What regulations govern data center operations?

Posted by on Dec 4, 2014 in Facilities Management, Training | 1 comment

What Regulations Govern Data Center Operations?

In the United States, various codes and regulations protect the environment and keep workers safe. There are several types of environmental compliance requirements that pertain specifically to data center operations, each requirement varying based on the size and type of data center involved. But unfortunately, data center managers can become so focused on what it takes to ensure uptime that these environmental and health and safety compliance requirements can get overlooked. There are fines for noncompliance that can amount to hundreds of thousands of dollars and, in certain circumstances, a manager can be held personally liable for a violation.

Environmental regulations common to data center operations

One environmental regulation applies to diesel fuel storage. If you store diesel fuel for your emergency generators in excess of 1,320 gallons, you are required to perform an evaluation to determine if your data center falls under Spill Prevention, Control and Countermeasure (SPCC) plans. The plan includes spill prevention and cleanup procedures, inspection protocols, recordkeeping, and training and may require that a professional engineer, or PE, sign off on the plan.

Another requirement relates to generators or UPS systems common to data centers. Depending on the type of fuel combusted, the year of installation and its horsepower, the generator may be subject to Clean Air Act regulations including emission limits, operational restrictions, and maintenance and testing requirements. In addition, generator fuel storage tanks and certain types of batteries may require reporting under the hazardous chemical inventory reporting requirements of the SARA Title III Emergency Planning and Community Right-To-Know Act (EPCRA).

In order to keep the servers in a cool environment, many data centers have HVAC systems and some install fire-suppressant systems that use halons. Both cooling and fire-suppression systems may employ chemicals that are regulated under the Environmental Protection Agency’s Ozone Depleting Substance (ODS) rules. As a result, generators, UPS systems and equipment containing ODSs may require development of management plans and annual hazardous inventory reports in order to comply with the Clean Air Act and EPCRA.

Employee health and safety regulations

Environmental compliance is not the only area of regulatory compliance that impacts data center operations, however. Employee health and safety requirements under federal and state OSHA regulations must be considered as well. There are a host of standards that impact the critical facilities team such as control of hazardous energy, emergency action plans, hazard communication, noise, thermal stress, permit-required confined space, and fall protection – but this is not an exhaustive list.

Regulatory enforcement

Environmental citations are dependent on federal and state regulations. Based on federal programs, violations can carry hefty, daily fines as illustrated below. Failure to comply with the contingency planning (SPCC) requirements of the Clean Water Act carries a civil penalty of up to $25,000 per day of violation.

The Environmental Protection Agency (EPA) designed the underground storage tank (UST) program to be implemented by the states. In states without approved programs, UST owners and operators remain subject to federal standards, in addition to any state regulations that may apply. States with approved programs have primary enforcement authority. However, the state may request enforcement assistance from the EPA or the EPA may assume enforcement authority if the state has not taken action. The EPA may also issue information requests, warning letters, notices of violation (NOVs), field citations, or administrative orders, and seek judicial injunctions to compel compliance. Penalties for noncompliance may be assessed up to $32,500 per tank per day. Criminal penalties may be assessed for knowing and willful violations.

New Source Performance Standards (NSPS), National Emission Standards for Hazardous Air Pollutants, state implementation plans, new source review, and Title V permits all have federally enforceable limitations and conditions. The EPA may issue a compliance order or issue an administrative penalty order up to $32,500 per day for each violation. The EPA may also bring a civil action seeking a permanent or temporary injunction and/or a civil penalty not to exceed $32,500 per day for each violation. Field citations can be issued up to $6,500 per violation by EPA inspectors for minor violations.

To enforce the emergency planning notification requirements of EPCRA section 302 (Emergency Planning Notification), the EPA may issue a compliance order to a facility owner or operator.  If a commercial facility fails to obey a compliance order, EPA can bring suit in federal district court for a civil penalty of up to $25,000 for each day on which failure to comply continues. Any covered facility that fails to comply with the reporting requirements of EPCRA section 312 (concerning emergency and hazardous chemical inventory forms) or section 313 (concerning toxic chemical release forms) is liable for a civil penalty not to exceed $25,000 for each violation. Each day a violation continues shall constitute a separate violation.

OSHA inspections can be initiated for several reasons, however, the most likely inspections required for operating data centers are typically 1) catastrophes or fatal accidents (electrocutions/falls/explosions) or 2) employee complaints and referrals. Outcomes include the Multi-Employer Standard which states, even if a contractor you hired to manage the data center receives citations, the host employer (you) can also receive a citation.

Two examples illustrate this point:

  • First, a data center owner was cited one serious violation with a maximum proposed fine of $7,000 for requiring their contractor to work on live electrical panels. The contractor was issued six serious violations with proposed fines of $34,000.
  • A second example involved a data center (host employer) who hired a contractor to manage the facility operations. An employee of the contractor filed a complaint with OSHA regarding a host employer’s employee working on an electrical panel.  Following the OSHA inspection, the host employer was cited for not properly training their employees and the contractor was not cited. Furthermore, if the situation occurs again or is not properly abated, the costs of citations can increase tenfold.

In addition to regulatory citations, there is the negative impact to your company’s brand.  If a catastrophic event, spill, explosion or death, occurs at the site, it will hit the media and could negatively impact the local or national reputation of your brand, which would most likely lead to additional financial impact.

There is further financial impact for serious environmental issues and injuries including cost of clean-up for environmental violations, medical costs, and other indirect costs  such as overtime costs and litigation associated with personal injury and, depending on the cause, equipment repair or lost revenue from downtime.

[A note from Terry: In the case where a data center owner or management team does not have the expertise to ensure compliance with regulation, it has been my experience that finding an outside consultant is the best strategy. As you can see, the fines are quite expensive; but outsourcing this type of service helps ensure that the various regulations are met while management remains focused on what it takes to run the facility efficiently.]

This is a guest post from Lee Foley, CIH, CSP. Lee consults on health and safety issues in mission critical environments. She can be reached at lfoley@eqm.com.

One Comment

  1. Thanks for sharing the common sense reminders that are normally included in most MOC locations, Admin Properties as well. There are many types of training available, especially if you’re working for or consulting for a large financial operation center or banks in general. The SOX, SAS and revised versions of the same internal and external audits. Outside agencies i.e. OSHA, Fire, Police, City and County requirements in addition to state and federal regulations as well. My first start when evaluating these types of companies is A. Types of MEP B. Storage of specific quantities, including; Fire Life Safety containment, pre-action and Access control. The SPCC plans are as stated, a general requirement for most diesel fuel AST or UST diesel storage, including belly tank and day tank monitoring and testing and most important, the logging of these inspections, assignment or included in specific job titles, whom is responsible? Ultimately, it’s always the FM or PM. Regardless of any attempted separation of the Engineering/Facilities/Security and Safety and Facilities/Janitorial personnel. The PM should be responsible for all of the items mentioned in the guest post. A good start as a PM or FM is the client’s requirements, i.e. as mentioned uptime requirements, the risks and benefits of doing or not doing specific things as a result of business specific practices. Regardless, it is the PM’s responsibility to coordinate the learning and training sessions, whereas not only to include the Engineers or OE’s working in these locations but everyone that enters the property has a right to know, typically posted as a minimum in lobbies, to include the fire life safety logs, the diesel fuel consumption, fireman’s RED book, that contains all internal and external property maps, the specific rooms that contain the hazardous material, including the battery or sulfuric acid content, the location of such with inverted access plans, directing or having available for all agencies that could end up at your door for inspections. This list is short and can go on forever, however, a second resource, post client review and data collections is with the companies insurance company; meet and greet, review of the liabilities put in place by the property owner and or the tenants that reside in leased properties, triple-net, where your still required to maintain all these items listed above. Typical insurance companies, i.e. Liberty Mutual, will have their minimum safety related standards, anything you do above and beyond the minimum standards, required an annual review to determine if the assets that are insured, are being maintained above the standard, which in my experience has lowered the annual cost of the insurance company premiums significantly.

Leave a Comment

Your email address will not be published. Required fields are marked *