Welcome to the SecAware blog

I spy with my beady eye ...

12 May 2016

Treating computer room fire risks

I wrote the following in response to a simple enquiry to the ISO27k Forum concerning data centre fire suppression this morning.

Following the Montreal Protocol agreement in the 1980s, manufacture of the CFC extinguishant gases commonly known as “Halon” ceased before 1994. Although Halon is a highly effective extinguishant that works at relatively low concentrations (8%), has low toxicity and leaves no nasty residues, it is an extremely harmful “greenhouse gas”. In the upper atmosphere (stratosphere), CFCs are slowly (over decades) broken down by sunlight to release free chlorine or bromine which destroys ozone, subjecting the earth’s surface to increasing amounts of harmful UV radiation.

Halon made before 1994 is still being recycled from old stocks, making it increasingly rare and costly and hence limited to specific applications by organizations that can afford it, if it is not totally banned by national laws. Everything possible should be done to avoid releasing the gas unnecessarily – especially accidental triggering or inept servicing/installation/testing of suppression equipment.

Carbon dioxide, water mist or extinguishants using HFCs are normally used today for full-flood applications. HFCs are also “greenhouse gases” but are less harmful than CFCs – so they are permitted under a raft of legal constraints unless/until something better comes along. The same point about avoiding unnecessary releases applies here.

Aside from full-flood extinguishants and fire suppression, other treatments for fire risks are well worth exploring and exploiting – for instance:
  • An holistic “systems” approach to the specification, architecture, design, installation, use, management and maintenance of all the computer room facilities and services, as a coherent suite, that takes due account of the associated information risks;
  • A complete 24x7 ban on smoking in the area (obviously!) plus other sources of ignition (e.g. welding and plumbing using gas torches, ‘temporary’ mains extension cables and adapters, overloaded racks, dust build-up on fans and filters, and old equipment generally, especially if it has had a hard life at high loads and temperatures);
  • Fire alarm + power interlocks (e.g. powering down air conditioners early in the response sequence to avoid fanning the flames, or conversely leaving them running to disperse the extinguishant);
  • Proactively removing or replacing flammable materials in or near the computer room (especially volatile solvents, paper, cardboard and plastics – such as paint, computer manuals, backup tapes, ordinary PVC-covered cables and spare/stored IT equipment – oh and lead-acid batteries that emit hydrogen);
  • Using internal slab-to-slab partition walls, if not separate buildings, to isolate areas with additional controls over air conditioning flows between them;
  • Improved fire detection (e.g. high sensitivity aspirating systems with local and remote/monitored alarms, in-rack detectors and others strategically placed, regular competent testing plus the use of thermal imaging cameras to identify hotspots);
  • Rapid, effective fire response (e.g. fire training for workers including security guards and maintenance people) including suitable policies, procedures, awareness, training and exercises;
  • Fire insurance (with care over the suitability, insurer, coverage, terms and conditions, limitations etc.);
  • Business continuity planning (e.g. resilience, dual-live, failover and DR arrangements);
  • Fire avoidance (e.g. using cloud services, not locating the data centre in an area prone to bush fires or surrounded by volcanoes – Aucklanders take note!);
  • Regular fire/safety inspections by competent people, with action plans and funding and support to make suggested improvements (!);
  • Proactive power consumption and temperature monitoring (hinting at the value of metrics);
  • and so forth.

Patently, there is a lot to consider here, besides full-flood extinguishants. In other words, take advice from competent professional experts. The few hints I’ve given here are nowhere near sufficient in practice, and I’m just an experienced amateur in this domain.

Most of all, don’t forget that people, especially “knowledge workers”, are extremely valuable but vulnerable information assets, hence our health and safety or welfare qualifies as an information security control as well as a legal and ethical obligation. As a simple example, ‘fire points’ (with the appropriate types of extinguishers for use by suitably-trained people) should ideally be located near designated and protected fire exits, not tucked away deep inside the room, so that anyone brave/foolhardy enough to fight a small fire with a hand-held extinguisher has ready access to a clear escape route, first and foremost.

Kind regards,

PS By the way, computer room and general building air conditioners should not be using CFCs either.
