MARK-VIe SIL Capability

Marco

Dear CSA,
I would like to know more about the SIL (Safety Integrity Level) capability of a MARK-VIe control system. Unfortunately I've never seen a MKVIe-System in practice so far, but I was told by GE that today they can offer special modules ("I/O packs") and Terminal Boards which meet the requirements regarding the IEC61508 (SIL1/2/3).

Unfortunately this safety discussion is kind of over-estimated throughout Europe (from my point of view) and often leads to the question of how safe a control system really is or let's say: to what level the safety of a control system "officially" was being certified. Do you know about any SIL-certified I/O-Packs? And what about the communication devices and communication protocol of the I/O Net? What about the main processors and the software? Does the MARK-VIe use redundant program processing or some kind of special failure check procedures in the "background" to make selected loops or functions more safe or "SIL-compatible"? If yes, does it require a redundant or TMR configuration? Is it really possible, with a MKVIe, to define Safety-SIL-Loops from the input to the output modules (by certification)?

What is actually today's counterpart of MKVIe to the good old "P-CORE" of the MKV?

I know, a lot of questions, but maybe you can give me one of your famous brief overviews...

I would really appreciate it!

Thanks,

Marco
 
marco,

Flattery will get a lot of things, but not everything.

I have only seen blurry photos of a Mark VIeS "auxiliary" control system on a compressor-drive application in the Middle East.

I called a former colleague, and he told me that there are Mark VIeS controllers (the main microprocessor unit), and Mark VIeS I/O Packs for things like the SPRO and TPRO (some of the "protective" components you referred to) and analog input cards, and contact input cards, and the TTUR (the primary turbine speed and synchronizing card).

And, it's said that it can be used in SIMPLEX, DUAL Redundant, and TMR configurations.

I agree with you 1010%. The "S" in SIL might as well be a "$" ($IL) because it's very expensive.

And, in my personal opinion, it's all a bunch of guessing anyway, because not only is good sound data used in the design of an SIS (Safety Instrumented System), a lot of desires and assumptions are made and used in those calculations with the good, sound data. And, there's nothing that says that certain particular functions must be SIL-rated or not. It's all about territory, when you get right down to it. (I'm talking about the "P" word: Protectionism. There; I said it.)

And it does nothing but over-inflate the cost of a plant, because as I understand the concept it's not just about individual components of a plant or process; it's about the entire plant or process.

And every control system manufacturer is free to manufacture components and systems to meet their interpretation and understanding of the specification (whatever IEC number it is; it should be called EPC whatever). So, there are lots of differences in equipment supposedly built to the same specification. Another wonderful aspect to the whole scheme.

I don't have the GE manuals nor access to them any longer, but perhaps someone here who has electronic copies will offer to email a copy to you if you'll post your email address.

That's about all I could glean from my colleague; it is proprietary stuff, after all.

Hope this helps!
 
Dear CSA,

thanks a lot! Yes it helps (a little bit). At least now I know that the "S"-Components, modules and processors are more than a fairy tale and really do exist, although not to be seen very often on the plants in the world as it seems.

So this one goes out again to the whole control-community! Can anybody support me with some more detailed information or GE-manuals regarding the SIL/SIS-stuff?

What is of special interest for example is if a MARK-VIe Control System can be configured to handle both "normal" and "SIL-rated" signal processing at the same time by just selecting different modules to reach "integrated SIL-protection" and if yes (of course) how is this best done?

Thanks in advance for your help!

Bye,
marco
 
marco,

I'm a little curious because if you were working with GE to develop a control system for a SIS one would think they would be helping to choose the proper components for the desired SIL ratings.

So, why the curiosity about the configuration of a Mark VIe system?

 
Dear CSA,

I'm glad you asked me for this story.
It's all about a planned retrofit of two MARK-V-LM-Control-Systems for LM2500-DLE, mechanical drive application. This MARK-V control-system today makes use of two additional redundant safety-PLCs by SIEMENS (S5) to meet (or better: try to meet) the European and German normative standard and rules for safety. Although the MKV has its own <P>-Core the safety PLC handles all the signals, functions and trips in some way related to "life-protection":

-overspeed GG
-overspeed PT
-discharge high temperature
-discharge high pressure
-emergency-Push-Button
-gas-alarm
-fire-detection
-enclosure ventilation
-ignition time (safe shutdown after 15 sec of ignition sequence)
-hot&cold start conditions
-and even some more

Of course the <P>-Core also handles overspeed-protection, flame-detectors and emergency-push-buttons and the <P>-Core and the other Cores and the safety PLC are all interconnected, exchanging a lot of hardwired signals, "enabling" (not a joke!) the safety PLC to shut-down the engine or not, depending on conditions being calculated in the "non-safety-certified" (I don't like to say "non-safe") main-processor of the standard <R>-Core. The output contacts of the two redundant PLCs are connected in series energizing special safety (SIL-rated) relays in the MCC which are in turn energizing SIL-rated solenoids, which, if de-energized, bring the engine into its safe position (closing fuel gas main valves, opening all vent valves etc.). That's the main concept, explained in a few words, and I really don't like it, because from my point of view, an additional Safety-PLC or SIS, if installed and if really needed (and it is in Europe), should not depend on any other system than itself, just watching the process and its safe limits. The discussion with GE today is, if we still need an additional safety-PLC at all, if we choose to install MKVIe, which seems to have its own SIL-modules to meet certain Safety or SIL-Levels. But regarding the rules and norms it's not about the I/O-modules only. It's all about the whole loop from input to output, including main-processing-unit and the software running on it. So, there were meetings, discussions, minutes-of-meeting, a lot of things to be done, again meetings, some clarifications, list of open points, new minutes of meeting and still things need to be checked and so on and so on. I have seen certificates for certain modules, but not for the whole system. And having said this I would like to say: I'm not the guy who is needing all this SIL-stuff. It's all just because of the European safety standard being printed on "paper of rules".

So I was just wondering if anyone here at control.com could share some experiences or manuals, showing how a MKVIe-System can be configured and certified as *complete* SIL-rated-System from input to output.
 
marco,

I'm really glad you took the time to tell the story.

Isn't this sadly typical?

I contacted my colleague again, and it seems, from his reading of the manual while we were on the phone (both of us on mobiles) that the SIS turbine control system for an application would likely consist of a Mark VIe for the non-SIFs (Safety Instrumented Functions) and a Mark VIeS for the SIFs. Please know that this information was gleaned in the span of just about four minutes.

The safety instrumented functions would be handled by the Mark VIeS, which would likely drive the equivalent of the TREG or whatever is used for the "protective" side of the trip solenoids for aero-derivatives, and the non-SIFs would be handled by the Mark VIe driving the TRPG or whatever is used for the aero-derivatives.

There is a controller for the Mark VIeS that has all the required "lock-down" functions and interfaces with the typical types of I/O (discrete inputs, analog inputs, discrete outputs) via SIL-rated I/O Packs. It has its own "IONET" per what I was told.

And that's about all we had time for.

Now, again, that's all "hearsay" from someone who took some time I don't think he really had to give a quick glance through a couple of the Mark VIeS manuals.

GE has this "proprietary" attitude about the manuals for the Mark VIe and Mark VIeS. No non-GE employee is supposed to get copies of these manuals unless they have signed a non-disclosure agreement or have purchased the equipment. Since I'm not in any of those three groups, I have to rely on what I'm being told, which I don't even know if I should be passing along because, again, it was all verbally passed along in a very short period of time while talking on mobile phones.

But I believe the information is good, without divulging any trade secrets.

Again, it's all about the P word, isn't it.

Actually, SIL-rated Speedtronics are being installed in Australia and other countries that have adopted the IEC SIL "practices" (what is that 61508 and/or 61511?).

Coming soon to a country near you!

So, based on what I believe I heard the Mark VIeS controller would replace the safety PLC, but that's just a SWAG based on hearsay, I have to keep warning you.

I'm of the impression that SIL is not really applicable for retrofits (based on what I've heard because it's really about the entire plant, not just the turbine island) but I would guess it might apply to a retrofit of an existing SIS. When I say it's not applicable for turbine control retrofits I mean it's not to be applied only to a turbine control system unless the entire plant is also being retrofitted to a safety instrumented plant.

I don't even know if I'm using the right terms, and I don't care. I want to stay as far away from this $IL stuff as I can for as long as I can, and I'm not ashamed to say it.

Good luck with the endeavour! But, it really just does go to show everyone who's reading this thread that this whole SIS thing is in its infancy and it's really not well documented or understood and very open to interpretation.

And, it's nearly out of control.
 
CSA,

thanks so much for all your effort trying to give me good advice and writing me those lines. Please forward my thanks also to your nice colleague, who was helping me by helping you.
That's "real networking", isn't it?

I absolutely agree with you that GE is living a very strange philosophy with handing-out (or better say: not-handing-out) their proprietary manuals. Any other control system supplier, if it is Allen&Bradley, SIEMENS, ABB, BECKHOFF or any other, is publishing everything you need to know about their technical solutions by simply&freely sharing all manuals on their websites. And the craziest thing: you can even find everything about micronet and netcon from Woodward. And even more crazy: even if you buy, as a legal customer, a MARK-V control system directly from GE it sometimes takes years(!) to get all the really important manuals and in most cases by desperately asking for it for example on control.com!! Just have a quick look at this thread: http://www.control.com/thread/1258804464#1275339881. I was the one who was first asking for some manuals and then it was like triggering an avalanche.

What is the reason GE is not publishing everything everyone needs to know? I really don't understand...

But anyway, I somehow was expecting that for an integrated safety-system with MKVIe one will have to use at least two processors, one MKVIeS with S-modules connected to it and one MKVIe with non-S modules connected to it and I also believe that in the end we will do it exactly that way. And it's ok for me, as long as we get rid of this additional Safety-PLC.

By the way the IEC 61508 is one of the standards we are also referring to. Beside that one, especially in Germany, we also have to meet those:

DIN EN ISO 13849-1
DIN EN 954-1
DIN EN 12583
DVGW 435
DVGW 497
DIN EN 50156
VDI/VDE 2180

...and they are all about Safety in Process Control at the same time! And most of them of course have more than 100 pages!

So, let us see how the MKVIe-System will manage all these requirements, hoping that the MKVIe will not forget its main task: running the turbine :)

I promise to come back on this thread later to publish all the information I will collect about the MKVIeS and the way we solved this super-safe-retrofit-project here on control.com.

Again, thank you very much!

Best wishes,
marco
 
marco,

Glad to be of help, but I had occasion to talk with another former colleague and he had a slightly different read of the manual (and I don't even know if they were reading the same manual!). I already thanked them both profusely (and they will both call in the favor some day!).

In any case, you should be able to eliminate the Safety-PLC(s) on the unit(s).

And, remember: The G in GE does not stand for Generous, and the S in SIL should be $, so make sure you've got lots o' cash!

To go with the patience you'll have to have through the process of working "with" GE.

As for the manuals, if they were well-written and had useful information along with the proprietary information (and that's even questionable), one might be able to understand them wanting to keep them "protected." But, ... well, we don't need to say anymore, do we.

It's unfortunate they don't have a more open attitude because I maintain they would do a lot to promote their products by being more open, at least with their manuals.

And if wishes were horses, I'd be suffocating in manure.
 
CSA and Marco,

Would you please tell me your contact email address to 'sammsanti at gmail.com'
 
Hey Green_man,

I just want to say thank you for the precious information you provided. Hope that CSA also received his "MARK-VIe-SIL-Info-Package". The documents you sent us gave us a very good first insight into the configuration and programming of a MARKVIeS-Controller.

Regards,
Marco

 