EUROCONTROL - HIGH-AVAILABILITY ELECTRICAL POWER
FOR UNCOMPROMISED AIR-TRAFFIC SAFETY
Case study of a high-availability electrical installation
designed for secure maintenance and power extension
Yves De Raeymaeker Pasquale Castellana
Sales manager Engineering Division
MGE UPS Systems EUROCONTROL
Boulevard Paepsemlaan, 18 Rue de la Fusée, 96
1070 Brussels - Belgium 1130 Brussels - Belgium
Yves.deraeymaeker@ pasquale.catellana
mgeups.com @eurocontrol.int
Abstract
Reliability is a watchword in the Internet world
and in mission-critical industrial and service-
sector processes such as air-traffic control.
For this reason, the Haren site of
EUROCONTROL, the European air-traffic control
organisation, was initially equipped with UPSs.
Though highly reliable, the installation was
difficult to service and maintenance was not
possible without a reduction in the reliability of
key components in the UPS system.
Taking advantage of new possibilities offered by
static-transfer switches, EUROCONTROL
upgraded its installation to keep safety in line with
steadily growing air traffic. The new multi-source
configuration features full redundancy for secure
maintenance and continuous supply from the
highest quality source.
Project design and implementation, carried out in
close cooperation with MGE UPS SYSTEMS and
benefiting from its vast experience in high-
availability installations, succeeded in the difficult
reorganisation of the electrical system on the
critical computer site in Haren.
The installation is "power secure" and all
transfers from one source to the other are totally
transparent to users.
What is more, the new architecture enables
gradual upgrades. The initial investment can be
adapted to start-up goals with later investments
ensuring smooth response to future needs
without any interruption in the supply of power.
Peter Krol Jean-François Christin
Engineering Division Technical Marketing Manager
EUROCONTROL MGE UPS Systems
Rue de la Fusée, 96 140, avenue Jean Kuntzmann
1130 Brussels - Belgium ZIRST – Montbonnot St Martin
peter.krol 38334 St Ismier Cedex – France
@eurocontrol.int jean-francois.christin@mgeups.com
1. EUROCONTROL, meeting the
air-safety challenge in Europe
EUROCONTROL
EUROCONTROL [1], the European air-traffic
control organisation with 32 member states,
works primarily on creating a single air-traffic
control system for all of Europe. A unified system
is the only way to meet the challenges, now and
in the future, that face the entire aeronautic
community, that is handling steadily increasing
air traffic while ensuring maximum safety,
reducing costs and protecting the environment.
Fig. 1. EUROCONTROL for safe European
skies.
EUROCONTROL (EC) formulates, coordinates
and plans European-wide short and long term
air-traffic strategies as well as the resulting plans
of action. This collective effort involves:
• national regulatory authorities;
• air-navigation service providers;
• users of civil and military air space;
• the industrial sector;
• other European institutions.
A noteworthy group of 2000 experts in a number
of European countries provide the requisite
technical and operational know-how. They make
sure that the new air-traffic control projects and
concepts are actually implemented in control
centres, aircraft and airports.

Fig. 1. EUROCONTROL site in Haren
(Zaventem), near Brussels.
CFMU - traffic management
At EUROCONTROL (EC), the CFMU (Central
Flow Management Unit) is the central
organisation in charge of managing air traffic.
Located at EC headquarters in Haren, near
Brussels, it is in charge of balancing demand and
available control capacities, thus helping to
reduce congestion in European air space.
The CFMU supplies ATFM (Air Traffic Flow
Management) services in the air space of the
member states. The main goals, within the
framework of approved ATFM policy and
principles, are to create and maintain the highest
level of service quality for:
• users of its Air Traffic Services (ATS), i.e.
provision of flight-plan data, optimum use of
available capacity, smoothing of traffic and
protection against overloads;
• Aircraft Operators (AO) requiring its services,
i.e. advice on flight planning, reduction of
penalties due to congestion.
The CFMU supplies both operational and
strategic services 24/365. Its operations rooms
participate in the daily management of air traffic
in cooperation with operations rooms of the Area
Control Centres (ACC) set up throughout Europe
and with which it is in constant communication.
Flow managers continuously monitor the air-
traffic situation in Europe to detect load and
capacity changes, delays, congestion, and
unused slots and to ensure fairness in flow
management.
On the basis of the monitoring activities and
tactical analyses, managers assign and update
slots, propose personalised rerouting solutions
and redirect flow using pertinent information,
while continuously ensuring the balance between
demand and capacity.
The CFMU continuously improves its tools and
procedures, with its main goals being to:
• improve checks on flight plans using a
database covering all European air space;
• supply the Flow Management Positions (FMP)
with the best means to monitor traffic;
• help aircraft operators in making decisions;
• inform its partners on the real situation.
Computers - a vital tool requiring
reliable electrical power
CFMU operations rooms manage 26000 flights
per day on the average and are continuously in
real time contact with the ACCs throughout
Europe.
The computer room, the nerve centre of the
system, must never shut down and a backup
supply of electrical power is clearly a necessity.
Reliability is a watchword in the Internet world
and in mission-critical industrial and service-
sector processes such as air-traffic control.. This
need has led to widespread use of multi-source
configurations with full redundancy for secure
maintenance and continuous supply from the
highest quality source.
The availability of an electrical installation
depends essentially on three key factors:
• availability of utility power;
• source autonomy and reliability (UPSs, engine
generator sets);
• installation architecture and its level of
redundancy.
It is notably through redundancy, using Upsilon
STS static transfer switches from MGE UPS
SYSTEMS, that the Haren site, already equipped
with an electrical installation protected by UPSs,
further improved power availability (1) and totally
secured the installation with respect to
maintenance operations.
(1) Availability is the probability that an installation will be
capable of supplying energy having the necessary quality at
a given time. It is expressed as:
MTTR
Availability (%) = (1 − ) x 100
MTBF
- MTTR: mean time to repair (includes fault detection, repair
and return to service).
- MTBF: mean time between failures.
An availability of 99.9% implies non-availability of 0.1%
(0.001). A level of 100%, i.e. an MTTR equal to zero (instant
repair) or an infinite MTBF (no failures) is statistically
impossible. The lower the MTTR and the higher the MTBF,
the better the availability.
The levels required today for continuous applications such as
the Internet are 99.9999% (six nines), corresponding to a
level on non-availability equal to 10-5.
 MTBF MTBF unit was sufficient to supply the load.
• Non-availability was calculated as 3.83 x 10-6.
MTTR MTTR • The backup time was ten minutes.

G1 G2 G3 G4
CT.1 CT.2 CT.3
time

1st fault 2nd fault 3rd fault

MLVS 1 Q12 MLVS E Q4 Q14

Repair Repair Repair

Maintenance or repair time
MLVS N/E 1
Fig. 3. Availability, MTTR, MTBF. 800A
Q6
▼
Q7
Q1 Q2 Q3 Q4

2. Initial electrical installation 800A 800A 800A 2000A

Description
EPS5000 EPS5000 EPS5000 N/S
400kVA 400kVA 400kVA
General criteria 1200kVA

Technical specifications for the initial UPS

system at Haren required:
• MTBF = five years for outages > five minutes;
• MTBF = one year for outages between one and
five minutes;
• No loss of data.
To meet these high requirements, a UPS system
was designed. See figure 4 below.
MLVS U 1
Q16 Q2 80A U-PF-01

MV supply Q3 80A UWC1-3

Q4 80A
• One-point supply by the Electrabel utility, with Q5 100A
UWC4-6
UWC7-8
three 11 kV/400 V - 1120 kVA transformers Q6 100A
PDU1

available.
Q7 100A
PDU2
Q8 100A

• Supply conditions comply with standard

PDU3
Q9 100A
PDU4

EN 50160 governing energy quality. Q10 100A

Q11 100A
PDU5

PDU6
Q12 100A
PDU9
Main LV supply Q13 100A
PDU11
Q14 100A
• One normal source switchboard (MLVS 1), Q15 100A
PDU12

PDU14
supplied by the transformers. Q17 100A
PDU7

• One emergency source switchboard (MLVS E),

Q18 100A
PDU8
Q19 100A
PDU10
supplied by four (1000 kVA each) engine Q20 100A
PDU13

generator sets. The total start-up and

synchronisation time is under one minute (45 Fig. 4. The initial electrical installation.
seconds).

UPS LV switchboard Load switchboard

• One source-changeover switchboard
(MLVS N / MLVS E1) for switching between the
transformers and the engine generator sets.
• Four 800 A output circuits to the UPSs.
UPS system
• Three 400 kVA units in parallel and a 1200 kVA
centralised SSC (static-switch cubicle).
• Active 2+1 (or 1/3) redundancy, i.e. three units
share the load, but two are sufficient if
necessary.
• Given the 200 kVA load (66 kVA per unit),
redundancy was in fact 1+2 (or 2/3), i.e. a single
• One distribution switchboard (MLVS U 1), with
100 A output circuits to the Power Distribution
Units (PDU) supplying the computer servers.
Analysis of operation
Though very reliable, this installation offered
reduced servicing possibilities and maintenance
was not possible under de-energised conditions
or without a major drop in the reliability of key
components in the UPS system.
• MLVS 1 (transformers): servicing of each
transformer is possible, but supply possibilities
are downgraded.
• MLVS NE1 (source changeover): component Main LV supply
required to supply the UPS units. • Second switchboard (MLVS 2) supplied by the
• MLVS U1: opening an output circuit means the second set of transformers.
corresponding server is no longer supplied. • Use of the same switchboard supplied by the
Opening of the main switch Q16 means none of four 1000 kVA engine generator sets (MLVS E).
the loads are supplied.
Aware of its continuity-of-service requirements UPS LV switchboard
and on the basis of its past experience, • Second source-changeover switchboard, use of
EUROCONTROL looked into a new UPS system the same four 800 A circuit breakers plus four
when static transfer switches became available. more 800 A circuit breakers.

3. The new installation UPS system

• Replacement of previous system with three
Description 400 kVA Galaxy units, each with its own static
and maintenance bypasses for individual
servicing purposes.
General criteria
The initial availability criteria were maintained. • Two units (UPS 1 & 2) are the two sources for
The primary goal was to enable maintenance the downstream switchboards. The third unit
without a significant loss of reliability. (UPS 3) stands by to supply the bypass AC
A multiple-source system was selected. The inputs of the two others.
complete design study was carried out in close • Calculated non-availability reduced to 2.5 x 106.
collaboration with EUROCONTROL. Upgrades • The backup time remained ten minutes.
dealt with the following points in the installation
(fig. 5). Supply to the loads
• Second distribution switchboard (MLVS U1 and
CT.1 CT.2 CT.3
G1 G2 G3 G4
T2.1 T2.2 T2.3
U2), with 100 A output circuits supplying the
computers via an STS for each PDU secondary
MLVS 1 Q12 MLVS E Q4 Q14 MLVS 2 Q12 switchboard.
TD EPS EXT • When the STS sources are correctly set up,
800A
800A Q1
Q6
▼
Q7
MLVS N/E 1 MLVS N/E 2
Q7
▼
Q6
there are two supply routes for each server (dual
Q5 Q2 Q3 Q4 Q3 Q4 Q2 Q5
attach system, see figure 6):
- via MLVS U1 and MLVS U2 during normal
800A 800A 800A 800A 800A 800A 800A 800A

operation ( and set as preferred sources);

- via two outputs on MLVS U1 ( and ) or on
IN/UPS 3 IN/BP/UPS3

FAH FAH FAH

UPS1 UPS3 UPS2

Galaxy
IN/BP/UPS1
Galaxy
IN/BP/UPS2
Galaxy MLVS U2 ( and ) by switching the
400 kVA
UPS1
400 kVA
UPS3
400 kVA
UPS2 corresponding STS.
• STS switching is secured by synchronisation of
the UPS outputs, thus ensuring no-break
transfers. UPS 3 controls the two others via
MLVS U 1
Q16 Q2 80A U-PF-01 U-PF-01
MLVS U 2
80A Q2 Q16
synchronisation units
Q3 80A UWC1-3 UWC1-3 80A Q3
Preferred Alternate Alternate Preferred
Q4 80A 80A Q4
UWC4-6 STS 1 UWC4-6
STS 2
Q5 100A 100A 100A 100A Q5
UWC7-8 UWC7-8
Q6 100A 100A Q6
PDU1 PDU1
Q7 100A 100A Q7
PDU2 PDU2
Q8 100A 100A Q8
PDU3 PDU3
Q9 100A 100A Q9
PDU4 PDU 1 PDU 2 PDU4
Q10 100A 100A Q10
PDU5 PDU5
Q11 100A 100A Q11
PDU6 PDU6
Q12 100A 100A Q12
PDU9 PDU9
Q13 100A 100A Q13
PDU11 PDU11
Q14 100A 100A Q14
PDU12 PDU12
Q15 100A 100A Q15
PDU14 PDU14
SERVER
SERVEUR
Q17 100A 100A Q17
PDU7 PDU7
Q18 100A 100A Q18
PDU8 PDU8
Q19 100A 100A Q19
PDU10 PDU10
Q20 100A 100A Q20
PDU13 PDU13

Fig. 5. New electrical installation.

MV supply
• Two Electrabel supply points by creation of a
connection to a second set of three 11 kV/400 V -
1120 kVA transformers (MLVS 2) and another
connection to the engine generator sets (MLVS
E).
 MLVS NE1
UPS1 UPS3 UPS2
Sync Sync
MLVS U1
3 4
STS
1 2
STS
PDU PDU
Double attach
Server supply
Fig. 6. Dual-attach system.
Upgrade phases
The transition took place in four steps, the goal
being to avoid disturbing the computer systems.
• Creation of the second line with replacement of
an old UPS.
• Insertion of an isolated redundant UPS system
on the new line.
• Replacement of last old UPS.
• Insertion of the STS units.
Analysis of operation and of the
resulting advantages
The installation meets the goal of enhanced
reliability. Gradual installation upgrades are
possible in step with future needs. It also
eliminates the use of a single static switch
cubicle (SSC). A future improvement will be to
connect a load to the backup unit (UPS 3) to
ensure correct operation of the battery. The new
configuration provides the following advantages
as well.
Maintenance on all components without
significant loss of reliability
• Both supply lines, made up of MLVS 1, MLVS
NE1, UPS 1, MLVS U1 and MLVS 2, MLVS NE2,
UPS 2, MLVS U2, can be de-energised. The
MLVS NE2 remaining line maintains supply with sufficient
availability due to:
- the backup time of the UPS unit;
- UPS 3 standing by to back up the UPS unit;
- the engine generator set to back up the UPSs.
Maintenance is possible on all line components.
• Maintenance on each UPS unit is also possible,
without significant loss of reliability.
- Shutdown of either UPS 1 or UPS 2 leaves the
other still in operation, with UPS 3 standing by.
MLVS U2 - Shutdown of UPS 3 leaves both UPSs 1 and 2,
backed up by the engine generator set.
Test on each static bypass
The test is carried out via the backup unit (UPS3)
described above.
Shutdown of each PDU secondary
switchboard
Shutdown is possible if all downstream devices
1path
= possible supply
(4 paths in all) have a dual attach.
Under operating conditions, manual changeover
switches installed in the right places enable safe
maintenance on each switchboard without any
reduction in reliability or continuity of service.
4. Contribution of Upsilon STS
This configuration was made possible by the new
static transfer switches (30 to 600 A STSs) that
secure and optimise redundant supply systems.
Connected to two independent and redundant
sources, an STS supplies a set of devices. It
ensures no-break transfer from the preferred
source to an alternate source:
• either in automatic mode according to
predefined conditions (operation on preferred
source with automatic transfer back, selection of
best source, etc.);
• or in manual mode.
Transfer takes place:
• without source overlapping (break before make
technique), thus avoiding parallel connection of
sources during transfer and any risk of fault
propagation between the two sources;
• whatever the type of sources, which may be
different (UPSs, transformers, generator sets).
 • experts in installation audits and solutions;
Preferred source Alternate source

Upsilon STS • a training centre for customer personnel.

Control
electronics

6. Conclusion
Remote-controlled
switch

Static
switch

Close cooperation between EUROCONTROL

Bypass
and MGE UPS SYSTEMS made possible the
difficult reconfiguration of the electrical
installation on the critical computer site in Haren.
Loads The installation is "power secure" and all
Fig. 7. Upsilon STS from MGE UPS SYSTEMS. transfers from one source to the other are
transparent for users.
Upsilon STS transfers the load in 3 milliseconds, This upgrade benefits from Upsilon STSs, a key
i.e. three times faster than CBEMA (Computer component in the SMPE (Secure Maintenance &
Business Equipment Manufacturer’s Association) Power Extension) concept, that make gradual
recommendations stipulate (see figure 8). installation upgrades a possibility. The initial
Built-in bypass and disconnection functions investment can be adapted to start-up goals with
ensure safe servicing under no-load conditions. later investments ensuring smooth response to
Source redundancy maintains high availability future needs without any interruption in the
during maintenance or site upgrades. Upsilon supply of power.
STS transfers loads easily and safely from one
source to the other to isolate a part of the [1] EUROCONTROL
installation and work under no-load conditions. Haren - Belgium www.eurocontrol.int
The synchronisation units ensure perfect [2] L'ingénieur électricien
synchronisation between sources at all times. Article in CHR Couwenbergh, December 2002

voltage in %
400

300

200

Adjustable
Upsilon STS 106 %
100
87 %

0
0.001 0.01 0.1 0.5 1 10 100 1000
3 ms 10 ms 2s

Fig.8. CBEMA envelope and Upsilon STS

performance.

5. Close cooperation with

EUROCONTROL
Restructuring the electrical installation on a site
as critical as Haren required close cooperation
between the UPS supplier and the customer. The
supplier imperatively have solid experience in
high-availability installations.
An initial contact served to present STSs and
their many possibilities. This contact resulted in a
request to design a new configuration ensuring
maximum availability.
The applied know-how was backed up by
continuous presence on the site and a complete
support-services structure, including: