Meaning of TMR in mARK-Vie system

V

Thread Starter

V GUPTA

We have one MARK-Vie and one MARK-IV system for Gas turbine frame-V. But i am not understand the meaning of TMR in detail and how to relate this application in field instrument of Gas Turbine.
 
I'm not exactly clear about your question, but we'll start the discussion with this.

The main concept behind redundancy in control systems is to provide running reliability. One way to accomplish this is to have multiple controllers, each performing identical decisions about control and protection, so that in the event one of them or one of the control system components of one of the multiple controllers fails that they can be replaced "on-line" without disturbing the process (in this case, producing torque with a GE-design heavy duty gas turbine).

For the purposes of this discussion, I'm making a distinction between the control system (the Mark IV and the Mark VIe in this case) and the field devices and instruments connected to the Mark IV or the Mark VIe (the pressure switches, temperature switches, pressure transmitters, LVDTs, T/Cs, limit switches, solenoids, etc.). Many time there are redundant field devices connected to the control system, and that's done primarily to prevent nuisance trips or to provide redundant feedback signals so that in the event one device or sensor fails the unit can continue to run while it is replaced or repaired. This is different from control system redundancy, and redundant field devices were used to improve running reliability long before redundant control systems were every conceived.

There are many ways to implement redundancy in the control system and GE has seen fit, until recently, to do this with a triple modular redundant (TMR) method. In this method, under normal operating conditions when all the processors are running normally and participating in controlling and protecting the turbine the decisions about what should happen and when are performed with a two-out-of-three "voting" scheme, meaning that two processors must agree that a motor should be running or a solenoid be de-energized before the motor is started or the solenoid de-energized.

In the event that one of the controllers fails or must be shut down to perform a repair or replacement of one of its components, then GE's implementation of TMR usually results in one processor driving the outputs and making the decisions about control and protection (kind of hard to make a decision with only two processors are "voting" if they disagree, so it was decided to pick one of the two remaining processors and use it to control the unit).

When the off-line processor is brought back on line, then the system reverts to two-out-of-three again.

The two-out-of-three (or, 2oo3, or toot) scheme implemented in the Mark IV is very different from that implemented in the Mark VIe. But both systems still provide the redundancy that allows on-line servicing/replacement without shutting the unit down.

One more little distinction, the three-coil servos used for fuel control valves and IGVs on GE-design heavy duty gas turbines are part of the "voting" scheme, since each processor puts out the amount of current it believes is necessary to achieve the desired position or pressure or flow, and then the sum of the torque produced by the three currents is summed (algebraically added) to determine how much oil is ported to the actuator. So this "voting" takes place outside the control system.

I think that's enough to get us started. I'm <b>certain</b> that ProcessValue will have more to add or to clarify or to take exception to or to disagree with based on his experience, but this will suffice for now. If you want more clarification or wish to discuss a particular issue, then write back and let us know.

But the basics of control system redundancy is to allow on-line service and repair without affecting <b>running</b> reliability. In the GE heavy duty gas turbine implementation this does <b>NOT</b> include starting! All the control system components must be "happy" and healthy and communicating in the GE system for a unit start to be initiated. We're only talking about running reliability.
 
TMR stands for Triple Modular Redundant. I don't recall the full explanation of the differences between TMR and the Mark IV implementation of triple redundancy, but some of it is:
In Mark IV, the redundant field sensors were divided up among the 3 control processors (R,S & T). R could only read the inputs assigned to it, likewise for S and T. Therefore, when one of the processors failed, all of its inputs were lost to the system. You could still run on the other 2 processors, but a failure of one input device could now trip the turbine.

In Mark VI and Mark VIe, and I believe on Mark V, all the I/O can be read by all the processors. So all of the processors vote all the redundant input sensors. Now, if one processor fails, the other 2 still vote all the redundant input sensors so a single sensor failure should not result in a trip. The Mark VIe I/O is an even more robust arrangement than the Mark V and Mark VI.
 
P

Process Value

TMR in Mark VI system

i am writing this predominantly to do justice to CSA's unbound confidence in me; in adding to, clarifying, take exception to , disagree with , agree with (yes the last point is happening with frighting regularity in the last few days , what is the control.com coming to) his statements and observations. so after my jab at attempted dry humor lets get back to business.

I have not worked in mark iv systems , and to think of it i have not seen one also. so my explanation here is on the mark vi and also the mark vie control systems.

TMR as the name states is triple modular redundancy. though we normally use the term R S and T processors , R S and T are processing modules. as with every modern control system the processing module contains the following basic parts

a. the processor card - the ucgX range of processor cards
b. the communication card - the VCMI
d. the io cards - VSVO , VVIB , VTCC are all io cards in the mark vi system

each processing module contain one processor card , one communication card and a slew of io cards. this is what is replicated in in the other processor modules. ( note - i am assuming here for the sake of simplicity that there are no simplex cards in the modules) . thus the R S and T are identical processing modules. they together form the TMR system in the mark VI control system.

why should one go for TMR ? especially in turbine controls the answer is as CSA said is to improve the running reliability. i am splitting the reliability into three sections.

a. field input signal reliability
b. Controller module reliability
c. output reliability

the GE systems have different ways to acheive reliability in the above within the mark vi system.

field input reliability - let us suppose that you have one field pressure switch which trips the turbine (fuel pressure low). if it goes faulty even though your system is healthy it trips the turbine. now let us suppose that we have two pressure switches , one goes high indicating a low pressure but the other stubbornly remains in the low position. now which to believe. this is what which led to the two out of three logic for the mission critical field equipments. Now you have three pressure switches , if two goes high then it is believed that a low pressure has indeed occurred in the system ans it trips the turbine. the same is implemented for the analog values also. this is called the median voting. the median value out of the three input analog values is taken as the correct value. this type of reliability has been there for long, even with redundant or simplex processors you can implement field input reliability. but you have to do that in the application code. GE with the TMR system has moved it to the controller firmware. thus saving you the time to write additional logic. ( well at leaset that was the intention , but people still write two out of three logics in application code). this is called SIFT , software implemented fault tolerance in the input level. there are many ways by which you can give the input to the three processor modules. you can give three separate inputs to the three modules ( speed sensors , critical pressure switches etc ) fan one input to the three processors etc ....

controller module reliability - similar to the malfunctioning of the field input , the processor module can malfunction. the malfunction can be in any part , the controller itself , it may be the communication card or the IO card. what happens in a failure is , the signal associated with the io card is taken to its default value. let us suppose that you have power input coming to the io board (VTUR in fact). if all three modules are working then it will be something like this

R - 90.2
S - 90.5
t - 90.7

here 90.5 is the median value and it is taken as the signal io value.

but now the the card in R module has failed. depending on how the io is configured the default value is taken as the input. let us again suppose that the default value is 0. now it will be something like this

R - 0
S - 90.5
t - 90.7

here the median value is still 90.5 and it is taken as the signal value. a diagnostic alarm is raised stating that the voting value difference is high or tha t it is taking default value. but of course we always ignore the diagnostic alarms as long as the machine is running.

the case of a processor or a communication failure is more severe that all the signals from that module will be taken as the default inputs.

output reliability - as SIFT is a norm for the inputs hardware voting is the norm for the outputs. this is done to take the voting as close as possible to the final driver element. in case of a digital output is in the form of hardwired relays in the terminal boards. here also three out of three logic is implemented. for a malfunction to take place , two hardware modules have to get damaged or a software failure in one module and a hardware failure in another. pretty far fetchet right? . an example of hardware voting is of the trip solenoid. three separate inputs from the processors go to individual relays which is passed on to a master aux which will only energize when at least two of the outputs match.

so by including three redundant processor modules , taking input values with SIft and moving the outputs to hardware voting , we enhance the running reliability. thus allowing us to preform online repairs and online maintenance.

one interesting thing in mark vi control system is that the voting is performed in the VCMI rather than in the processor card.

i have taken some liberties here , the implementation of the designated controller and how it affects system reliability and also the user input reliability using redundant EGD and all is not covered here. frankly there is too much to type lol . if you people have mark vi manual 1 please read through it. it has all the information you want.

but of course if certain things are not clear , it happens , GE manuals tend to be ...er ... verbose but slightly difficult to understand for a first time reader. you can always ask here in control.com
 
As you noted, ProcessValue, the nature of the question is pretty vague. We should likely wait for the originator to clarify or ask any further questions before generalizing about many things.

As the original question involved Mark IV and Mark <b>VIe</b>, *NOT* Mark VI, it's going to be necessary to interrupt the frightening regularity of agreement with this news flash.

While some of the same terminal boards are used in Mark VIe, the architecture and make-up of the controllers is VERY different. There are no VME racks with VME cards, like in Mark VI. There is no <P> core.

Not all analog values are chosen by median select; some are high-selected and some are low-selected. It just depends on the safest and most reliable mode, as determined by GE in their infinite wisdom.
 
P

Process Value

Ah so good to back to old fighting days , that too with a news flash ;) .

and this time its my bad, i went to explain mark vi control system instead of mark vie. i do not have extensive experience in mark vie, it is not a popular in india and especially not in refineries, but i have worked in one. the basic TMR concept is the same in the mark vi and mark vie. the architecture is vary though, vastly.

there is virtually no back plane communication in mark vie. the old VME (versa module europa) back plane communication which is a vestige of motorolla 68000 bus scheme is now replaced by full duplex Ethernet communication over ionet. each io card , now communicates to the processor like a remote io in mark vi.

the io cards , are now called general purpose and turbine specific cards and they have a processor module to themselves and communicate through ionet to the main processor and are moved close to the Terminal board.

well , so much about the architecture , but the basic concept of TMR remains the same in mark vie too. mark vie is analogous mark vi in full remote io configuration.
 
Go to TRICONEX Website. If someone knows about TMR (I mean REAL TMR, not fake like GE´s, he is TRICONEX.
 
Wow Margie,

I can't say that I completely love GE but your comment seems somewhat harsh. A good explanation from you of the differences of GE TMR VS other manufacturers would be very welcome. Or at least a description of what you think GE did wrong!
 
Top