Minimizing risks and securing economic benefits with clear testing strategies

By Dominik Rockenfeld, Project Planning at Prior1, and Herbert Kirchbeck, gVEFK for Prior1

Risk assessment (RA) for data centers saves lives and ensures operations. Clear responsibilities, optimized inspection intervals, and targeted protective measures significantly reduce the risk of personal injury. At the same time, downtime risks are reduced, costly shutdowns are avoided, and insurance conditions may be improved. Those who approach their GBU professionally not only fulfill their legal obligations, but also gain measurable operational safety and economic added value.

Many operators of data centers and server rooms underestimate a key risk: if there is no up-to-date, professional risk assessment, the management or, in the case of public authorities, the heads of departments are liable in the event of an emergency. The obligation is clearly regulated: Section 5 of the Occupational Safety and Health Act (ArbSchG) and the Industrial Safety Regulation (BetrSichV) require a risk assessment for every workplace – including in the IT sector – regardless of the size of the company. All relevant hazards must be assessed, from the structural design and the technology used to the qualifications of the personnel (1).

This is particularly challenging in data centers, where highly complex electrical systems, fire protection systems, and special operating equipment come together. Anyone who is unable to perform these tasks themselves must assign them to a “responsible electrical specialist” (VEFK) in accordance with DIN VDE 1000-10. This person prepares the risk assessments, sets inspection intervals, defines protective measures, and ensures regular training. They work independently and can be held personally liable in the event of violations (2), but this does not release the management from overall responsibility.

However, many companies do not have a VEFK. In practice, this leads to risk assessments being incomplete, outdated, or non-existent, with corresponding safety and liability risks.

From electricity to extinguishing gas: Typical sources of danger in the server room

Data centers are highly dense technical environments. They consist of electrical systems, emergency power generators, UPS systems, air conditioning, leak monitoring, fire alarm and extinguishing systems, access controls, and video surveillance. This infrastructure harbors a variety of sources of danger, which are systematically recorded and evaluated in a server room risk assessment. The aim is to derive specific protective measures that ensure both personal safety and operational safety.

Electrical hazards

The primary risks include electric shock and arc flashes. Arc flash events can cause serious injuries and fires due to thermal radiation and contact with hot substances (3).

In data centers, classic residual current circuit breakers (RCCBs) are not used due to the high availability requirements. Instead, residual current monitoring systems (RCMs) are used – provided that this is ensured by a risk assessment in accordance with standards. RCM systems can detect and report fault currents, but cannot automatically switch off. This allows for a controlled response to faults, but requires that only persons with electrical training enter these rooms and evaluate RCM data. In addition, all commissioning and repair work must be carried out or supervised by a qualified electrician.

The risk is further increased in confined server rooms, where limited freedom of movement and a conductive environment promote electrical accidents (3).

Thermal hazards

High rack densities and inadequate cooling can lead to dangerous overheating, which endangers both the technology and personnel.

Fire and hazardous material risks

The use of extinguishing gases, flammable refrigerants, or lithium-ion batteries poses a significant risk of fire and, depending on the substance, also of explosion.

Mechanical hazards

Moving parts of UPS systems, air conditioning units, and battery systems can cause injuries if they are not adequately secured or maintained.

The risk assessment for the server room identifies these sources of danger and derives protective measures to ensure personal safety and operational reliability.

A systematic approach to a secure IT environment

When Prior1 is commissioned to carry out a risk assessment for the IT area, the process begins with a kick-off workshop. During this workshop, objectives are set, all relevant systems and processes are recorded, and responsibilities are clearly assigned, from power supply and cooling to security systems and organizational processes such as shift work or the use of external service providers.

On this basis, the responsible electrician assesses the risks using a risk matrix or methods such as FMEA (Failure Mode and Effects Analysis) or FMECA (Failure Mode, Effects, and Criticality Analysis). This results in specific inspection intervals and protective measures: from daily visual inspections and monthly functional tests to annual inspections in accordance with VDE 0105-100 or VdS guidelines. The inspections and their intervals, both metrological and visual, are defined in the GBU. DGUV and VDE provide the following recommendations as guidance: Portable equipment such as computers, cables, or coffee machines should be inspected every 24 months if the error rate exceeds two percent per year. Fixed electrical installations may be operated for a maximum of four years without inspection (4). Significantly shorter intervals are required in the case of increased use. These guidelines can be extended or reduced by the GBU within the framework of legal requirements.

Typical protective measures specified within the framework of a GBU include, for example:

• Installation of additional fire protection sensors or gas warning systems.
• Optimization of cooling and adjustment of air flow in high-density racks.
• Implementation of clear access regulations for electrically sensitive areas.
• Retrofitting of leakage monitoring systems.
• Training employees in safe behavior when fire extinguishing systems are triggered.
• Adjusting or supplementing UPS and emergency power concepts.
• Introducing a structured testing and maintenance plan.

All tests are carried out by a qualified electrician and, if necessary, supported by trained personnel. The test intervals determined within the GBU are also evaluated during the GBU test. Companies have the choice of implementing the recommended protective measures and tests with their own personnel or outsourcing these tasks to service providers. Smaller companies in particular often do not have their own electrician and benefit from having this responsibility taken on externally.

From costs to benefits: Why risk assessment pays off – and protects people

A risk assessment is not an additional bureaucratic burden; it is a preventive investment in personal safety and the systemic resilience of the company. It reduces the liability risks for management and the authorities. Secondly, it is an effective protection against the enormous financial consequences of failures, which can quickly run into six or even seven figures in data centers.

In its “Annual Outage Analysis 2024” (5), the Uptime Institute showed how serious the financial consequences can be: 54 percent reported that their last significant outage cost more than $100,000; for 16 percent, the damage was even more than $1 million. Four out of five respondents are convinced that these outages could have been avoided with better management, clear processes, and optimized configuration. An international study conducted by the ITIC Institute in 2024 underscores this dimension: 93 percent of large companies estimate the cost of one hour of IT downtime at over $300,000, 48 percent at more than $1 million, and 23 percent at over $5 million. (6) In practice, companies often achieve a return on investment (ROI) for a professional risk assessment after preventing just one outage lasting several hours. Even a single outage lasting several hours can therefore justify the investment in a thorough risk assessment many times over. Even if no outage occurs, the risk assessment usually pays for itself within a few years through a comprehensive testing and maintenance concept.

A systematic GBU lays the foundation for preventive maintenance and more resilient structures. It reduces the risk of personal injury and downtime and minimizes follow-up costs. It can also improve insurance terms and prevent contractual penalties for SLA violations.

Vision for the future: AI, sustainability, and new technologies

Changes in the IT industry are placing new demands on risk assessment in the IT sector. Higher rack densities, edge computing locations, and liquid cooling increase complexity and require adapted inspection cycles. Sustainability is becoming a strategic issue: the Energy Efficiency Act and the EU NIS2 Directive require operators to be more transparent and robust. Sensors, IoT systems, and AI-supported analysis help to identify risks early on and optimize inspection cycles, but they do not replace the responsibility of the electrician. An international comparison shows that German rules are strict and the level of safety is high, but inspections are rare. This makes a vibrant safety culture all the more important. Investments in reliability, fire protection, hazardous materials, and other protective measures pay off in lower downtime costs and greater confidence.

Conclusion: Greater safety and economic benefits

Risk assessments are both a legal requirement and a strategic tool for data centers and server rooms. A well-founded risk assessment of server rooms in accordance with the ArbSchG and BetrSichV creates transparency about sources of danger, defines protective measures, ensures personal safety, and increases operational safety. A responsible electrician takes over the technical management and relieves the burden on the management. Regular inspections in accordance with DGUV V3 and clear inspection intervals ensure that defects are detected in good time. The economic argument is strong: high downtime costs, strict service levels, and increasing complexity make preventive safety strategies indispensable. Even one avoided failure amortizes the investment. Those who view risk assessment as an investment protect people, ensure reliability, and strengthen competitiveness.