Sector

Lightning risk assessment for data centres

A data centre can lose service to thousands of users from a single induced surge, with no fire and no direct strike anywhere on the building. That puts continuity of service, not the structure itself, at the centre of the assessment. This guide explains why data centres are an extreme case for lightning risk, which risks dominate, and how an IEC 62305 study has to be shaped around the electronics inside.

A data centre can lose service without anything catching fire and without a single direct strike on the building. One surge induced on an incoming power or data line is enough to reach the racks and take down internal systems, and the outage that follows hits every user the facility serves. That is why the asset a data centre has to protect is continuity of service, not the structure, and why an IEC 62305 risk assessment for one looks different from an assessment of an ordinary building.

The standard and its method do not change for a data centre; what changes is where the risk sits. The value and the vulnerability are in the electronics, so the failure of internal systems from a strike-induced surge becomes the central concern, the risks tied to loss of service and economic loss carry the weight, and the many lines entering the building become the paths the engineer has to worry about most. This guide explains why data centres are an extreme case, which risks dominate, why internal-system failure leads, how incoming lines drive the result, how the assessment supports uptime expectations, and what makes modelling one different in practice.

What is different

Why a data centre is an extreme case

The same IEC 62305 method applies, but three things about a data centre move the assessment away from the ordinary-building case and put the electronics at the centre of it.

Continuity is the asset. What a data centre cannot afford to lose is service, not the building. A few seconds of interrupted power or a failed switch can stop everything the facility delivers, so the assessment is really about keeping internal systems running, not about the shell around them.
A surge alone can take it down. No direct strike is needed. A nearby strike to the ground or to a service line drives a surge onto the cables that enter the building, and that surge can destroy electronics deep inside without any fire or physical damage to point to afterwards.
Many lines, dense electronics. A facility connected to power feeds and a large number of data and telecom lines, packed with racks across many rooms, has far more surge entry paths and far more to lose than a simple structure. The risk is spread across all of them.
Which risks lead

The frequency of damage and economic loss carry the weight

IEC 62305 produces a risk of loss of human life, R, and a separate frequency of damage, F, for the availability of the internal systems, and it recognises the loss categories L1 to L4 (loss of human life, loss of service to the public, loss of cultural heritage and economic loss). For most occupied buildings the risk R leads, because the worst outcome of a strike is harm to the people inside. A data centre shifts that balance. The buildings are often lightly staffed or unmanned, but they deliver a service that many people and businesses depend on, and an interruption is expensive by the hour.

So the frequency of damage F, the availability of the internal systems, and the economic loss usually carry the most weight in a data centre study. An outage affects every customer the facility serves, and the frequency of damage measures how often a strike would cause it, while the cost of that downtime, lost transactions, broken service-level commitments, recovery work, is the economic loss weighed alongside. The risk of loss of human life R still has to be assessed and still has to pass, because staff and visitors can be present, but it is rarely the figure that decides the protection. This is close to the reverse of a hospital or a crowded public building, where life safety is the whole point, and it changes which loss the assessment is really driving down.

New to how the risk R and the frequency of damage F are built? The IEC 62305-2 risk method sets out how each is assembled from its components, and what is IEC 62305 covers the damage and loss model the risks rest on.

The central concern

Why internal-system failure is the heart of it

The standard groups what a strike can do into three types of damage: injury to people from touch and step voltages (D1), physical damage such as fire or explosion (D2), and the failure of electrical and electronic systems caused by the lightning electromagnetic pulse, or LEMP (D3). In most buildings the first two lead the assessment. In a data centre the value sits in the racks, so D3, the loss of internal systems, is the damage type that carries the risk, and the whole study is shaped around reducing the chance and the consequence of that failure.

LEMP is the mechanism. A strike radiates an electromagnetic field that induces surges on the wiring inside the building, and a surge arriving over an incoming line travels straight toward the equipment. Servers, switches and storage fail at low surge levels, far below what a strike can induce, so the protection of internal systems is not a refinement here. It is where the risk is won or lost.

This is where the assessment credits the protection measures. Coordinated surge protective devices on the incoming lines clamp the surge in stages before it reaches the equipment. A thorough equipotential bonding network stops dangerous voltage differences from building up between racks, cabinets and the building steel. Shielding of the most sensitive cable routes and rooms reduces how much of the field couples onto the wiring in the first place. And a lightning protection zone (LPZ) scheme divides the building into zones that step the surge environment down as you move inward, so the racks sit in the most protected zone of all. Part 4 of the standard sets out exactly how these measures work together against LEMP, and the risk method gives the engineer credit for them by lowering the probability of internal-system damage.

For how the surge protective devices are graded and coordinated, see SPD types under IEC 62305, and for the zone scheme itself see lightning protection zones (LPZ).

The entry paths

Incoming lines are how the surge gets in

A data centre is one of the most heavily connected buildings there is. Beyond its power feeds it takes in a large number of data and telecom lines, often from more than one provider and over more than one route for redundancy. Every one of those connections is a path a strike-induced surge can travel along into the facility, which is why the lines, rather than the roof, are usually where the assessment finds most of the risk.

Two properties of each line drive its contribution. The length of a line sets how much of the surrounding ground a strike near it can couple into the cable, so a long external run collects more than a short one. The routing, whether the line runs overhead or buried, screened or unscreened, alongside other services or alone, changes how much of a nearby strike actually reaches the building. Together these set the line-related risk components, and on a facility with many long connected lines those components often outweigh the risk from a direct strike on the structure itself.

This is the part of the IEC 62305 method that a single occupied building rarely stresses and that a data centre stresses hard, much as a telecom site does for the lines feeding its equipment shelter. Getting the count, the lengths and the routing of the connected lines right, and the SPDs that protect each entry, is what decides the answer for this kind of facility.

Protection

The measures that move the result

For a data centre the protection that matters is mostly about keeping surges away from the electronics. The assessment decides which measures a facility needs and where, so the spend lands on the entries and zones that carry the risk.

Coordinated SPDs on every entry. Surge protective devices on the incoming power and data lines, sized for the chosen protection level and coordinated so each stage hands the surge down to the next. With so many lines entering, this is usually the single most effective set of measures, because the lines are where the surge arrives.
A thorough bonding network. An equipotential bonding system tying the racks, cabinets, cable trays and building steel together gives a surge a common reference and stops the voltage differences that destroy equipment. Without solid bonding the SPDs have nothing dependable to clamp against.
Shielding and a zone scheme. Screening sensitive cable routes and rooms, and dividing the building into lightning protection zones that step the surge environment down inward, reduces what ever reaches the racks before any device has to clamp it. The most sensitive equipment sits in the most protected zone.
Protection that fits the risk. The assessment decides which measures a given facility actually needs, so a critical entry is not left under-protected while a low-risk one is over-specified. The numbers, not a blanket rule, place the protection where the risk is.
Resilience

How the assessment supports uptime expectations

Data centres are built and sold on availability. Uptime tiers and the redundancy behind them, duplicated power paths, backup generation, redundant cooling, exist to keep service running through a fault. Lightning is one of the threats to that availability, and it is one the redundant mechanical and electrical design does not fully answer, because an induced surge can reach equipment on more than one power path at once.

An IEC 62305 assessment supports the availability target by putting a number on it. It estimates how often a strike-related event could cause an outage and shows that the surge protection, bonding, shielding and zoning bring that frequency below an acceptable level. It does not replace the redundant power and cooling that uptime tiers are built on, and it is not the same exercise as a tier certification. What it gives is the recognised evidence that the lightning threat to continuity has been assessed on the numbers and controlled, rather than left as an assumption that the building is probably fine.

In practice

What makes modelling a data centre different

Four features of a real facility push the model away from the simple single-box case and have to be reflected for the answer to hold up.

A large footprint. A big building over a wide plot has a large collection area, so it gathers more strikes near and on it over a year than a compact structure. The geometry of the building feeds straight into how often a dangerous event is expected.
Rooftop plant. Chillers, dry coolers and other mechanical plant on the roof are exposed equipment in their own right, with their own cabling running back into the building, and the assessment has to account for that exposure rather than treating the roof as bare.
Dense internal systems. The value and the vulnerability are concentrated in racks across many rooms, so the loss tied to internal-system failure is high and the protection of those systems carries most of the assessment.
Many connected lines. Power feeds plus a large number of data and telecom lines mean the risk is spread across many entries, and each has to be modelled with its own length and routing rather than rolled into one figure.
How Lumex handles it

A data centre, modelled to the clause

Lumex models a data centre as a structure with its zones, its incoming power and data lines and its protection measures, then runs the IEC 62305-2 method across them. It shows how coordinated SPDs, bonding, shielding and the zone scheme bring the risk of internal-system loss below the tolerable level, and it lets an engineer add lines, adjust their lengths and routing, and see the line-related risk move, which is exactly the part of the picture a heavily connected facility lives or dies on. Every figure traces back to the clause behind it, so an operator, auditor or insurer can follow the reasoning rather than take a single number on trust.

New to the standard? Start with what is IEC 62305, then see the Lumex platform for how a facility is assessed end to end.

Get started today

Assess a data centre to the
clause, and file it the same day

Contact our team