Now that the dot.com bubble has been dimmed by history, it is interesting to reflect on how mission critical buildings have influenced BAS design. Looking back at the crazy days of the late ’90s, we may recall that it was not a good time to put quality thinking into how best to control a mission critical facility. Many projects struggled with both short schedules (and we know what design/construction aspect suffers the most when this happens) and overly ambitious uptime criteria (everyone was vying for bragging rights on the greatest “number of 9’s”). Fortunately, data centers have continued to be built and generally have had more realistic approaches to balancing cost and quality and now energy efficiency.
What’s interesting about mission critical facility design is that it forces the controls designer to ponder different questions about a specialized BAS design (just like health care and labs, but in a very different manner) than for the typical commercial facility. In many ways, data centers come closest to blurring the line between commercial and industrial controls in our industry. So what are the controls issues that make mission critical facilities so unique? Simply put, the requirement for virtually no HVAC downtime requires systems that are redundant and failsafe. But what does this really mean to the controls designer? While we might expect to find the answer to these questions from industry groups such as the Uptime Institute, which defines criteria for “Tier 1, 2, etc.,” the issues of controls and automation are not clearly addressed.
CONTROLS REDUNDANCY
Redundancy seems like a straightforward concept to mechanical design, but when applied to controls it gets much more complicated. For example, we know that mechanically an N+1 chiller plant has one more chiller installed than is needed to meet the load. But what controls redundancy is required for an N+1 design? Here are some things to consider:
- Shouldn’t each chiller and its associated pumps, cooling tower, etc., be controlled by a dedicated BAS controller? On the other hand, what if each chiller system requires so many points of control that more than one controller is required? If so, do the required controller-to-controller communications degrade redundancy?
- Since the chiller plant typically feeds a common, variable-flow chilled water loop, how many differential pressure sensors should there be, and to which of the above controllers should they be connected? For example, if there is only one sensor and the controller to which it is connected fails, then so much for mechanical redundancy, but how many sensors are needed?
- Should the controllers contain redundant common control sequences? For example, the common chilled water pump VFD/pressure control sequence - what if the controller in which that sequence resides fails? Shouldn’t there be a redundant version of that control sequence in more than one controller?
- Should each of the above controllers be fed by a completely separate UPS-backed power source? If so, how many separate power sources are important for, say, a chiller plant with four chillers?
FAILSAFE AS ITS OWN GOAL?
Failsafe is a design goal that can mean different things to different people. In mission critical design, it generally means that when a controls or communications component fails, the controlled system should not stop operating (within reason, of course). Again, here are some alternatives to consider concerning failsafe:
- If a controller fails, should the point interfaces be designed so that the equipment continues to operate in the same state after the failure (which might require latching relays), or should equipment just be wired to fail on (but to what speed should a VFD fail)?
- Or, should each chiller be served by two completely redundant controllers, so that when one controller fails the other one takes over? Does this then mean that controls failsafe is really controls redundancy? And does this possibly introduce more problems than it solves?