background image

6.2

Triple Modular Redundancy

Controllers, power supplies, networks, and I/O are physically separate, which is the origin of the term triple modular
redundancy (TMR) that is often used when describing the control system. Triple redundancy controls offer a higher degree of
fault tolerance than dual redundant controls. The primary advantages are the ability to ride-through a soft (partial) failure of a
controller, network, or I/O component with an unexpected failure mode, and the ability to identify the origin of the fault with
greater precision.

Since triple redundant controls are applied in a wide variety of applications, the I/O is flexible and can be implemented with
single, dual, or triple sensors that are connected to one or multiple I/O modules. Obviously, triple redundant sensors are more
fault tolerant than dual redundant or single sensors, but there is also a tradeoff between the cost of redundant sensors and the
historical reliability of a particular sensor type for a specific application. Identical application software in each controller read
sensor inputs, and diagnostics compares the data. Discrepancies are reported as system / process alarms.

Each sensor can be transmitted in parallel to the three IONETs (fanned) or transmitted individually. Fanned inputs are
transmitted on the IONET with three I/O packs on the I/O module. Therefore, a failure of an I/O pack does not inhibit any
controller from seeing all of the sensors. In addition, any disagreement between the data values for the same sensor in the
three controllers is identified as an internal diagnostic fault. Non-fanned inputs have less electronics (lower MTBF) but also
less diagnostic precision, because there is only one I/O pack per sensor. Since the precision of the diagnostics impacts the
MTTR, it also impacts the availability of the control system and the process.

The Mark VIe is also available as a SIL-3 capable safety controller, Mark VIeS, in simplex, dual, and triple redundant
configurations. Both systems share common architectures, configuration and diagnostic software tools, and can share input
data from I/O modules on a common IONET to simplify operations and maintenance. When sharing I/O, the controllers from
the Mark VIe and Mark VIeS can read inputs from all I/O modules, but write outputs only to their own I/O modules.

Sensor A

+24Vdc

Sensor B

+24Vdc

Sensor C

+24Vdc

Analog – Median select

Contacts – Logical vote

Disagreement diagnostics

Can be mixed with dual  & 

simplex inputs

+24Vdc

Wetting Voltage Redundancy

Fanned Inputs to Three Controllers

(Each sensor is seen by all 3 controllers even if an I /O Pack fails )

Instruction Guide

GEI-100728A

11

Public Information

Summary of Contents for Mark VIe

Page 1: ...nt contains non sensitive information approved for public disclosure GE may have patents or pending patent applications covering subject matter in this document The furnishing of this document does no...

Page 2: ...Controller 7 5 I O Network Redundancy 7 6 I O Redundancy 8 6 1 Dual Redundancy 8 6 2 Triple Modular Redundancy 11 7 Tripping Reliability 15 8 Digital Bus Reliability 17 8 1 FOUNDATION Fieldbus 17 8 2...

Page 3: ...ting the process Field components for example sensors actuators and wiring cause over half of forced outages Therefore redundancy of field components is an important consideration in the overall contr...

Page 4: ...one component is out voted by the other two In the case of three lube oil pressure switches the protective system performs a simple logical vote with no need to predict in advance a probable failure m...

Page 5: ...ing Blocks Controller 3 IONET Ports 2 Control Network Ports 1 COM Port IONET Switch I O Module I O Pack Local Processor Data Acquisition Terminal Block Typical Mark VIe Architecture Instruction Guide...

Page 6: ...ther the controllers are redundant or non redundant But they can be supplied in redundant pairs too if required Additional redundancy options are available Internal Power Converters Create 28V dc for...

Page 7: ...board rack or mounted inside the rack with communication on the backplane The I O network consists of active electronics at both ends and multiple failure modes so its redundancy is just as important...

Page 8: ...at the I O pack level Therefore replacement of I O has minimal impact on monitoring and control of the overall control system An extension of this is to add a third sensor whose value can be voted in...

Page 9: ...ovides recovery data 4 Receives external commands 5 Creates process alarms Data outputs from dual redundant controllers are normally implemented with each controller sending its signal to its switch a...

Page 10: ...ollers IONET switches and Ethernet ports on a common I O pack which controls a relay driver and a relay Level 2 also provides dual redundant controllers and IONET switches but extends the redundancy t...

Page 11: ...ed or transmitted individually Fanned inputs are transmitted on the IONET with three I O packs on the I O module Therefore a failure of an I O pack does not inhibit any controller from seeing all of t...

Page 12: ...les 3 Less IONET switches Non critical data that is being used for non essential monitoring is usually implemented without redundancy Redundant and non redundant I O coexists in most control systems T...

Page 13: ...nt sharing circuit Analog Voting occurs with a3 coil servo Extended Voting at Field Device Example 3 Coil Servo Valve Actuator Typical nuclear configuration Valve Regulator Valve Ref Valve Regulator V...

Page 14: ...Requirements for no single point failures must be evaluated on a case by case basis to determine the best way to approach this from the system level The preceding figure displays a variation of outpu...

Page 15: ...responding I O control protect and monitor the turbine Primary protection includes a full set of all trip functions and backup protection includes a small subset of the protection functions to backup...

Page 16: ...control valves and de energize the trip solenoids from the primary side Another example the backup protection monitors communications from each controller so it can be configured to initiate a trip o...

Page 17: ...the designated controller and a secondary controller Therefore the primary linking device is the one connected to the primary controller Less common are applications with a single controller and redun...

Page 18: ...al Controllers Supplies Switches Simplex Non redundant Dual with Redundant I O Full Triple Redundant Dual Redundant Triple Relative Contributions to Reliability and MTBFO Adding redundancy to the elec...

Page 19: ...Public Information...

Reviews: