Chapter 2 System Architecture



Introduction
This chapter defines the architecture of the Mark VI turbine control system,
including the system components, the three communication networks, and the
various levels of redundancy that are possible. It also discusses system reliability and
availability, and third-party connectivity to plant distributed control systems.

System Components
The following sections define the main subsystems making up the Mark VI control
system. These include the controllers, I/O packs or modules, terminal boards, power
distribution, cabinets, networks, operator interfaces, and the protection module.

Control Cabinet
The control cabinet contains either a single (simplex) Mark VI control module or
three TMR control modules. These are linked to their remote I/O by a single or triple
high speed I/O network called IONet, and are linked to the Unit Data Highway
(UDH) by their controller Ethernet port. Local or remote I/O is possible. The control
cabinet requires 120/240 V ac and/or 125 V dc power. This is converted to 125 V dc
to supply the modules.

I/O Cabinet
The I/O cabinet contains either single or triple interface modules. These are linked to
the controllers by IONet, and to the terminal boards by dedicated cables. The
terminal boards are in the I/O cabinet close to the interface modules. Power
requirements are 120/240 V ac and/or 125 V dc power.

GEH-6421N Mark VI Control System Guide Volume I Chapter 2 System Architecture 2-1
Unit Data Highway (UDH)
The UDH connects the Mark VI control panels with the human machine interface
(HMI) or HMI/Data Server. The network media is unshielded twisted pair or fiber-
optic Ethernet. Redundant cable operation is optional and, if supplied, unit operation
continues even if one cable is faulted. Dual cable networks still comprise one logical
network. Similar to the plant data highway (PDH), the UDH can have redundant,
separately powered network switches, and fiber-optic communication.

Single mode cable (SMF) is now approved for the Mark VI UDH system. The
advantage of SMF over multi-mode cable (MMF) is that the cables can be longer
because the signal attenuation per foot is less.

UDH command data is replicated to all three controllers. This data is read by the
master communication controller board (VCMI) and transmitted to the other
controllers. Only the UDH communicator transmits UDH data (refer to the section,
UDH Communicator).

Note The UDH network supports the Ethernet Global Data (EGD) protocol for
communication with other Mark VIs, HRSG, Exciter, Static Starter, and Balance of
Plant (BOP) control.

[Figure: Typical Mark VI Integrated Control System. Enterprise Layer: router to
optional customer network. Supervisory Layer: HMI viewers and field support on
the redundant Plant Data Highway, with HMI servers linking it to the Control
Layer. Control Layer: redundant Unit Data Highway serving the gas turbine, steam
turbine, and generator equipment (Mark VI control, TMR Mark VI control, Mark VI
generator protection, 90-70 PLC for BOP on a Genius bus, and the exciter). The
Mark VI controls connect to their I/O boards over IONet.]

Human-Machine Interface (HMI)
Typical HMIs are computers running the Windows® operating system with
communication drivers for the data highways, and CIMPLICITY® operator display
software. The operator initiates commands from the real-time graphic displays, and
views real-time turbine data and alarms on the CIMPLICITY graphic displays.
Detailed I/O diagnostics and system configuration are available using the toolbox
software. An HMI can be configured as a server or viewer, containing tools and
utility programs.

An HMI can be linked to one data highway, or redundant network interface boards
can be used to link the HMI to both data highways for greater reliability. The HMI
can be cabinet, control console, or table-mounted.

Servers

CIMPLICITY servers collect data on the UDH and use the PDH to communicate
with viewers. Multiple servers can be used to provide redundancy.

Note Redundant data servers are optional, and if supplied, communication with the
viewers continues even if one server fails.

Control Operator Interface (COI)


The COI consists of a set of product and application specific operator displays
running on a small panel computer (10.4 or 12.1 inch touch screen) hosting an
embedded Windows operating system. The COI is used where the full capability of a
CIMPLICITY HMI is not required. The embedded Windows operating system uses
only the components of the operating system required for a specific application. This
results in all the power and development advantages of a Windows operating system
in a much smaller footprint. Development, installation or modification of requisition
content requires the toolbox. For details, refer to the appropriate toolbox
documentation.

The COI can be installed in many different configurations, depending on the product
line and specific requisition requirements. The only cabling requirements are for
power and for the Ethernet connection to the UDH. Network communication is
through the integrated auto-sensing 10/100BaseT Ethernet connection. Expansion
possibilities for the computer are limited, although it does support connection of
external devices through floppy disk drives (FDD), intelligent drive electronics
(IDE), and universal serial bus (USB) connections.

The COI can be directly connected to the Mark VI or Excitation Control System, or
it can be connected through an EGD Ethernet switch. A redundant topology is
available when the controller is ordered with a second Ethernet port.

Interface Features

EGD pages transmitted by the controller are used to drive numeric data displays. The
refresh rate depends on the rate at which the controller transmits the pages, and the
rate at which the COI refreshes the fields. Both are set at configuration time in the
toolbox.

The COI uses a touch screen, and no keyboard or mouse is provided. The color of
pushbuttons is driven by state feedback conditions. To change the state or condition,
press the button. The color of the button changes if the command is accepted and the
change implemented by the controller.

Touching an input numeric field on the COI touch screen displays a numeric keypad
for entering the desired number.

An Alarm Window is provided and an alarm is selected by touching it. Then
Acknowledge, Silence, Lock, or Unlock the alarm by pressing the corresponding
button. Multiple alarms can be selected by dragging through the alarm list. Pressing
the button then applies to all selected alarms.

Link to Distributed Control System (DCS)


External communication links are available to communicate with the plant DCS. A
serial communication link, using Modbus protocol (RTU binary), can be supplied
from an HMI or from a gateway controller. This allows the DCS operator access to
real time Mark VI data, and provides for discrete and analog commands to be passed
to the Mark VI control. In addition, an Ethernet link from the HMI supports periodic
data messages at rates consistent with operator response, plus sequence of events
(SOE) messages with data time tagged at a 1 ms resolution.
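
The serial link above lets the DCS pass discrete and analog commands to the control, so write requests on it are worth auditing. The following is an added example, not code from the guide or from GE: it validates Modbus RTU request frames and flags writes outside an allowlist. The unit id, register ranges, and sample frames are constructed assumptions.

```python
import struct

# Standard Modbus function codes, grouped by whether they change state.
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}
WRITE_SINGLE = {0x05, 0x06}
WRITE_MULTI = {0x0F, 0x10}

# Hypothetical site policy (not from the guide): for each unit id, the
# address ranges the DCS is permitted to write.
WRITE_ALLOWLIST = {1: [range(100, 110)]}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def with_crc(body: bytes) -> bytes:
    """Append the CRC low byte first, as RTU framing requires."""
    return body + struct.pack("<H", crc16_modbus(body))


def parse_request(frame: bytes) -> dict:
    """Check the CRC of one RTU request and pull out the audited fields."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body = frame[:-2]
    (crc,) = struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    req = {"unit": body[0], "func": body[1], "kind": "unknown"}
    if body[1] not in READ_FUNCS | WRITE_SINGLE | WRITE_MULTI:
        return req
    if len(body) < 6:
        raise ValueError("request truncated")
    address, value = struct.unpack(">HH", body[2:6])
    if body[1] in READ_FUNCS:
        req.update(kind="read", address=address, count=value)
    elif body[1] in WRITE_SINGLE:
        req.update(kind="write", address=address, count=1)
    else:
        # Multi-writes carry a quantity, a byte count, then the data bytes.
        if value < 1 or len(body) < 7 or len(body) != 7 + body[6]:
            raise ValueError("malformed multiple-write request")
        req.update(kind="write", address=address, count=value)
    return req


def audit(frame: bytes) -> str:
    """Classify one frame: reject it, allow it, or raise an alert."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return f"REJECT: {exc}"
    if req["kind"] == "read":
        return "OK: read"
    if req["kind"] == "unknown":
        return f"ALERT: unexpected function 0x{req['func']:02X}"
    first = req["address"]
    last = first + req["count"] - 1
    for allowed in WRITE_ALLOWLIST.get(req["unit"], []):
        if first in allowed and last in allowed:
            return "OK: write within allowlist"
    return f"ALERT: write to {first}-{last} outside allowlist"


# Constructed sample frames (not captured from a real system).
SAMPLE_READ = bytes.fromhex("01030000000ac5cd")            # read 10 registers
SAMPLE_WRITE_OK = with_crc(bytes.fromhex("0106006403e8"))  # write register 100
SAMPLE_WRITE_BAD = with_crc(
    bytes.fromhex("011000c800020400010002"))               # write 200-201
SAMPLE_CORRUPT = (SAMPLE_WRITE_OK[:5]
                  + bytes([SAMPLE_WRITE_OK[5] ^ 0x01])     # one flipped bit
                  + SAMPLE_WRITE_OK[6:])

if __name__ == "__main__":
    for frame in (SAMPLE_READ, SAMPLE_WRITE_OK, SAMPLE_WRITE_BAD, SAMPLE_CORRUPT):
        print(frame.hex(), "->", audit(frame))
```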

Plant Data Highway (PDH)


The optional PDH connects the CIMPLICITY HMI/data server with remote operator
stations, printers, historians, and other customer computers. It does not connect
directly to the Mark VI control. The media is UTP or fiber-optic Ethernet running at
10/100 Mbps, using the TCP/IP protocol. Redundant cables are required by some
systems, but these form part of one single logical network. The hardware consists of
two redundant Ethernet switches with optional fiber-optic outputs for longer
distances, such as to the central control room. On smaller systems, the PDH and the
UDH may physically be the same network, as long as there is no peer-to-peer control
on the UDH.
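
The layering described here (the PDH does not connect directly to the Mark VI control, and the HMI servers sit between the two highways) can be checked against an asset inventory and flow records. The following is an added example, not part of the guide: it assumes the PDH and UDH are separate networks, and every subnet, host name, role, and flow in it is constructed.

```python
import ipaddress

# Constructed addressing plan (assumption): the guide gives no subnets.
UDH = ipaddress.ip_network("192.168.101.0/24")
PDH = ipaddress.ip_network("192.168.201.0/24")

# Constructed inventory: host name -> (role, interface addresses).
INVENTORY = {
    "mkvi-r":    ("controller", ["192.168.101.11"]),
    "mkvi-s":    ("controller", ["192.168.101.12"]),
    "hmisvr1":   ("hmi_server", ["192.168.101.50", "192.168.201.50"]),
    "viewer1":   ("hmi_viewer", ["192.168.201.60"]),
    "historian": ("historian",  ["192.168.201.70", "192.168.101.70"]),
}

# Constructed flow records: (source address, destination address).
FLOWS = [
    ("192.168.101.50", "192.168.101.11"),  # HMI server to controller on the UDH
    ("192.168.201.60", "192.168.201.50"),  # viewer to HMI server on the PDH
    ("192.168.201.60", "192.168.101.11"),  # viewer routed straight to a controller
    ("10.20.0.5", "192.168.101.12"),       # enterprise host to a controller
    ("10.20.0.5", "192.168.201.70"),       # enterprise host to the historian
]


def zone_of(address: str) -> str:
    """Map an address to the highway it belongs to."""
    ip = ipaddress.ip_address(address)
    if ip in UDH:
        return "UDH"
    if ip in PDH:
        return "PDH"
    return "OUTSIDE"


def host_of(address: str, inventory: dict) -> str:
    """Resolve an address to an inventory host name, if known."""
    for name, (_role, addresses) in inventory.items():
        if address in addresses:
            return name
    return "unknown"


def bridging_hosts(inventory: dict) -> list:
    """Hosts on both highways whose role is not HMI server."""
    found = []
    for name, (role, addresses) in inventory.items():
        zones = {zone_of(a) for a in addresses}
        if {"UDH", "PDH"} <= zones and role != "hmi_server":
            found.append(name)
    return found


def crossing_flows(flows: list, inventory: dict) -> list:
    """Flows with exactly one endpoint on the UDH, i.e. routed into it."""
    found = []
    for src, dst in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone == "UDH") != (dst_zone == "UDH"):
            found.append((host_of(src, inventory), host_of(dst, inventory),
                          f"{src_zone}->{dst_zone}"))
    return found


if __name__ == "__main__":
    print("unexpected dual-homed hosts:", bridging_hosts(INVENTORY))
    for finding in crossing_flows(FLOWS, INVENTORY):
        print("flow crosses UDH boundary:", finding)
```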

Operator Console
The turbine control console is a modular design, which can be expanded from two
monitors, with space for one operator, to four monitors, with space for three
operators. Printers can be table-mounted, or on pedestals under the counter. The full
size console is 5507.04 mm (18 ft 0 13/16 in) long, and 2233.6 mm (7 ft 3 15/16 in)
wide. The center section, with space for two monitors and a phone/printer bay, is a
small console 1828.8 mm (6 ft) wide.

EX2100 Exciter
The excitation control system supplies dc power to the field of the synchronous
generator. The exciter controls the generator ac terminal voltage and/or the reactive
volt-amperes by means of the field current.

The exciter is supplied in NEMA 1 freestanding floor-mounted indoor type metal
cabinets. The cabinet lineup consists of several cabinets bolted together.

Generator Protection
The generator protection system is mounted in a single, indoor, freestanding cabinet.
The enclosure is NEMA 1, and weighs 2500 lbs. The generator panel interfaces to
the Mark VI control with hard-wired I/O, and has an optional Modbus interface to
the HMI.

Static Starter Control System


The static starter control system is used to start a gas turbine by running the
generator as a starting motor. The static starter system is integrated into the control
system along with the excitation control system. The control supplies the run, torque,
and speed setpoint signals to the static starter, which operates in a closed loop control
mode to supply variable frequency power to the generator stator. The excitation
control system is controlled by the static starter to regulate the field current during
startup.

The control cabinet contains an Innovation Series controller in a Versa Module
Eurocard (VME) control rack. The controller provides the Ethernet link to the UDH
and the HMI, and communication ports for field control I/O and Modbus. The field
control I/O are used for temperature inputs and diagnostic variables.

The static starter cabinet is a ventilated NEMA 1 free-standing enclosure made of
12-gauge sheet steel on a rigid steel frame designed for indoor mounting.

Control Module
The control module is available as an integrated control and I/O module, or as a
stand-alone control module only. The integrated control and I/O rack can be either a
21-slot or 13-slot VME size. The 13-slot rack can accommodate all the boards for
control of a small turbine. The backplane has P1 and P2 connectors for the VME
boards. The P1 connectors communicate data across the backplane, and the P2
connectors communicate data between the board and DC-37 pin J3 and J4
connectors located directly beneath each board. Cables run from the J3 and J4
connectors to the terminal boards.

There can be one control module (simplex) or three TMR control modules. Each of
these configurations supports remote I/O over IONet. The simplex control modules
can be configured to support up to three independent parallel IONet systems for
higher I/O throughput. Multiple communication boards may be used in a control
module to increase the IONet throughput.

The following figure shows a 21-slot rack with a three-IONet VCMI communication
board, and a UCVx controller. The UCVx must go in slot 2. The remaining slots are
filled with I/O boards.

[Figure: Control Module with Control, Communication, and I/O Boards. Labels:
21-slot VME chassis; VCMI communication board with one or three IONet ports;
UCVx controller (slot 2) with UDH port; I/O processor boards; fan; power supply;
connectors for cables to terminal boards (J3 & J4).]

Note: This rack is for the UCVx controller; connectors J302 and J402 are not
present. UCVB and UCVD controllers can be used in this rack.

The I/O racks and the I/O processor boards are shielded to control EMI/RFI
emissions. This shielding also protects the processor boards against interference from
external sources.

Do not plug the UCVx controller into any rack that has
J302 and J402 connectors.

The stand-alone controller module is a VME rack with the UCVx controller board,
VCMI communication board, and VDSK interface board as shown in the following
figure. This version is for remote I/O systems. The rack is powered by an integrated
power supply.

VDSK supplies 24 V dc to the cooling fan mounted under the rack, and monitors the
Power Distribution Module (PDM) through the 37-pin connector on the front. The
VDSK board is ribbon-cabled in the back to the VCMI to transmit the PDM
diagnostics.

[Figure: Rack with Controller, VCMI, and VDSK (No I/O Boards). Labels: VCMI
communication board with three IONet ports (VCMI with one IONet is for simplex
systems); controller UCVx; interface board VDSK; VME rack; power supply; cooling
fan behind panel; fan 24 V dc power.]

Interface Module
The interface module houses the I/O boards remote from the control module. The
rack, shown in the following figure, is similar to the control module VME rack, but
without the controller, interface board VDSK, and cooling fan. Each I/O board
occupies one or two slots in the module and has a backplane connection to a pair of
DC-37 pin connectors mounted on an apron beneath the VME rack. Cables run from
the connectors to the terminal boards. Most I/O boards can be removed, with power
removed, and replaced without disconnecting any signal or power cable.

Communication with the module is through a VCMI communication board with a
single IONet port, located in the left slot. The module backplane contains a plug
wired to slot 1, which is read by the communication board to obtain the identity of
the module on the IONet.

[Figure: Interface Module with VCMI and I/O Boards. Labels: 21-slot VME chassis;
VCMI communication board with one IONet port; IONet link to control module; I/O
processor boards; power supply; J3 & J4 connectors for cables to terminal boards.]

Note: Slot 2 cannot be used for an I/O processor board; it is reserved for a
controller board.

Controller
The controller is a single-slot VME board, housing a high-speed processor, DRAM,
flash memory, cache, an Ethernet port, and two serial RS-232C ports. It must always
be inserted in slot 2 of an I/O rack designed to accommodate it. These racks can be
identified by the fact that there are no J3 and J4 connectors under slot 2. The
controller provides communication with the UDH through the Ethernet port, and
supports a low-level diagnostic monitor on the COM1 serial port. The base software
includes appropriate portions of the existing Turbine Block Library of control
functions for the steam, gas, and Land-Marine aero-derivative (LM) products. The
controller can run its program at up to 100 Hz (10 ms frame rate), depending on the
size of the system configuration.

External data is transferred to/from the controller over the VME bus by the VCMI
communication board. In a simplex system, the data consists of the process I/O from
the I/O boards, and in a TMR system, it consists of voted I/O. Refer to GEH-6421,
Volume II.

[Figure: Typical Mark VI Controller (UCVx), UCVx Controller Front Cabinet. Board
shown: UCVE H2A. Labels: status LEDs (VMEbus SYSFAIL, flash activity, power
status); monitor port (SVGA) for GE use; keyboard/mouse port (M/K) for GE use;
COM1 RS-232C port for initial controller setup; COM2 RS-232C port for serial
communication (COM 1:2); Ethernet status LEDs (active, link); Ethernet port (LAN)
for Unit Data Highway communication; RST; PCMIP mezzanine.]

Notice: To connect batteries, user to set jumper E8 to pins 7-8 ("IN") and
jumper E10 to ("IN").

VCMI Communication Board
The VCMI board in the control and interface module communicates internally to the
I/O boards in its rack, and to the other VCMI boards through the IONet. There are
two versions, one with one Ethernet IONet port for simplex systems, and the other
with three Ethernet ports for TMR systems. Simplex systems have one control
module connected to one or more interface modules using a single cable. The VCMI
with three separate IONet ports is used in TMR systems for communication with the
three I/O channels Rx, Sx, and Tx, and with the two other control modules. This is
shown in the following figure.

Software Implemented Fault Tolerance (SIFT) voting is implemented in the VCMI
board. Input data from each of the IONet connections is voted in each of the R, S,
and T VCMI boards. The results are passed to the control signal database in the
controllers (labeled UCVx in the diagram) through the backplane VME bus.

[Figure: VCMI Boards providing I/O Communication and I/O Voting. Control Module
R0 holds a VCMI board with three IONet ports, the UCVX controller, and I/O
boards. IONet - R runs to Interface Module R1 (VCMI board with one IONet port,
and I/O boards) and on to other interface modules and the protection module.
IONet - S and IONet - T run to other control, interface, and protection modules.]

In TMR mode, the VCMI voter in the control module is always the master of the
IONet and also provides the IONet clock. Time-synchronous messages from the time
source on the UDH are sent to the controllers and then to the VCMIs. All input data
from a single rack is sent in one or more IONet packets (approximately 1500 bytes
per packet maximum). The VCMI in the control module broadcasts all data for all
remote racks in one packet, and each VCMI in the remote rack extracts the
appropriate data from the packet.

IONet
The IONet connection on the VCMI is a BNC for 10Base2 Ethernet. The interface
circuit is high impedance, which allows T tap connections with a 50 Ω terminal at
the first and last node. The cabling distances are restricted to 185 meters (607 ft)
per segment with up to eight nodes, using RG-58C/U or equivalent cable.

The Link Layer protocol is IEEE 802.3 standard Ethernet. The application layer
protocol uses Asynchronous Device Language (ADL) messaging with special
adaptations for the input/output handling and the state exchanges.

The VCMI board acts as IONet master and polls the remote interface module for
data. The VCMI master broadcasts a command to all slave stations on a single IONet
causing them to respond with their message in a consecutive manner. To avoid
collisions on the media, each station is told how long to delay before attempting to
transmit. Using this master/slave mechanism, and running at 10 Mb/s, the IONet is
capable of transmitting a 1000 byte packet every millisecond (8 MHz bit rate).

Note IONet supports control operation at up to 100 times per second.

In a multiple module or multiple cabinet system, powering down one module of a
channel does not disrupt IONet communication between other modules within that
channel. If one IONet stops communicating, the I/O boards in that channel time
out and the outputs go to a safe state. This state does not affect TMR system
operation. If two IONets stop, the I/O boards in both channels go to a safe state that
results in a turbine trip, if the turbine was generating.
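
The SIFT voting described under VCMI Communication Board and the channel-loss behaviour above can be modelled in a few lines; this is an added illustration, not GE's SIFT implementation. Median selection for analog values, the tolerance, the "de-energized is safe" convention, the dissent limit, and the sample readings are all assumptions made for the example.

```python
from statistics import median

CHANNELS = ("R", "S", "T")
SAFE = False        # assumption: the safe state is "output de-energized"
DISSENT_LIMIT = 3   # hypothetical: outvoted frames in a row before alarming


def vote_logic(values: dict):
    """Two-out-of-three vote on booleans: (voted value, outvoted channels)."""
    voted = sum(bool(values[ch]) for ch in CHANNELS) >= 2
    return voted, [ch for ch in CHANNELS if bool(values[ch]) != voted]


def vote_analog(values: dict, tolerance: float):
    """Median select: (voted value, channels further than tolerance away)."""
    voted = median(values[ch] for ch in CHANNELS)
    return voted, [ch for ch in CHANNELS if abs(values[ch] - voted) > tolerance]


def voted_output(command: bool, ionet_alive: dict):
    """Output side: a channel whose IONet timed out drives SAFE instead."""
    driven = {ch: (command if ionet_alive[ch] else SAFE) for ch in CHANNELS}
    return vote_logic(driven)


class DissentMonitor:
    """Counts consecutive frames in which each channel was outvoted.

    Voting masks a bad channel, so the disagreement itself has to be
    surfaced or the system silently runs with no remaining margin.
    """

    def __init__(self, limit: int = DISSENT_LIMIT):
        self.limit = limit
        self.streak = {ch: 0 for ch in CHANNELS}

    def update(self, outvoted: list) -> list:
        """Feed one frame's outvoted channels; return channels to alarm."""
        for ch in CHANNELS:
            self.streak[ch] = self.streak[ch] + 1 if ch in outvoted else 0
        return [ch for ch in CHANNELS if self.streak[ch] >= self.limit]


def run_frames(frames: list, tolerance: float) -> list:
    """Vote a sequence of analog frames; return (voted, alarms) per frame."""
    monitor = DissentMonitor()
    results = []
    for frame in frames:
        voted, outvoted = vote_analog(frame, tolerance)
        results.append((voted, monitor.update(outvoted)))
    return results


# Constructed speed readings (rpm): channel T drifts from the second frame on.
FRAMES = [
    {"R": 3600.0, "S": 3600.5, "T": 3599.5},
    {"R": 3600.0, "S": 3600.5, "T": 3650.0},
    {"R": 3600.5, "S": 3600.0, "T": 3700.0},
    {"R": 3600.0, "S": 3600.5, "T": 3750.0},
]

if __name__ == "__main__":
    alive = {"R": True, "S": False, "T": True}
    print("one IONet lost :", voted_output(True, alive))
    alive["T"] = False
    print("two IONets lost:", voted_output(True, alive))
    for voted, alarms in run_frames(FRAMES, tolerance=5.0):
        print(f"voted speed {voted} rpm, alarm channels {alarms}")
```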

I/O Boards
Most I/O boards are single width VME boards, of similar design and front cabinet,
using the same digital signal processor (TMS320C32).

The central processing unit (CPU) is a high-speed processor designed for digital
filtering and for working with data in IEEE 32-bit floating-point format. The task
scheduler operates at a 1 ms and 5 ms rate to support high-speed analog and discrete
inputs. The I/O boards synchronize their input scan to complete a cycle before being
read by the VCMI board. Contact inputs in the VCCC and VCRC are time stamped
to 1 ms to provide an SOE monitor.

Each I/O board contains the required sensor characteristic library, for example,
thermocouple and resistance temperature device (RTD) linearizations. Bad sensor
data and alarm signal levels, both high and low, are detected and alarmed. The I/O
configuration in the toolbox can be downloaded over the network to change the
program online. This means that I/O boards can accept tune-up commands and data
while running.

Certain I/O boards, such as the servo and turbine board, contain special control
functions in firmware. This allows loops, such as the valve position control, to run
locally instead of in the controller. Using the I/O boards in this way provides fast
response for a number of time-critical functions. Servo loops can be performed in
the servo board at 200 times per second.

Each I/O board sends an identification message (ID packet) to the VCMI when
requested. The packet contains the hardware catalog number of the I/O board, the
hardware revision, the board barcode serial number, the firmware catalog number,
and the firmware version. Also each I/O board identifies the connected terminal
boards through the ID wire in the DC-37 pin cable. This allows each connector on
each terminal board to have a separate identity.

| I/O Processor Board | Terminal Board | I/O Signal Types | No. per I/O Processor Board | Type of Terminal Board | Comments |
|---|---|---|---|---|---|
| VAIC | TBAI (2) | Analog inputs, 0-1 mA, 4-20 mA, voltage | 20 | TMR, simplex | |
| | | Analog outputs, 4-20 mA, 0-200 mA | 4 | | |
| VAOC | TBAO | Analog outputs, 4-20 mA | 16 | TMR, simplex | |
| VCCC and VCRC | TBCI (2) | Contact inputs | 48 | TMR, simplex | (VCCC is two slots) |
| | TRLY (2) | Relay outputs (note 1)* | 24 | TMR, simplex | |
| VCCC | TICI (2) | Point isolated contact inputs (optional) | 48 | TMR, simplex | VCCC-only in place of TBCI. |
| VGEN | TGEN | Analog inputs, 4-20 mA | 4 | TMR, simplex | |
| | | Potential transformers | 2 | | |
| | | Current transformers | 3 | | |
| | TRLY | Relay outputs (optional) | 12 | | for FAS (PLU) |
| VPRO (3) | TPRO | Pulse rate | 3 | TMR | Emergency Protect |
| | | Potential transformers | 2 | | |
| | | Thermocouples | 3 | | |
| | | Analog inputs, 4-20 mA | 3 | | |
| | TREG (2) | Solenoid drivers | 6 | TMR | Gas turbine |
| | | Trip contact inputs | 7 | | |
| | | Emergency stop | 2 | | Hardwire, Trip, Clamp |
| | TREL | Solenoid drivers | 3 | TMR | Large steam |
| | | Trip contact inputs | 7 | | |
| | TRES | Solenoid drivers | 3 | TMR, simplex | Small/medium steam |
| | | Trip contact inputs | 7 | | |
| VPYR | TPYR | Pyrometers (4 analog inputs each) | 2 | TMR, simplex | |
| | | KeyPhasor shaft position sensors | 2 | | |
| VRTD | TRTD, | Resistance Temperature Devices (RTD) | 16 | TMR, simplex | 3 wire |
| VSVO | TSVO (2) | Servo outputs to valve hydraulic servo | 4 | TMR, simplex | Trip, Clamp, Input |
| | | LVDT inputs from valve | 12 | | |
| | | LVDT excitation | 8 | | |
| | | Pulse rate inputs for flow monitoring | 2 | | |
| | | Pulse rate excitation | 2 | | |
| VTCC | TBTC | Thermocouples | 24 | TMR, simplex | |
| VTUR | TTUR | Pulse rate magnetic pickups | 4 | TMR, simplex | |
| | | Potential transformers, gen. and bus | 2 | | |
| | | Shaft current and voltage monitor | 2 | | |
| | | Breaker interface | 1 | | |
| | TRPG | Flame detectors (Geiger Mueller) | 8 | TMR, simplex | Gas turbine |
| | | Solenoid drivers (note 2)* | 3 | | |
| | TRPL | Solenoid drivers | 3 | TMR | Large steam |
| | | Emergency stop | 2 | | |
| | TRPS | Solenoid drivers | 3 | TMR, simplex | Small/med. steam |
| | | Emergency stop | 2 | | |
| VVIB | TVIB (2) | Shaft vibration probes (Bently Nevada) | 16 | TMR, simplex | Buffered using BNC |
| | | Shaft proximity probes (Displacement) | 8 | | |
| | | Shaft proximity reference (KeyPhasor) | 2 | | |

*Note 1: Refer to the table in the section Relay Terminal Boards.

*Note 2: VTURH2 occupies two slots and supports two TRPG boards, with flame
detector support on only the first TRPG.

Terminal Boards
The terminal board provides the customer wiring connection point, and fans out the
signals to three separate DC-37 pin connectors for cables to the R, S, and T I/O
boards. Each type of I/O board has its own special terminal board, some with a
different combination of connectors. For example, one version of the thermocouple
board does not fan out and has only two connectors for cabling to one I/O board. The
other version does fan out and has six connectors for R, S, and T. Since the fan out
circuit is a potential single point failure, the terminal board contains a minimum of
active circuitry limited primarily to filters and protective devices. Power for the
outputs usually comes from the I/O board, but for some relay and solenoid outputs,
separate power plugs are mounted on the terminal board.

[Figure: Typical Terminal Board with Cabling to I/O Boards in VME Rack. A TBAI
terminal board with customer wiring on barrier-type terminal blocks (these can
be unplugged from the board for maintenance), a shield bar, and DC-37 pin
connectors with latching fasteners: JT1 (cable to VME rack T), JS1 (cable to VME
rack S), and JR1 (cable to VME rack R).]

DIN-rail Mounted Terminal Boards

Smaller DIN-rail mounted terminal boards are available for simplex applications.
These low cost, small size simplex control systems are designed for small gas and
steam turbines. IONet is not used since the D-type terminal boards cable directly into
the control chassis to interface with the I/O boards. The types of DIN-rail boards are
shown in the following table.
DIN-Rail Mounted Terminal Boards

| DIN Euro Size Terminal Board | Number of Points | I/O Description | Associated I/O Processor Board |
|---|---|---|---|
| DTTC | 12 | Thermocouple temperature inputs with one cold junction reference | VTCC |
| DRTD | 8 | RTD temperature inputs | VRTD |
| DTAI | 10 | Analog current or voltage inputs with on-board 24 V dc power supply | VAIC |
| | 2 | Analog current outputs, with choice of 20 mA or 200 mA | |
| DTAO | 8 | Analog current outputs, 0-20 mA | VAOC |
| DTCI | 24 | Contact inputs with external 24 V dc excitation | VCRC (or VCCC) |
| DRLY | 12 | Form-C relay outputs, dry contacts, customer-powered | VCRC (or VCCC) |
| DTRT | ------- | Transition board between VTUR and DRLY for solenoid trip functions | VTUR |
| DTUR | 4 | Magnetic (passive) pulse rate pickups for speed and fuel flow measurement | VTUR |
| DSVO | 2 | Servo-valve outputs with choice of coil currents from 10 mA to 120 mA | VSVO |
| | 6 | LVDT valve position sensors with on-board excitation | |
| | 2 | Active pulse rate probes for flow measurement, with 24 V dc excitation provided | |
| DVIB | 8 | Vibration, Position, or Seismic, or Accelerometer, or Velomitor | VVIB |
| | 4 | Position prox probes | |
| | 1 | KeyPhasor (reference) | |
| DSCB | 6 | Serial communication ports supporting RS-232C, RS-422 and RS-485 | VSCA |

Relay Terminal Boards

The following table compares the features offered by the different relay terminal
boards.
Relay Terminal Boards

| Board | Relays | Power Distribution | Feedback | Relay type | Redundancy | Suppression | Terminals |
|---|---|---|---|---|---|---|---|
| DRLYH1A | 12 form C relays; 24 dc @ 10 A; 125 dc @ 0.5 A; 120 ac @ 10 A; 240 ac @ 3 A | none | none | soldered sealed mechanical relays | none, simplex only | No | 72 Euro-box |
| DRLYH1B | 12 form C relays; 24 dc @ 2 A; 125 dc @ 0.5 A; 120 ac @ 1 A; 240 ac @ 0.5 A | none | none | soldered sealed mechanical relays | none, simplex only | No | 72 Euro-box |
| TRLYH1B | 12 form C relays; 24 dc @ 3 A; 125 dc @ 0.6 A; 120/240 ac @ 3 A | 6 fused branches, 1 special unfused | voted coil drive | socketed sealed mechanical relays | Coil drive = voted TMR input or simplex input | MOV | 48 Barrier |
| TRLYH1C | 12 form C relays; 125 dc @ 0.6 A; 120/240 ac @ 3 A | 6 fused branches, 1 special unfused | isolated contact voltage feedback | socketed sealed mechanical relays | Coil drive = voted TMR input or simplex input | MOV & R-C | 48 Barrier |
| TRLYH2C | 12 form C relays; 24 dc @ 3 A | 6 fused branches, 1 special unfused | isolated contact voltage feedback | socketed sealed mechanical relays | Coil drive = voted TMR input or simplex input | MOV & R-C | 48 Barrier |
| TRLYH1D | 6 form A relays; 24 dc @ 3 A; 125 dc @ 0.6 A | 6 fused branches | ohm meter (dc solenoid integrity monitor) | socketed sealed mechanical relays | Coil drive = voted TMR input or simplex input | MOV | 24 Barrier |
| TRLYH1E | 12 form A relays; 120/240 ac @ 6 A | none | isolated contact voltage feedback | soldered solid-state relays | Coil drive = voted TMR input or simplex input | No | 24 Barrier |
| TRLYH2E | 12 form A relays; 24 dc @ 7 A | none | isolated contact voltage feedback | soldered solid-state relays | Coil drive = voted TMR input or simplex input | No | 24 Barrier |
| TRLYH3E | 12 form A relays; 125 dc @ 3 A | none | isolated contact voltage feedback | soldered solid-state relays | Coil drive = voted TMR input or simplex input | No | 24 Barrier |
| TRLYH1F | 12 form A relays | none without WPDF | non-voted coil drive | soldered sealed mechanical relays | Relay contact voting, TMR only | No | 48 Barrier (24 used) |
| TRLYH1F | 12 form A relays | With WPDF, 12 fused outputs | non-voted coil drive | soldered sealed mechanical relays | Relay contact voting, TMR only | No | 48 Barrier |
| TRLYH2F | 12 form B relays | none without WPDF | non-voted coil drive | soldered sealed mechanical relays | Relay contact voting, TMR only | No | 48 Barrier (24 used) |
| TRLYH2F | 12 form B relays | With WPDF, 12 fused outputs | non-voted coil drive | soldered sealed mechanical relays | Relay contact voting, TMR only | No | 48 Barrier |

Trip Terminal Boards

The following table compares the features offered by the different trip terminal
boards.

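| Board | TMR | Simplex | Output Contacts, 125 V dc, 1 A | Output Contacts, 24 V dc, 3 A | ESTOP | Input Contacts Dry 125 V dc | Input Contacts Dry 125 V dc | Economy Resistor |
|---|---|---|---|---|---|---|---|---|
| TRPGH1A* | Yes | No | Yes | No | No | No | No | No |
| TRPGH1B | Yes | No | Yes | Yes | No | No | No | No |
| TRPGH2A* | No | Yes | Yes | No | No | No | No | No |
| TRPGH2B | No | Yes | Yes | Yes | No | No | No | No |
| TREGH1A* | Yes | No | Yes | No | Yes | Yes | No | Yes |
| TREGH1B | Yes | No | Yes | Yes | Yes | Yes | No | Yes |
| TREGH2B | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| TRPLH1A | Yes | No | Yes | Yes | Yes | No | No | No |
| TRELH1A | Yes | No | Yes | Yes | No | Yes | No | No |
| TRELH2A | Yes | No | Yes | Yes | No | No | Yes | No |
| TRPSH1A | Yes | Yes | Yes | Yes | Yes | No | No | No |
| TRESH1A | Yes | Yes | Yes | Yes | No | Yes | No | No |
| TRESH2A | Yes | Yes | Yes | Yes | No | No | Yes | No |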

* These boards will become obsolete

Power Sources
A reliable source of power is provided to the rack power supplies from either a
battery, or from multiple power converters, or from a combination of both. The
multiple power sources are connected as high select in the PDM to provide the
required redundancy.

A balancing resistor network creates a floating dc bus using a single ground
connection. From the 125 V dc, the resistor bridge produces +62.5 V dc (referred to
as P125) and -62.5 V dc (referred to as N125) to supply the system racks and
terminal boards. The PDM has ground fault detection and can tolerate a single
ground fault without losing any performance and without blowing fuses. Since this
fault is alarmed, it can be repaired.

Turbine Protection Module
The Turbine Protection Module (VPRO) and associated terminal boards (TPRO and
TREG) provide an independent emergency overspeed protection for turbines that do
not have a mechanical overspeed bolt. The protection module is separate from the
turbine control, and consists of triple redundant VPRO boards, each with their own
on-board power supply, as shown in the following figure. VPRO controls the trip
solenoids through relay voting circuits on the TREG, TREL, and TRES boards.

[Figure: Turbine Protection Module with Cabling Connections. Three VPRO boards
(VPRO R8, VPRO S8, VPRO T8), each with RUN, FAIL, and STAT indicators, an IONet
connection (IONet R, IONet S, IONet T), connectors with cables to TPRO and to
TREG, a ground connection, and 125 V dc power in.]

The TPRO terminal board provides independent speed pickups to each VPRO, which
processes them at high speed. This high speed reduces the maximum time delay to
calculate a trip and signal the ETR relay driver to 20 ms. In addition to calculating
speed, VPRO calculates acceleration, which is another input to the overspeed logic.

TPRO fans out generator and line voltage inputs to each VPRO where an
independent generator synchronization check is made. Until VPRO closes the K25A
permissive relay on TTUR, generator synchronization cannot occur. For gas turbine
applications, inputs from temperature sensors are brought into the module for
exhaust over temperature protection.

The VPRO boards do not communicate over the VME backplane. Failures on TREG
are detected by VPRO and fed back to the control system over the IONet. Each
VPRO has an IONet communication port equivalent to that of the VCMI.

Operating Systems
All operator stations, communication servers, and engineering workstations use the
Windows operating system. The HMIs and servers run CIMPLICITY software, and
the engineer's workstation runs toolbox software for system configuration.

The I/O system, because of its TMR requirements, uses a proprietary executive
system designed for this special application. This executive is the basis for the
operating system in the VCMI and all of the I/O boards.

The controller uses the QNX® operating system from QNX Software Systems Ltd.
This is a real time POSIX®-compliant operating system ideally suited to high-speed
automation applications such as turbine control and protection.

Levels of Redundancy
The need for higher system reliability has led vendors to develop different systems of
increasing redundancy.

Simplex systems have only one chain, and are the least expensive. Reliability is
average.

TMR systems have a very high reliability, and since the voting software is simple,
the amount of software required is reasonable. Input sensors can be triplicated, if
required.

[Figure: Single and Triple Redundant Systems. Simplex system: a single Input,
Controller, Output chain; reliability (MTBF) average. Triple redundant (TMR) system:
three Input, Controller chains with voting to a single Output; reliability (MTBF)
very high.]

Simplex systems in a typical power plant are used for applications requiring
normal reliability, such as control of auxiliaries and balance of plant (BOP). A single
PLC with local and remote I/O might be used in this application. In a typical Mark
VI, many of the I/O are non-critical and are installed and configured as simplex.
These simplex I/O boards can be mixed with TMR boards in the same interface
module.

Triple Modular Redundant (TMR) control systems, such as Mark VI, are used
for the demanding turbine control and protection application. Here the highest
reliability ensures the minimum plant downtime due to control problems, since the
turbine can continue running even with a failed controller or I/O channel. In a TMR
system, failures are detected and annunciated, and can be repaired online. This
means the turbine protection system can be relied on to be fully operational, if a
turbine problem occurs.

Control and Protection Features


This section describes the fault tolerant features of the TMR part of the control
system. The control system can operate in two different configurations:

• Simplex configuration is for non-redundant applications where system operation
  after a single failure is not a requirement.
• TMR configuration is for applications where the probability of a single failure
  causing a process shutdown has to be taken to an extremely low value.

Triple Modular Redundancy


A TMR system is a special case of N-modular redundancy where N=3. It is based on
redundant modules with input and output voting.

Input signal voting is performed by software using an approach known as Software
Implemented Fault Tolerance (SIFT). Output voting is performed by hardware
circuits that are an integral part of the output terminal boards.

The voting of inputs and outputs provides a high degree of fault masking. When
three signals are voted, the failure of any one signal is masked by the other two good
signals. This is because the voting process selects the median of the three analog
inputs. In the case of discrete inputs, the voting selects the two that agree. In fact, the
fault masking in a TMR system hides the fault so well that special fault detection
functions are included as part of the voting software. Before voting, all input values
are compared to detect any large differences. This value comparison generates a
system diagnostic alarm.

In addition to fault masking, there are many other features designed to prevent fault
propagation or to provide fault isolation. A distributed architecture with dc isolation
provides a high degree of hardware isolation. Restrictions on memory access using
dual-port memories prevent accidental data destruction by adjacent processors.
Isolated power sources prevent a domino effect if a faulty module overloads its
power supply.

TMR Architecture
The TMR control architecture has three duplicate hardware controller modules
labeled R, S, and T. A high-speed network connects each control module with its
associated set of I/O modules, resulting in three independent I/O networks. Each
network is also extended to connect to separate ports on each of the other controllers.
Each of the three controllers has a VCMI communication board with three
independent I/O communication ports to allow each controller to receive data from
all of the I/O modules on all three I/O networks. The three protection modules are
also on the I/O networks.

[Figure: TMR Architecture with Local & Remote I/O, and Protection Module. Control
modules R0, S0, and T0 (each with a VCMI board with three IONet ports, a UCVX
controller, and I/O boards) connect over IONet R, IONet S, and IONet T to interface
modules R1, S1, and T1 (each with a VCMI board with one IONet port and I/O boards)
and to the protection module (VPRO R8, S8, T8). IONet supports multiple remote I/O
racks. Terminal boards are not shown.]

Each of the three controllers is loaded with the same software image, so that there are
three copies of the control program running in parallel. External computers, such as
the HMI operator stations, acquire data from only the designated controller. The
designated controller is determined by a simple algorithm.

A separate protection module provides for very reliable trip operation. The VPRO is
an independent TMR subsystem complete with its own controllers and integral
power supplies. Separate independent sensor inputs and voted trip relay outputs are
used.

[Figure: Typical Cabinet Layout of Mark VI TMR System. The control cabinet holds the
<R>, <S>, and <T> control modules, each with its own power supply, a serial port, an
Ethernet 10Base2 thin coax connection to the redundant Unit Data Highway, and an
IONet link to its interface module (21-slot VME rack) and the terminal boards in the
termination cabinet. Also shown are the protection modules <R8>, <S8>, and <T8>, the
input power converters, the +125 Vdc internal power busses to the power supplies and
terminal boards, the customer-supplied power inputs, and the customer sensor cables.]

TMR Operation
Voting systems require that the input data be voted, and the voted result be available
for use on the next calculation pass. The sequential operations for each pass are
input, vote, calculate, and output. The time interval that is allotted to these operations
is referred to as the frame. The frame is set to a fixed value for a given application so
that the control program operates at a uniform rate.

For SIFT systems, a significant portion of the fault tolerance is implemented in
software. The advantage to this approach is that software does not degrade over time. The
SIFT design requires little more than three identical controllers with some provision
of transferring data between them. All of the data exchange, voting, and output
selection may be performed by software. The exception to the all software approach
is the modification to the hardware output circuitry for hardware voting.

With each controller using the same software, the mode control software in each
controller is synchronizing with, and responding to, an identical copy of itself that is
operating in each of the other controllers. The three programs acting together are
referred to as the distributed executive and coordinate all operations of the controllers
including the sequential operations mentioned above.

There are several different synchronization requirements. Frame synchronization
enables all controllers and associated I/O modules to process the data at the same
time for a given frame. The frame synchronization error is determined at the start of
frame (SOF) and the controllers are required to adjust their internal timing so that all
three controllers reach SOF of the same frame at the same time.

The acceptable error in time of SOF is typically several microseconds in the 10 to 25
Hz control systems that are encountered. Large errors in SOF timing will affect
overall response time of the control since the voter will cause a delay until at least
two controllers have computed the new values. The constraining requirement for
synchronization comes from the need to measure contact SOE times with an
accuracy of 1 ms.

Designated Controller
Although three controllers R, S, and T contain identical hardware and software, some
of the functions performed are individually unique. A single designated controller is
automatically selected to perform the following functions:

• Supply initialization data to the other two controllers at boot-up
• Keep the master time clock
• Calculate the control state data for the cabinet if one of the other controllers
  fails.

The VCMIs determine the designated controller through a process of nomination and
voting based upon local visibility of the IONet and whether a designated controller
currently exists. If all controllers are equal, a priority scheme is used favoring first
R, then S, and then T. If a controller, which was designated, is powered down and
then powered up, the designated controller will move and not come back if all
controllers are equal. This ensures that a toggling designated controller is not
automatically reselected.
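
The selection rule described above can be modelled in a few lines. This is an added example, not code from the guide or from GE: the function names and the use of a count of visible IONets as the "local visibility" measure are assumptions, and the real nomination and voting exchange between the VCMIs is reduced to one deterministic function.

```python
"""Added simplified model of designated-controller selection; not GE code."""

PRIORITY = ("R", "S", "T")  # tie-break order stated in the guide


def select_designated(visibility, current=None):
    """Pick the designated controller for one evaluation round.

    visibility: dict mapping "R"/"S"/"T" to the number of IONets that
        controller's VCMI can see (assumed metric; 0 means powered down).
    current: the controller designated before this round, or None.
    """
    unknown = set(visibility) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown controller(s): {sorted(unknown)}")
    alive = {c: n for c, n in visibility.items() if n > 0}
    if not alive:
        return None
    best = max(alive.values())
    # An existing designated controller keeps the role while no other
    # controller is better placed, so a controller that was powered down
    # and comes back does not reclaim the role.
    if current in alive and alive[current] == best:
        return current
    # Otherwise take the best-placed controllers and break ties R, S, T.
    return next(c for c in PRIORITY if alive.get(c) == best)


def replay(rounds):
    """Run select_designated over successive visibility dicts; return the history."""
    history, current = [], None
    for visibility in rounds:
        current = select_designated(visibility, current)
        history.append(current)
    return history


# Constructed scenario: boot, R powered down, R powered up, S loses two IONets.
SCENARIO = [
    {"R": 3, "S": 3, "T": 3},
    {"R": 0, "S": 3, "T": 3},
    {"R": 3, "S": 3, "T": 3},
    {"R": 3, "S": 1, "T": 3},
]

if __name__ == "__main__":
    print(replay(SCENARIO))
```

In the third round all controllers are equal again, yet the role stays with S, which is the anti-toggling behaviour the text describes.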

UDH Communicator

Controller communication takes place across the UDH. A UDH communicator is a
controller selected to provide the cabinet data to that network. This data includes
both control signals (EGD) and alarms. Each controller has an independent, physical
connection to the UDH. In the event that the UDH fractures and a controller becomes
isolated from its companion controllers, it assumes the role of UDH communicator
for that network fragment. While for one cabinet there can be only one designated
controller, there may be multiple UDH communicators. The designated controller is
always a UDH communicator.

Fault Tolerant EGD

When a controller does not receive expected external EGD data from its UDH
connection (for example, due to a severed network), it will request that the data be
forwarded across the IONet from another UDH communicator. One or more
communicators may supply the data and the requesting controller uses the last data
set received. Only the EGD data used in sequencing by the controllers is forwarded
in this manner.

Output Processing
The system outputs are the portions of the calculated data that have to be transferred
to the external hardware interfaces and then to the various actuators controlling the
process. Most of the outputs from the TMR system are voted in the output hardware,
but the system can also output individual signals in a simplex manner. Output voting
is performed as close to the final control element as possible.

Outputs from the TMR system are normally calculated independently by the three
voting controllers, and each controller sends the output to its associated I/O hardware
(for example, R controller sends to R I/O). The three independent outputs are then
combined into a single output by a voting mechanism. Different signal types require
different methods of establishing the voted value.

The signal outputs from the three controllers fall into three groups:

• Signals exist in only one I/O channel, and are driven as single-ended non-
  redundant outputs
• Signals exist in all three controllers, and are sent as output separately to an
  external voting mechanism
• Signals exist in all three controllers, but are merged into a signal by the output
  hardware

For normal relay outputs, the three signals feed a voting relay driver, which operates
a single relay per signal. For more critical protective signals, the three signals drive
three independent relays with the relay contacts connected in the typical six-contact
voting configuration. The following figure shows two types of output boards.

[Figure: Relay Output Circuits for Protection. Terminal board, relay outputs: I/O
board channels R, S, and T feed a voted relay driver that operates a single relay
coil and its relay output. Terminal board, high reliability relay outputs: I/O board
channels R, S, and T each drive their own relay driver and coil (KR, KS, KT), and the
relay output is formed from the contact pairs KR KS, KS KT, and KT KR.]

For servo outputs as shown in the following figure, the three independent current
signals drive a three-coil servo actuator, which adds them by magnetic flux
summation. Failure of a servo driver is sensed and a deactivating relay contact is
opened.

[Figure: TMR Circuit to Combine Three Analog Currents into a Single Output. The
servo driver D/A outputs of I/O board channels R, S, and T pass through the output
terminal board to three coils on the hydraulic servo valve.]

The following figure shows 4-20 mA signals combined through a 2/3 current sharing
circuit that allows the three signals to be voted to one. This unique circuit ensures
that the total output current is the voted value of the three currents. Failure of a 4-20
mA output is sensed, and a deactivating relay contact is opened.

[Figure: TMR Circuits for Voted 4-20 mA Outputs. The 4-20 mA driver D/A outputs of
I/O board channels R, S, and T, with current feedback, are combined on the output
terminal board into a single output to the load.]

Input Processing
All inputs are available to all three controllers but there are several ways that the
input data is handled. For those input signals that exist in only one I/O module, the
value is used by all three controllers as common input without SIFT-voting as shown
in the following figure. Signals that appear in all three I/O channels may be
application-voted to create a single input value. The triple inputs either may come
from three independent sensors or may be created from a single sensor by hardware
fanning at the terminal board.

A single input can be brought to the three controllers without any voting as shown in
the following figure. This arrangement is used for non-critical, generic I/O, such as
monitoring 4-20 mA inputs, contacts, thermocouples, and RTDs.

[Figure: Single Input to Three Controllers, Not Voted. Signal path: field wiring
(sensor A), terminal board (direct input), and I/O board (signal condition, alarm
limit) in the I/O rack for R, S, or T; then VCMI, IONet, and VCMI (exchange, no vote)
to the control system database in controllers R, S, and T in the control rack.]

One sensor can be fanned to three I/O boards for medium-integrity applications as
shown in the following figure. This configuration is used for sensors with medium-
to-high reliability. Three such circuits are needed for three sensors. Typical inputs
are 4-20 mA inputs, contacts, thermocouples, and RTDs.

[Figure: One Sensor with Fanned Input & Software Voting. Sensor A is fanned at the
terminal board to the R, S, and T I/O boards (signal condition); the prevote values
are exchanged over IONet through the VCMIs, and the voter in each controller (R, S,
T) writes voted (A) to its control system database.]

Three independent sensors can be brought into the controllers without voting to
provide the individual sensor values to the application. Median values can be
selected in the controller, if required. This configuration, shown in the following
figure, is used for special applications only.

[Figure: Three Independent Sensors with Common Input, Not Voted. Sensors A, B, and C
each enter one I/O board (R, S, or T; signal condition, alarm limit) through a common
input terminal board; the values are exchanged over IONet without voting so that each
controller (R, S, T) holds A, B, and C in its control system database, where a median
select block (MSB) can produce Median (A,B,C).]

The following figure shows three sensors, each one fanned and then SIFT-voted.
This arrangement provides a high-reliability system for current and contact inputs,
and temperature sensors.

[Figure: Three Sensors, Each One Fanned and Voted, for Medium to High Reliability
Applications. Sensors A, B, and C are each fanned at the terminal board to the R, S,
and T I/O boards (signal condition, alarm limit); after the prevote exchange over
IONet through the VCMIs, the voter in each controller (R, S, T) supplies voted "A",
voted "B", and voted "C" to the control block in its control system database.]

Speed inputs to high-reliability applications are brought in as dedicated inputs and
then SIFT-voted. The following figure shows the configuration. Inputs such as speed
control and overspeed are not fanned so there is a complete separation of inputs with
no hardware cross-coupling that could propagate a failure. RTDs, thermocouples,
contact inputs, and 4-20 mA signals can also be configured this way.

[Figure: Three Sensors with Dedicated Inputs, Software Voted for High Reliability
Applications. Sensors A, B, and C each have a dedicated input to one I/O board (R, S,
or T; signal condition, alarm limit); after the prevote exchange over IONet through
the VCMIs, the voter in each controller (R, S, T) writes voted (A,B,C) to its control
system database.]

State Exchange
Voting all of the calculated values in the TMR system is unnecessary and not
practical. The actual requirement is to vote the state of the controller database
between calculation frames. Calculated values such as timers, counters, and
integrators are dependent on the value from the previous calculation frame. Logic
signals such as bi-stable relays, momentary logic with seal-in, cross-linked relay
circuits, and feedbacks have a memory retention characteristic. A small section of the
database values is voted each frame.

Median Value Analog Voting
The analog signals are converted to floating point format by the I/O interface boards.
The voting operation occurs in each of the three controller modules (R, S, and T).
Each module receives a copy of the data from the other two channels. For each voted
data point, the module has three values including its own. The median value voter
selects the middle value of the three as the voter output. This is the most likely of the
three values to be closest to the true value. The following figure provides examples.

The disagreement detector (see the section, Disagreement Detector) checks the
signal deviations and sets a diagnostic if they exceed a preconfigured limit, thereby
identifying failed input sensors or channels.

Median Value Voting Examples

Sensor Inputs     Sensor   Median      Sensor   Median      Sensor   Median
                  Input    Selected    Input    Selected    Input    Selected
                  Value    Value       Value    Value       Value    Value
Sensor 1          981                  910                  1020
Sensor 2          985      981         985      978         985      985
Sensor 3          978                  978                  978
Configured TMR    No TMR Diagnostic    TMR Diagnostic       TMR Diagnostic
Deviation = 30                         on Input 1           on Input 1

Median Value Voting Examples with Normal and Bad Inputs

Two Out of Three Logic Voter


Each of the controllers has three copies of the data as described above for the analog
voter. The logical values are stored in the controller database in a format that
requires a byte per logical value. Voting is a simple logic process, which inputs the
three values to find the two values that agree.

The logical data has an auxiliary function called forcing, which allows the operator
to force the logical state to be either true or false and have it remain in that state until
unforced. The logical data is packed in the input tables and the state exchange tables
to reduce the bandwidth requirements. The input cycle involves receive, vote,
unpack, and transfer to the controller database. The transfer to the database must
leave the forced values as they are.

Disagreement Detector
A disagreement detector is provided to continuously scan the pre-vote input data sets
and produce an alarm bit if a disagreement is detected between the three values in a
voted data set. The comparisons are made between the voted value and each of the
three pre-vote values. The delta for each value is compared with a user
programmable limit value. The limit can be set to avoid nuisance alarms but indicate
that one of the pre-vote values has moved out of normal range. Each controller is
required to compare only its pre-vote value with the voted value, for example, R
compares only the R pre-vote value with the voted value.

Failure of one of the three voted input circuits has no effect on the controlled process
since the fault is masked by SIFT. Without a disagreement detector, a failure could
go unnoticed until occurrence of a second failure.
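
The median voter, the two-out-of-three logic voter with forcing, and the disagreement detector fit together as in the following added example, which is not code from the guide or from GE. It replays the three data sets of the Median Value Voting Examples table with the configured deviation of 30; the class and function names are hypothetical, sensor inputs 1, 2, and 3 are assumed to arrive on channels R, S, and T, and rejecting non-finite values is an assumption of this sketch.

```python
"""Added illustration of TMR input voting; not GE code."""
import math
from dataclasses import dataclass, field
from statistics import median

# Assumption: sensor inputs 1, 2, 3 arrive on channels R, S, T respectively.
CHANNELS = ("R", "S", "T")


def _three(values):
    values = tuple(values)
    if len(values) != 3:
        raise ValueError("TMR voting needs exactly three pre-vote values")
    return values


def vote_analog(values):
    """Median value voter: return the middle of the three pre-vote values."""
    values = _three(values)
    # Assumption: non-finite values are rejected, because a NaN would
    # silently corrupt a sort-based median.
    if not all(math.isfinite(v) for v in values):
        raise ValueError("non-finite pre-vote value")
    return median(values)


def vote_logic(values):
    """Two-out-of-three voter: return the state on which two channels agree."""
    return sum(bool(v) for v in _three(values)) >= 2


def disagreement_bits(values, limit):
    """Return (voted, {channel: alarm}) for one voted analog data set.

    Each controller compares only its own pre-vote value with the voted
    value, so the dict holds one alarm bit per controller.
    """
    values = _three(values)
    voted = vote_analog(values)
    bits = {ch: abs(v - voted) > limit for ch, v in zip(CHANNELS, values)}
    return voted, bits


@dataclass
class LogicDatabase:
    """Hypothetical stand-in for the controller database of logical signals."""
    values: dict = field(default_factory=dict)
    forced: set = field(default_factory=set)

    def force(self, name, state):
        self.values[name] = bool(state)
        self.forced.add(name)

    def unforce(self, name):
        self.forced.discard(name)

    def transfer(self, name, prevote):
        """Vote the three pre-vote states; store the result unless forced."""
        voted = vote_logic(prevote)
        if name not in self.forced:
            self.values[name] = voted
        return self.values[name]


# Constructed input: the three data sets from the table, deviation limit 30.
TABLE_EXAMPLES = [(981, 985, 978), (910, 985, 978), (1020, 985, 978)]


def run_table_examples(limit=30):
    """Return [(voted value, [channels in alarm]), ...] for the table data."""
    results = []
    for data_set in TABLE_EXAMPLES:
        voted, bits = disagreement_bits(data_set, limit)
        results.append((voted, [ch for ch, alarm in bits.items() if alarm]))
    return results


if __name__ == "__main__":
    for data_set, (voted, alarms) in zip(TABLE_EXAMPLES, run_table_examples()):
        print(data_set, "-> voted", voted, "alarms", alarms or "none")
    db = LogicDatabase()
    db.force("hypothetical_permissive", True)
    # The forced state survives a unanimous False vote until it is unforced.
    print(db.transfer("hypothetical_permissive", (False, False, False)))
```

In the second and third data sets the voted value stays close to the two healthy inputs, so only the alarm bit reveals that input 1 has drifted; the same masking applies to a forced logical, which is why the set of forced names is worth reviewing on a running unit.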

Forced Variables
The controller has a feature called Forced Variables. This allows the maintenance
technician using toolbox to set analog or logical variables to forced values. Variables
remain at the forced value until unforced. Both compute and input processing respect
forcing. Any applied forcing is preserved through power down or reboot of the
controller.

Logic Forcing is for offline software checkout and troubleshooting and should only
be used in conjunction with proper lockout/tag out procedures. Forcing of protective
functions is never permissible for an operating unit.

Peer I/O
In addition to the data from the I/O modules, there is a class of data coming from
other controllers in other cabinets connected through the UDH network. For
integrated systems, this network provides a data path between multiple turbine
controllers and possibly the controls for the generator, the exciter, or the
HRSG/boiler.

Selected signals from the controller database can be mapped into pages of peer
outputs that are broadcast periodically on the UDH I/O to peer controllers. For TMR
systems, the UDH communicator performs this action using the data from its internal
database. In the event of a redundant UDH network failure, the controller will
request data over the remaining network, the IONet.

Command Action
Commands sent to the TMR control require special processing to ensure that the
three voting controllers perform the requested action at the same time. Typically, the
commanding device is a computer connected to the UDH that sends messages over a
single network so there is no opportunity to vote the commands in each controller.
Commands may be sent from one of several redundant computers at the operator
position(s).

When any TMR controller receives a command message, it synchronizes the
corresponding response of all three controllers by retransmitting the command to its
companions across the IONet and queuing it for action at the start of the next frame.

By default, the HMIs send all commands to the UDH communicator.

Rate of Response
The control system can run selected control programs at the rate of 100 times per
second (10 ms frame rate) for simplex systems and 50 times per second (20 ms frame
rate) for TMR systems.

Failure Handling
The general operating principle on failures is that corrective or default action takes
place in both directions away from the fault. When a fault occurs in the control
hierarchy extending from the terminal mounts through I/O boards, backplanes,
networks, and main CPUs, there is a reaction at the I/O processor. There is also a
reaction at the main controller, if still operating. When faults are detected, health bits
are reset in a hierarchical fashion. If a signal goes bad, the health bit is set false at the
control module level. If a board goes bad, all signals associated with that board,
whether input or output, have the health bits set false. A similar situation exists for
the I/O rack. In addition, there are pre-configured default failure values defined for
all input and output signals so that normal application code may cope with failures
without excessive healthy bit referencing. Healthy bits in TMR systems are voted if
the corresponding signal is TMR.

Loss of Control Module in Simplex System - If a control module fails in a
simplex system, the output boards go to the configured default output state after a
timeout. The loss of the controller board propagates down through the IONet so that
the output board knows what to do. This is accomplished by shutting down the
IONet.

Loss of Control Module in TMR System - If a control module fails in a TMR
system, the TMR outputs and simplex outputs on that channel time out to the
configured default output state. TMR control continues using the other two control
modules.

Loss of I/O VCMI in TMR System - If the VCMI in an interface module in a
TMR system fails, the outputs time out to the configured default output state. The
inputs are set to the configured default state so that resultant outputs, such as UDH,
can be set correctly. Input and output healthy bits are reset. A failure of the VCMI
in Rack 0 is viewed as equivalent to a failure of the control module itself.

Loss of I/O VCMI in Simplex System - If the VCMI in an interface module in a
simplex system fails, the outputs and inputs are handled the same as in a TMR system.

Loss of I/O Board in Simplex System - If an I/O board in a simplex system
fails, hardware on the outputs from the I/O boards sets the outputs to a low power
default value given typical applications. Input boards have the input values set to the
pre-configured default value in the master VCMI board.

Loss of Simplex I/O Board in TMR System - If the failed simplex I/O board is
in a TMR system, the inputs and outputs are handled as described herein, as if they
were in a simplex system.

Loss of TMR I/O Board in TMR System - If a TMR I/O board fails in a TMR
system, inputs and outputs are handled. TMR, SIFT, and hardware output voting
keep the process running.

Loss of IONet in Simplex System - If the IONet fails in a simplex system, the
output boards in the I/O racks time out and set the pre-configured default output
values. The master VCMI board defaults the inputs so that UDH outputs can be
correctly set.

Loss of IONet in TMR System - If the IONet fails in a simplex system, outputs
follow the same sequence as for a Loss of Control Module in simplex. Inputs follow
the same sequence as for Loss of I/O VCMI in TMR.

Turbine Protection
Turbine overspeed protection is available in three levels: control, primary, and
emergency. Control protection comes through closed loop speed control using the
fuel/steam valves. Primary overspeed protection is provided by the controller. The
TTUR terminal board and VTUR I/O board bring in a shaft speed signal to each
controller where they are median selected. If the controller determines a trip
condition, the controller sends the trip signal to the TRPG terminal board through the
VTUR I/O board. The three VTUR outputs are 2/3 voted in three-relay voting
circuits (one for each trip solenoid) and power is removed from the solenoids. The
following figure shows the primary and emergency levels of protection.

[Figure: Primary and Emergency Overspeed Protection. Primary protection: three
magnetic speed pickups (high speed shaft R, S, T) enter the TTUR terminal board,
controllers R, S, and T with VTUR perform software voting, and the TRPG terminal
board performs hardware voting (relays). Emergency protection: three magnetic speed
pickups (high speed shaft R8, S8, T8) enter the TPRO terminal board, VPRO R8, S8, and
T8 feed the TREG terminal board for hardware voting (relays), and a trip signal goes
to the servo terminal board TSVO. Both levels act on the trip solenoids (up to
three).]

Emergency overspeed protection is provided by the independent triple redundant
VPRO protection system. This uses three shaft speed signals from magnetic pickups,
one for each protection module. These are brought into TPRO, a terminal board
dedicated to the protection system. Either the controllers or the protection system can
independently trip the turbine. Each VPRO independently determines when to trip,
and the signals are passed to the TREG terminal board. TREG operates in a similar
way to TRPG, voting the three trip signals in relay circuits and removing power from
the trip solenoids. This system contains no software voting, making the three VPRO
modules completely independent. The only link between VPRO and the other parts
of the control system is the IONet cable, which transmits status information.

Additional protection for simplex systems is provided by the protection module
through the Servo Terminal Board, TSVO. Plug J1 on TREG is wired to plug JD1 on
TSVO, and if this is energized, relay K1 disconnects the servo output current and
applies a bias to force the control valve closed.

Reliability and Availability


System reliability and availability can be calculated using the component failure
rates. These numbers determine whether to use simplex circuits or TMR circuits.
TMR systems have the advantage of online repair discussed in the section, Online
Repair for TMR Systems.

Online Repair for TMR Systems


The high availability of the TMR system is a result of being able to do repair online.
It is possible to shut down single modules for repair and leave the voting trio in full
voting mode operation, which effectively masks the absence of the signals from the
powered down module. However, there are some restrictions and special cases that
require extra attention.

Many signals are reduced to a single customer wire at the terminal boards so removal
of the terminal board requires that the wires be disconnected momentarily. Each type
of terminal board must be evaluated for the application and the signal type involved.
Voltages in excess of 50 V are present in some customer wiring. Terminal boards
that have only signals from one controller channel may be replaced at any time if the
faulty signals are being masked by the voter. For other terminal boards such as the
relay outputs, the individual relays may be replaced without disconnecting the
terminal board.

For those singular signals driven from only one I/O board, there is no redundancy or
masking. These are typically used for non-critical functions such as pump drives,
where loss of the control output simply causes the pump to run continuously.
Application designers must avoid using such singular signals in critical circuits. The
TMR system is designed such that any of the three controllers may send outputs to
the singular signals, keeping the function operational even if the normal sending
controller fails.

Note Before performing an online repair, power down only the module (rack) that
has the fault. Failure to observe this rule may cause an unexpected shutdown of the
process (each module has its own power disconnect or switch). The modules are
labeled such that the diagnostic messages identify the faulty module.

Repair the faulty modules as soon as possible. Although the TMR system will
survive certain multiple faults without a forced outage, a hidden fault problem may
exist after the first unrepaired failure occurs. Multiple faults within the same module
cause no concern for online repair since all faults will be masked by the other voters.
If a second unrelated fault occurs in the same module set, either of the faulty
powered-down modules introduces a dual fault in the same three-signal set. This may
cause a process shutdown.

Reliability
Reliability is represented by the Mean Time Between Forced Outage (MTBFO) of
the control system. The MTBFO is a function of which boards are being used to
control and protect the turbine. The complete system MTBFO depends on the size of
the system, number of simplex boards, and the amount of sensor triplication.

In a simplex system, failure of the controller or I/O communication may cause a
forced outage. Failure of a critical I/O module also causes a forced outage. However,
there are non-critical I/O modules that can fail and be replaced without a shutdown.
The MTBFO is calculated using published failure rates for components.

Availability is the percentage of time the system is operating, taking into account the
time to repair a failure. Availability is calculated as follows:

Availability = MTBFO / (MTBFO + MTTR) x 100%

where:

MTTR is the Mean Time To Repair the system failure causing the forced outage.

With a TMR system, there can be failures without a forced outage because the
system can be repaired while it continues to run. The MTBFO calculation is complex
since it is calculating the probability of a second (critical) failure in another channel
during the time the first failure is being repaired. The time to repair is an important
input to the calculation.

The availability of a well-designed TMR system with timely online repair is
effectively 100%. Possible forced outages can still occur if a second failure of a
critical circuit occurs before the repair is completed. Other possible forced outages
can occur if the repairman erroneously powers down the wrong module.

Note To avoid possible forced outages from powering down the wrong module,
check the diagnostics to identify the modules that contain the failure.

System reliability has been determined by calculating the Failures In Time (FIT)
(failures per 10^9 hours) based on the Bellcore TR-332 Reliability Prediction
Procedure for Electronic Equipment. The Mean Time Between Failures (MTBF) can
be calculated from the FIT.
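
The following added example (not taken from the GE manual) works through the FIT-to-MTBF conversion, the availability formula above, and the effect of repair time on a 2-out-of-3 TMR channel set. The TMR figure uses a textbook Markov model with constant, independent channel failure rates, which is an assumption and not GE's own calculation method; the FIT and repair-time values are constructed.

```python
# Added example (not from the GE manual): availability from FIT data,
# simplex versus 2-out-of-3 TMR with online repair.
# Assumptions: constant, independent channel failure rates; textbook Markov model.

HOURS_PER_FIT_UNIT = 1e9  # FIT = failures per 10^9 hours


def fit_to_mtbf_hours(fit):
    """MTBF in hours from a FIT figure."""
    if fit <= 0:
        raise ValueError("FIT must be positive")
    return HOURS_PER_FIT_UNIT / fit


def availability_percent(mtbfo_hours, mttr_hours):
    """Formula from the text: MTBFO / (MTBFO + MTTR) x 100%."""
    return 100.0 * mtbfo_hours / (mtbfo_hours + mttr_hours)


def tmr_mtbfo_hours(channel_fit, repair_hours=None):
    """Mean time until two of three channels are down at once.

    States: 3 healthy -> (rate 3*lam) -> 2 healthy -> (rate 2*lam) -> outage,
    with repair (rate mu) returning 2 healthy to 3 healthy.
    Closed form: (5*lam + mu) / (6*lam**2). repair_hours=None means the
    first fault is never repaired (mu = 0).
    """
    lam = channel_fit / HOURS_PER_FIT_UNIT
    mu = 0.0 if repair_hours is None else 1.0 / repair_hours
    return (5.0 * lam + mu) / (6.0 * lam ** 2)


def compare(channel_fit, repair_hours):
    """Simplex vs. TMR figures for one critical channel (hours and percent)."""
    simplex = fit_to_mtbf_hours(channel_fit)  # any channel failure forces an outage
    tmr = tmr_mtbfo_hours(channel_fit, repair_hours)
    return {
        "simplex_mtbfo_h": simplex,
        "tmr_mtbfo_h": tmr,
        "tmr_unrepaired_mtbfo_h": tmr_mtbfo_hours(channel_fit, None),
        "simplex_availability_pct": availability_percent(simplex, repair_hours),
        "tmr_availability_pct": availability_percent(tmr, repair_hours),
    }


if __name__ == "__main__":
    # Constructed input: 20,000 FIT per channel (MTBF 50,000 h), 8 h repair.
    for key, value in compare(20_000, 8).items():
        print(f"{key:28s} {value:,.4f}")
```

Under this model, a TMR set whose first fault is never repaired has a shorter mean time to outage than a single channel, which is why the repair time dominates the result.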

Third-Party Connectivity
The Mark VI can be linked to the plant DCS in one of three ways:

- Modbus link from the HMI Server RS-232C port to the DCS
- A high-speed 10 Mbaud Ethernet link using the Modbus over TCP/IP protocol
- A high-speed 10 Mbaud Ethernet link using the TCP/IP protocol with an
  application layer called GEDS Standard Messages (GSM)

The Mark VI can be operated from the plant control room.

GSM supports turbine control commands, Mark VI data and alarms, the alarm
silence function, logical events, and contact input sequence of events records with 1
ms resolution. The following figure shows the three options. Modbus is widely used
to link to the DCS, but Ethernet GSM has the advantage of speed, distance, and
functionality.

[Figure: Optional Communication Links to Third-Party Distributed Control System. Labels: three links to the DCS (Serial Modbus, Ethernet Modbus, Ethernet GSM); UCVx controller; HMI Server Node; Plant Data Highway (PDH); Unit Data Highway (UDH).]
