Hi Everyone

I am working in a power plant where GE GTs are used, frame 9E , mark 4 DCS .

I am trying to understand how the voting is done in mark 4 and I hope some one can answer my question.

To explain my point , I am going to give an example:
3 pressure switches are used to measure hydraulic trip oil for each fuel system , for gas fuel trip oil as an example we are using 63HG-1,2,3.

Two of the 3 switches are connected to the 3 controllers <RST>, ( each switch connected to the 3 controllers) through the CIM modules. the third switches connected to core <c>. then from here it is going to <RST> software again .

Inside the 3 controllers software voting is done between the 3 switches the final the result will be calculated by the TOOT logic.
Well ,till here I can understand.

My question is:
After each controller take its decision , where these results are going , I mean how voting is done between the controllers them selfs, because in the drawing this is not clear (in the drawing they mention that if alarm contacts are closed it will go to the alarm display in CRT , but how it is going , how voting is done , S/W or H/W??)
Also another question , why they take one switch o/p to <C> , from <c> how this go again to <RST>?
I know it is very long question , but i just want to explain how far I know to start from that point for time saving .

I wish any body can help>>>>

My Regards

 

The example you have chosen is not a very good one. When the Mark IV was being designed, someone saw fit to put three pressure switches on the trip oil system assuming that one could be connected to <R>, one to <S>, and one to <T>. But, there was no method to do that with the final design of the Mark IV.

But, they didn't change the number of switches. So, that's why two are connected to <Q> (<R>, <S>, and <T>) and one is connected to <C>. The reasoning for doing that is to have two separate paths for the signal(s) to get into the software, one through <Q> and one through <C>. As long as the communication with <C> is good, the sequencing will use the <C> input. If comm's with <C> are lost, the sequencing will not look at that input.

You'll notice that the trip oil pressure switches are the only ones that have three redundant switches for trip indication. (There is gas fuel trip oil and liquid fuel trip oitl.) L.O. header pressure just uses two switches; L.O. header temperature just uses two switches. One is typically connected to <Q>, and one to <C> (that separate path thing again).

This is kind of difficult to explain, but voting in the Mark IV is done at the "output" of each control processor (<R>, <S>, and <T>), with the exception of the exhaust T/Cs for the combustion monitor. There is a "4" relay output for each control processor, and two out of the three "4" relays must be energized for the turbine to run and continue to run.

All three Mark IV control processors make their own determination running identical sequencing. If, for example, <R> thought that the trip oil pressure was okay, and <S> thought it was low enough to trip the turbine, and <T> thought the trip oil pressure was okay, then the 4S relay would be de-energized because it thought the turbine should be tripped because of low trip oil pressure.

But, because 4R and 4T were still energized then the two-out-of-three hardware voting would keep the unit running. There would be a lot of Diagnostic Alarms, and <S> servo outputs would be disabled (because it thinks the turbine should be tripped).

This allowed the turbine to keep running if one processor thought the trip oil pressure was low and the others didn't.

*HOWEVER*, if <T> processor thought that the L.O. header temperature were excessively high and the turbine should be tripped, the 4T relay would drop out, and only 4R would be energized, and the two-out-of-three voting would trip the turbine. *AND* there would no Process Alarm to say why the turbine was tripped!

That's because only one processor (<S>) thought the turbine should be tripped on low trip oil pressure (Process Alarms require two-out-of-three voting to be annunciated) and only one processor (<T>) thought the turbine should be tripped on excessive header temperature. The only Process Alarm that would be annunciated would be 'Loss of Flame Trip'. There would be tons of Diagnostic Alarms as a result of <S>'s thinking the turbine should be tripped and <T>'s thinking the turbine should be tripped, but nobody every pays attention to Diagnostic Alarms, right? Right.

There are several inputs that are not voted and several that are voted in different ways; it's very complicated to explain each and every single one. But, that's the basic idea.

In the Mark IV voting is basically done after the sequencing is executed.

 

dear CSA:
thank u very much about ur replay but still one point not clear to me.

you said that there are 4 relays for each controller and the voting is done between the three (4) ... OK , but actually my question is: the output of these relays connected to where exactly? i mean who is making the voting between them and send the signal of trip. another question, why 4 relays for each processor?

i know that i am asking some silly question, but forgive me, i want to understand the story, because we are going to update our system to mark 6, and i want to know how the voting philosophy will change and what is the differences between the two generations of control?

 

One of the most important sheets of the Mark IV Speedtronic elementary is 04G. The three master protective "4" relays are shown on this drawing, as are the E-stop pushbutton(s) and any other components of the Mark IV hardware (hardwired) trip circuit. This is the Mark IV hardware "two-out-of-three" voting for the protection of the unit.

Two of the three "4" relays must be energized to energize the 4X-1, -2, -3 & -4 relays to get 28 VDC to drive the relay outputs for the protective solenoids on Sh's. 20A, 20B, and 20C.

L4 of <R>'s sequencing drives 4R; L4 of <S>'s sequencing drives 4S; and L4 of <T>'s sequencing drives 4T. That's shown on Sh's. 04F and 04G. When the scan of the sequencing is completed, each control processor makes a determination if it's master protective relay (the "4" relay) should be energized or de-energized.

The fuel trip solenoids (typically 20FG-1, 20FL-1, etc.) are shown on 20B and they also use contacts from the 4X-n relays to allow the 125 VDC to energize the trip solenoids.

In the Mark IV, one control processor could think the unit should be tripped for one particular reason and it's "4" relay would be de-energized. And another control processor could think the turbine should be tripped for an entirely different reason and de-energize it's "4" relay and the unit would be tripped.

Voting is done VERY differently in Mark V, Mark VI, and Mark VIe. These control systems use SIFT, Software Implemented Fault Tolerance. In SIFT, the three control processors all read their inputs, then they broadcast their values of the inputs they just read to the other control processors, and then *each control processor* independently votes the value of the input and then uses the voted value in the execution of the sequencing. It's a very tightly synchronized system. Each sequencing scan begins by reading inputs, broadcasting inputs, voting inputs, executing sequencing, writing to outputs. And, then it starts all over again: read, broadcast, vote, execute, execute, write.

If <R> thought there was low-low L.O. pressure and <S> and <T> thought the L.O. pressure was okay. <R> would say, "I think the L.O. pressure is low-low, but <S> and <T> say it's okay, so I'm going to execute my sequencing as if the L.O. pressure was okay." <S> and <T> each would say, "<R> thinks the L.O. pressure is low-low, but <S> and <T> think it's okay, so we'll execute our sequencing as if it's okay." At least one pesky Diagnostic Alarm would be generated to alert an alert operator or technician to the fact the <R> isn't thinking the L.O. pressure is okay. But nobody pays any attention to Diagnostic Alarms as long as the unit hasn't tripped, right? Right.

With SIFT, two control processors can't trip the turbine for completely different reasons. (At least I've never seen it happen; never say never, right?) Alert and attentive operators and technicians should be investigating Diagnostic Alarms and working to prevent such a condition before it happens. (Though if alert and attentive operators and technicians were investigating Diagnostic Alarms on Mark IVs, the likelihood of two processors tripping the turbine for two completely different reasons should never happen. But, who pays attention to Diagnostic Alarms, anyway. As long as the turbine isn't tripped, who should care? And if the turbine tripped, who goes back and looks at the Diagnostic Alarms? They're just pesky nuisances.)

Mark V, Mark VI, and Mark VIe all have two-out-of-three hardware voting also in their trip solenoid outputs, it's just that the way the determination is made as to whether or not the trip solenoids should be energized or not is done differently than it is done in the Mark IV. There are also two (2) two-out-of-three hardware voting schemes in Mark V, Mark VI, and Mark VIe TMR panels (Primary Trip Relays and Emergency Trip Relays).

Lastly, there are exceptions to every rule and not every input is voted. Most inputs are, some are not. And the definition of why most are and some are not is way beyond explanation in a few sentences or paragraphs.

As an interesting (to some) finish, Mark V, Mark VI, and Mark VIe all have three trip oil pressure switches. Isn't that a hoot! "If it ain't broke, don't fix it." Having a third switch doesn't hurt anything, even if it does increase complexity and cost, and GE is all about cost reduction. Someone would think they would catch on to this sooner or later.

 

thank very much, actually Ur answer is rich and very nice. To be clear with u, i didn't understand 100% ( still beginner), but i feel that i can imagine some thing. Briefly i will say what i have got from your replies, and please correct to me if i am wrong.

For critical signals (voted by 3 controllers), after each processor finish his calculation, he give his answer to his rely (4) to trip or not, voting between the 3 (4) relays is done ( hardware voting) may be in the (RDM)then from here the sequence of the trip will take place.
I know this is not very accurate description, but i mean this is the idea, (before i was thinking that <c> is making the voting between the 3 cores).

Finally thank u dear CSA for Ur help. I wish that in the next subject i can be more familiar with the system...thanks again

 

Glad to be of help. I think you have a good understanding of this basic concept.

One asks questions to learn something. It's not necessary to be knowledgeable in a subject to ask a question.

You say you will be getting Mark VI (or Mark VIe), and they use SIFT which makes sure the voting occurs before the execution of the sequencing (called application code in Mark VI and Mark VIe).

I hope at some point one of the next questions will be about another type of voting, that which occurs in the electro-hydraulic servo-valve.

There's all manner of voting in a Speedtronic turbine control system.