Original architecture holds key to true modularity in UPS technology

Original architecture

It’s universally accepted that critical systems – as found in datacentres, on industrial sites and within banking and medical environments – require electrical back-up to mitigate against power failure. The consequences of the failure of these critical systems can otherwise be severe financial loss or perhaps even a risk to life. An online ‘double conversion’ UPS (Uninterruptible Power Supply) is the usual electrical back-up solution in these environments and its main purpose, put simply, is to protect the load. The raison d’etre of the UPS is to ensure that there is no interruption in the supply of power and hence provide high availability or ‘uptime’ of the equipment being protected. An additional benefit and a secondary purpose of an online double conversion UPS is to minimize disturbances to the quality of the power delivered to the load.
For reasons of flexibility and adaptability it has become commonplace for online UPS systems to be sold as ‘modular’. In this context, ‘modular’ means that multiple power units are placed in parallel to achieve the total power output specification required. Modularity, in this instance, though does not necessarily mean fault-tolerance as the increased complexity of a modular solution can lead to a higher overall failure rate.
Given that the main function of a UPS is to protect the load connected to it, it is crucial that energy supply is free of disturbances and that power is available at all times, without interruptions.
Therefore, two questions become important. Firstly, how likely is it that disturbances in the power line will reach the load and secondly how likely is the UPS system to fail?
To answer the first question, we can assume that loads fed by bypass power sources are more susceptible to lower power quality and micro-outages, when compared to loads powered by online double conversion UPS systems. Therefore, maximizing the amount of time a UPS is running in online double conversion mode is crucial to guarantee the highest protection to the load. The decision of when to switch from online double conversion to bypass, when to switch back to double conversion or of when to run on batteries depends on the power quality. But what is often not considered is that it can also depend on the UPS architecture and on how control devices are programmed.
When compared to a single, large, stand-alone UPS, having racks full of identical parallel power modules may give some confidence to the specifier and the end user that there is plenty of ‘hardware back-up’ and no single point of failure. However, having more power modules does not necessarily guarantee the highest performance in terms of UPS power management and load protection.
Most typical modular UPSs have several unique and centralised components that represent a single point of failure such as the bypass, control logic or display. This means that, in a modular UPS system with one single control unit, in the case of a failure or malfunctioning of the CPU the entire system will fail, just as in a single stand-alone UPS. If you stand back and analyse the topic in its entirety, you might conclude that a single point of failure is fundamentally contrary to the main purpose of a UPS i.e. supporting

System Redundancy

Even with redundant systems with no single failure points, individual UPS module reliability must still be extremely high and repair time fast so that the risk of multiple failures is low enough to meet system availability specifications. Having excess capacity in a redundant ‘N+N’ configuration is a solution, but if the whole system must be bypassed to enable one module to be replaced, then there is still a significant risk in the event of total power loss from an AC supply interruption. ‘Hot swapping’ keeps the UPS system in operation with one UPS module disconnected but, there must be high confidence that a new replacement module is functioning and configured correctly to avoid any system ‘glitch’ as it is switched online.
Hot swapping an entire UPS module means that the MTTR (Mean Time To Repair) reduces considerably as there is no need to repair the system but only single modules in case of the failure of any component. In
the load and keeping power quality and availability to the highest level.
A single unique processor, in standalone and typical modular UPS, represents a threat to the system’s reliability. Therefore, the desired protection level that is required of the UPS can only be achieved through the overall electrical system architecture and not through the selection of one piece of equipment.
case of centralised systems, the user would need to bypass the entire unit if the problem is with a centralised component and not linked to a power module.
An additional consideration is that any single non- redundant circuit, interfacing to every module in the system, may represent a single point of failure. For example, if there is a common communication line that interfaces to every module, the control and monitoring of the entire system can be compromised in case of a failure in the centralised circuits.
In summary, an effective modular UPS system must comprise highly reliable products in an N+N configuration with guaranteed immunity to single- point failures, comprehensive monitoring and fast time to repair.

A different way of thinking

To achieve the ‘ideal, true-modular’ UPS system, Centiel SA has developed its DARA – Distributed Active Redundant Architecture – that is used with its CumulusPower range of products. The technology is based on the principle of each module being ‘Distributed’, that is, fully autonomous with its own inverter, static bypass unit, software/control logic, back-feed protection, battery charger and control panel (see DARA modular architecture in diagram below).
So, what is it about this approach which is so unusual? Firstly, the Distributed Active-Redundant Architecture is achieved through a “democratic” majority load transfer decision-making function that, in the event of a critical failure, will provide correct management of the load. In the event of a critical failure, every module will make a decision, by means of its logic circuit, as to whether the load should remain on the inverter or be transferred to the bypass. The load transfer will be conducted depending on the decision made by the majority of the modules. The modules are equipped with all hardware (power and control circuits) and all software (intelligence and monitoring) functions, which make them fully independent and capable of safely isolating themselves from the multi-module system whenever an internal fault occurs. The rest of the multi- module system will continue to provide protected power to the critical load without interruptions. The integration of all hardware and software in each module allows the elimination of all single points of failure that would compromise the system and the power to the load. The communication between the logic circuits of the modules is accomplished by means of a redundant communication BUS.
This Graphic shows the comparison between a typical ‘modular’ system with evident single failure points and the Centiel DARA approach, where the inherent isolation between functional blocks can be seen.

Each CumulusPower UPS module can take power from one of two three-phase AC inputs, typically main supply and diesel generator back-up but also from batteries, which can be common to several or specific to the module (in which case they would be in at least two parallel strings
with separate protection, fusing and isolating switch, for fault tolerance). Total battery voltage is flexible and selectable with typical installations using Valve Regulated Lead-Acid (VRLA) types or optionally nickel-cadmium or lithium-ion batteries.

Conclusion

The DARA approach offers both enhanced redundancy and the highest availability through its ‘truly modular’ capability. The beauty of the distributed architecture is that it offers a reduced MTTR (Mean Time To Repair) as it is possible to hot swap a module in case of the failure of a control unit and there is no requirement to switch the system to bypass or to battery power in the case of failure of the CPU. It also offers a high MTBF (Mean Time Between Failures) as
there is always a redundant circuit that will take over in case of failure.
This approach also offers the highest availability, with an industry high of ‘Nine nines’ 99.9999999 availability being achieved, as essentially each CumulusPower module is a complete UPS in its own right rather than just being a power module linked to a CPU as used in typical modular architecture.