effect of the emergency power supply:

Regular maintenance must be performed on an EPS to sustain the protective effect of the EPS. The EPS must be maintained according to the maintenance interval specified by the manufacturer of the EPS. Load and functional tests should be conducted when performing maintenance.

Tests conducted under realistic conditions are particularly important. This is the only way to reliably determine if all the components for supplying power in an emergency work together properly. The common practice of shutting off the mains power supply from the utility company only after the EPS has powered up successfully does not provide any information on whether or not this will automatically work in the event of an emergency. The only way to determine if the emergency power supply will actually work in an emergency is to perform a hard shutdown of the mains supply during live operations. Similarly, the only way to reliably check if normal operations will be resumed is to switch the mains power supply back on again and check if all components automatically return to the standby state. Test runs should be conducted at least once every two years.

Review questions:

© Federal Office for Information Security. All rights reserved.