What regulations govern data center operations?

Posted on Dec 4, 2014 in Facilities Management, Training

In the United States, various codes and regulations protect the environment and keep workers safe. There are several types of environmental compliance requirements that pertain specifically to data center operations, each requirement varying based on the size and type of data center involved. But unfortunately, data center managers can become so focused on what it takes to ensure uptime that these environmental and health and safety compliance requirements can get overlooked. There are fines for noncompliance that can amount to hundreds of thousands of dollars and, in certain circumstances, a manager can be held personally liable for a violation.

Environmental regulations common to data center operations

One environmental regulation applies to diesel fuel storage. If you store diesel fuel for your emergency generators in excess of 1,320 gallons, you are required to perform an evaluation to determine whether your data center is subject to Spill Prevention, Control and Countermeasure (SPCC) plan requirements. An SPCC plan includes spill prevention and cleanup procedures, inspection protocols, recordkeeping, and training, and may require that a professional engineer, or PE, sign off on the plan.

Another requirement relates to generators or UPS systems common to data centers. Depending on the type of fuel combusted, the year of installation and its horsepower, the generator may be subject to Clean Air Act regulations including emission limits, operational restrictions, and maintenance and testing requirements. In addition, generator fuel storage tanks and certain types of batteries may require reporting under the hazardous chemical inventory reporting requirements of the SARA Title III Emergency Planning and Community Right-To-Know Act (EPCRA).

In order to keep the servers in a cool environment, many data centers have HVAC systems and some install fire-suppressant systems that use halons. Both cooling and fire-suppression systems may employ chemicals that are regulated under the Environmental Protection Agency’s Ozone Depleting Substance (ODS) rules. As a result, generators, UPS systems and equipment containing ODSs may require development of management plans and annual hazardous inventory reports in order to comply with the Clean Air Act and EPCRA.

Employee health and safety regulations

Environmental compliance is not the only area of regulatory compliance that impacts data center operations, however. Employee health and safety requirements under federal and state OSHA regulations must be considered as well. There are a host of standards that impact the critical facilities team such as control of hazardous energy, emergency action plans, hazard communication, noise, thermal stress, permit-required confined space, and fall protection – but this is not an exhaustive list.

Regulatory enforcement

Environmental citations are dependent on federal and state regulations. Based on federal programs, violations can carry hefty, daily fines as illustrated below. Failure to comply with the contingency planning (SPCC) requirements of the Clean Water Act carries a civil penalty of up to $25,000 per day of violation.

The Environmental Protection Agency (EPA) designed the underground storage tank (UST) program to be implemented by the states. In states without approved programs, UST owners and operators remain subject to federal standards, in addition to any state regulations that may apply. States with approved programs have primary enforcement authority. However, the state may request enforcement assistance from the EPA or the EPA may assume enforcement authority if the state has not taken action. The EPA may also issue information requests, warning letters, notices of violation (NOVs), field citations, or administrative orders, and seek judicial injunctions to compel compliance. Penalties for noncompliance may be assessed up to $32,500 per tank per day. Criminal penalties may be assessed for knowing and willful violations.

New Source Performance Standards (NSPS), National Emission Standards for Hazardous Air Pollutants, state implementation plans, new source review, and Title V permits all have federally enforceable limitations and conditions. The EPA may issue a compliance order or issue an administrative penalty order up to $32,500 per day for each violation. The EPA may also bring a civil action seeking a permanent or temporary injunction and/or a civil penalty not to exceed $32,500 per day for each violation. Field citations can be issued up to $6,500 per violation by EPA inspectors for minor violations.

To enforce the emergency planning notification requirements of EPCRA section 302 (Emergency Planning Notification), the EPA may issue a compliance order to a facility owner or operator. If a commercial facility fails to obey a compliance order, the EPA can bring suit in federal district court for a civil penalty of up to $25,000 for each day on which failure to comply continues. Any covered facility that fails to comply with the reporting requirements of EPCRA section 312 (concerning emergency and hazardous chemical inventory forms) or section 313 (concerning toxic chemical release forms) is liable for a civil penalty not to exceed $25,000 for each violation. Each day a violation continues shall constitute a separate violation.

OSHA inspections can be initiated for several reasons; however, the inspections most likely at operating data centers are typically triggered by 1) catastrophes or fatal accidents (electrocutions/falls/explosions) or 2) employee complaints and referrals. Outcomes include the Multi-Employer Standard, which states that even if a contractor you hired to manage the data center receives citations, the host employer (you) can also receive a citation.

Two examples illustrate this point:

  • First, a data center owner was cited for one serious violation with a maximum proposed fine of $7,000 for requiring their contractor to work on live electrical panels. The contractor was issued six serious violations with proposed fines of $34,000.
  • A second example involved a data center (host employer) that hired a contractor to manage the facility operations. An employee of the contractor filed a complaint with OSHA regarding a host employer’s employee working on an electrical panel. Following the OSHA inspection, the host employer was cited for not properly training their employees and the contractor was not cited. Furthermore, if the situation occurs again or is not properly abated, the costs of citations can increase tenfold.

In addition to regulatory citations, there is the negative impact to your company’s brand. If a catastrophic event (spill, explosion or death) occurs at the site, it will hit the media and could negatively impact the local or national reputation of your brand, which would most likely lead to additional financial impact.

There is further financial impact for serious environmental issues and injuries, including the cost of clean-up for environmental violations, medical costs, and other indirect costs such as overtime costs and litigation associated with personal injury and, depending on the cause, equipment repair or lost revenue from downtime.

[A note from Terry: In the case where a data center owner or management team does not have the expertise to ensure compliance with regulation, it has been my experience that finding an outside consultant is the best strategy. As you can see, the fines are quite expensive; but outsourcing this type of service helps ensure that the various regulations are met while management remains focused on what it takes to run the facility efficiently.]

This is a guest post from Lee Foley, CIH, CSP. Lee consults on health and safety issues in mission critical environments. She can be reached at lfoley@eqm.com.

One Comment

  1. Thanks for sharing the common sense reminders that are normally included in most MOC locations, Admin Properties as well. There are many types of training available, especially if you’re working for or consulting for a large financial operation center or banks in general. The SOX, SAS and revised versions of the same internal and external audits. Outside agencies i.e. OSHA, Fire, Police, City and County requirements in addition to state and federal regulations as well. My first start when evaluating these types of companies is A. Types of MEP B. Storage of specific quantities, including: Fire Life Safety containment, pre-action and Access control. The SPCC plans are as stated, a general requirement for most diesel fuel AST or UST diesel storage, including belly tank and day tank monitoring and testing and most important, the logging of these inspections, assignment or included in specific job titles, who is responsible? Ultimately, it’s always the FM or PM. Regardless of any attempted separation of the Engineering/Facilities/Security and Safety and Facilities/Janitorial personnel. The PM should be responsible for all of the items mentioned in the guest post. A good start as a PM or FM is the client’s requirements, i.e. as mentioned uptime requirements, the risks and benefits of doing or not doing specific things as a result of business specific practices.
Regardless, it is the PM’s responsibility to coordinate the learning and training sessions, whereas not only to include the Engineers or OE’s working in these locations but everyone that enters the property has a right to know, typically posted as a minimum in lobbies, to include the fire life safety logs, the diesel fuel consumption, fireman’s RED book, that contains all internal and external property maps, the specific rooms that contain the hazardous material, including the battery or sulfuric acid content, the location of such with inverted access plans, directing or having available for all agencies that could end up at your door for inspections. This list is short and can go on forever, however, a second resource, post client review and data collections is with the company’s insurance company; meet and greet, review of the liabilities put in place by the property owner and or the tenants that reside in leased properties, triple-net, where you’re still required to maintain all these items listed above. Typical insurance companies, i.e. Liberty Mutual, will have their minimum safety related standards, anything you do above and beyond the minimum standards, requires an annual review to determine if the assets that are insured, are being maintained above the standard, which in my experience has lowered the annual cost of the insurance company premiums significantly.
