I wrote the following in response to a simple enquiry to the ISO27k Forum concerning data centre fire suppression this morning.
Following the Montreal Protocol agreement in
the 1980’s, manufacture of the CFC extinguishant gases commonly known as
“Halon” ceased before 1994. Although Halon is a highly effective
extinguishant that works at relatively low concentrations (8%), has low toxicity
and leaves no nasty residues, it is an extremely harmful “greenhouse
gas”. In the upper atmosphere (stratosphere), CFCs are slowly (over
decades) broken down by sunlight to release free chlorine or bromine which
destroys ozone, subjecting the earth’s surface to increasing amounts of harmful
UV radiation.
See https://en.wikipedia.org/wiki/Bromochlorodifluoromethane
and http://www.bcairquality.ca/101/ozone-depletion-causes.html
and http://www.enviropedia.org.uk/Ozone_Depletion/ODCs.php (among others).
Halon made before 1994 is still being
recycled from old stocks, making it increasingly rare and costly and hence
limited to specific applications by organizations that can afford it, if it is
not totally banned by national laws. Everything possible should be done
to avoid releasing the gas unnecessarily – especially accidental triggering or inept
servicing/installation/testing of suppression equipment.
Carbon dioxide, water mist or extinguishants
using HFCs are normally used today for full-flood applications. HFCs are
also “greenhouse gases” but are less harmful than CFCs – so they are permitted
under a raft of legal constraints unless/until something better comes
along. The same point about avoiding unnecessary releases applies here.
Aside from full-flood extinguishants and fire suppression, other
treatments for fire risks are well worth exploring and
exploiting – for instance:
- An holistic “systems” approach to the specification, architecture, design, installation, use, management and maintenance of all the computer room facilities and services, as a coherent suite, that takes due account of the associated information risks;
- A complete 24x7 ban on smoking in the area (obviously!) plus other sources of ignition (e.g. welding and plumbing using gas torches, ‘temporary’ mains extension cables and adapters, overloaded racks, dust build-up on fans and filters, and old equipment generally, especially if it has had a hard life at high loads and temperatures);
- Fire alarm + power interlocks (e.g. powering down air conditioners early in the response sequence to avoid fanning the flames, or conversely leaving them running to disperse the extinguishant);
- Proactively removing or replacing flammable materials in or near the computer room (especially volatile solvents, paper, cardboard and plastics – such as paint, computer manuals, backup tapes, ordinary PVC-covered cables and spare/stored IT equipment – oh and lead-acid batteries that emit hydrogen);
- Using internal slab-to-slab partition walls, if not separate buildings, to isolate areas with additional controls over air conditioning flows between them;
- Improved fire detection (e.g. high sensitivity aspirating systems with local and remote/monitored alarms, in-rack detectors and others strategically placed, regular competent testing plus the use of thermal imaging cameras to identify hotspots);
- Rapid, effective fire response (e.g. fire training for workers including security guards and maintenance people) including suitable policies, procedures, awareness, training and exercises;
- Fire insurance (with care over the suitability, insurer, coverage, terms and conditions, limitations etc.);
- Business continuity planning (e.g. resilience, dual-live, failover and DR arrangements);
- Fire avoidance (e.g. using cloud services, not locating the data centre in an area prone to bush fires or surrounded by volcanoes – Aucklanders take note!);
- Regular fire/safety inspections by competent people, with action plans and funding and support to make suggested improvements (!);
- Proactive power consumption and temperature monitoring (hinting at the value of metrics);
- and so forth.
Most of all, don’t forget that people,
especially “knowledge workers”, are extremely valuable but vulnerable
information assets, hence our health and safety or welfare qualifies as an
information security control as well as a legal and ethical obligation. As a simple example, ‘fire points’ (with the appropriate types of extinguishers
for use by suitably-trained people) should ideally be located near designated
and protected fire exits, not tucked away deep inside the room so that anyone
brave/foolhardy enough to fight a small fire with a hand-held extinguisher has
ready access to a clear escape route, first and foremost.
Kind regards,
Gary (Gary@isect.com)
PS By the way, computer room and general building air conditioners
should not be using CFCs either.
