
THE AMERICAN SOCIETY OF MECHANICAL ENGINEERS
345 E. 47 St., New York, N.Y. 10017

The Society shall not be responsible for statements or opinions advanced in papers or in discussion at meetings of the Society or of its Divisions or Sections, or printed in its publications. Discussion is printed only if the paper is published in an ASME Journal. Released for general publication upon presentation. Full credit should be given to ASME, the Technical Division, and the author(s). Papers are available from ASME for nine months after the meeting. Printed in USA.

83-GT-106

THE SPEEDTRONIC MARK IV CONTROL (tm), A DISTRIBUTED FAULT TOLERANT GAS TURBINE CONTROL SYSTEM

D. Johnson
Manager
Electronic Control Development Laboratory
Gas Turbine Division
GENERAL ELECTRIC COMPANY

K. E. Gilbert
Senior Engineer
Electronic Control Development Laboratory
Gas Turbine Division
GENERAL ELECTRIC COMPANY

L. P. Buckley
Senior Engineer
Advanced Systems Design Unit
Drives Systems Dept.
GENERAL ELECTRIC COMPANY

ABSTRACT

Greatly improved availability is the primary design goal of the SPEEDTRONIC Mark IV Gas Turbine control. It achieves this goal by distributing control functions among four microcomputers: three are identical control sections, and the fourth handles communications. Powerful on-line diagnostics indicate which section is faulty, down to the replaceable element. Panel repair is effected with the gas turbine running. Mean time to repair is predicted to be three to four hours. The prediction is that the SPEEDTRONIC Mark IV control will not cause a plant shut down more often than once in ten years. In addition, the system has capacity for redundant sensor inputs, which significantly reduces forced outages caused by faulty sensors. Information on how these results were accomplished is presented in the paper, along with a description of the initial experiences running gas turbines with the new system.

INTRODUCTION-

Microprocessors have been used in General Electric gas turbine controls for several years, starting with the combustion monitor. Today their use includes water injection equipment, logging, condition monitoring, remote control systems, temperature control, and automatic synchronizing. With this experience as a base, an all new microcomputer based control system has been built and now is in the pilot production testing period.

The primary objective of Mark IV SPEEDTRONIC is a tenfold increase in the mean time before a turbine forced outage is caused by the control, which is achieved by distributed microprocessors. When one section of the electronics fails, the turbine continues to run under control of the remaining sections. The failed section is diagnosed, repaired and returned to service while the gas turbine continues to run. In this way the fault tolerance of the system is restored to the original level.

FIGURE 1 - SPEEDTRONIC MKIV (tm) CONTROL PANEL

The SPEEDTRONIC Mark IV control represents a major step forward in industrial controls assuming this projected availability is realized in production. Design restrictions were placed on the manufacturing cost and panel size. It was essential to find a new approach to keeping the manufacturing costs down, since the computing power needed was greatly increased, as compared to a non redundant control. This was accomplished by carefully modularizing the hardware, such that one basic control panel would cover all turbine types and applications. Next, each module was designed for automated manufacture and test. Despite the increase in electronic functions, calculations show that the failure rate should be lower than previous controls. Because of the fault tolerant design, less than one in ten of these failures should cause a forced outage.

Copyright © 1983 by ASME

Downloaded From: https://proceedings.asmedigitalcollection.asme.org/ on 04/07/2018 Terms of Use: http://www.asme.org/about-asme/terms-of-use

The resulting panel, shown in Figure 1, is striking in its difference from previous control panels. The membrane switch and the CRT display serve to simplify the panel front considerably, while bringing more information to the operator.

The biggest engineering challenge was software. Not only must the software accommodate the many different types of controls, it must also be able to diagnose faults while on line and after a repair, reinitialize and recover so that the repaired section can be returned to service without any major shift in the turbine operating point. Thus proper software is the key to accomplishing the primary SPEEDTRONIC Mark IV objective of dramatically improved control availability.

FIGURE 2 - SPEEDTRONIC MK IV ARRANGEMENT

BROAD PRINCIPLE-

Figure 2 shows the basic block diagram of the SPEEDTRONIC Mark IV system. The three control sections R, S, and T, are called <RST>, signifying that they are identical yet completely independent processors. Each of them has inputs and outputs, and each has its own power supply.

The fourth section is called <C> for communicator. It is in communication with <RST> over six independent communication lines. In this way, an energetic failure in one section of <RST> is less likely to cause damage to another control section than if <RST> were allowed to communicate directly with one another. The communicator also interfaces with the operator through the membrane switches and CRT. In the case of remote control, <C> communicates with remote computers.

Critical sensors are distributed among <RST> such that each section has an independent assessment of turbine condition. For example, thirteen exhaust thermocouples are distributed 4 to R, 5 to S, and 4 to T. Each of these sections sends its values to <C>, which calculates the median value and sends it back to <RST>. Thus, under normal conditions, the turbine will be controlled to the median of thirteen thermocouples. If there is some failure, each section of <RST> can make its own independent assessment of how to limit the fuel.

Sensors that are not critical to operation are brought directly into <C>. This avoids extra I/O and processing in <RST>, thus simplifying these computers and making them more reliable. The same reasoning was applied to the major portion of the operator interface, since it is not critical to turbine operation. Should <C> fail, an alpha numeric auxiliary display (described later) is utilized to operate until <C> is repaired.

Outputs from the three sections must be voted; ordinarily 2 out of 3 are required. Critical sequential outputs, such as the command to close the stop valve, are voted by properly connecting the contacts of three independent relays. This is easily accomplished as follows:

1 = RUN    0 = TRIP    * = "AND"    + = "OR"

RUN = {R*S + S*T + T*R}

Some of the less critical outputs are voted in dedicated logic, while others are brought out through <C>.

The signals for continuous control such as modulation of fuel flow are output as a current to a servovalve. The servovalve is designed with three independent coils, and the outputs of <RST> are summed by the ampere turns of the servovalve magnetic circuit. Each of the outputs is limited in magnitude, such that any two signals can override a third. Let's assume that the turbine is on temperature control, and <R> fails such that it drives the maximum current through the fuel servovalve in the direction to increase fuel. The actual fuel to the turbine will increase slightly, causing the temperature to exceed the setpoints in <S> and <T>. These promptly call for a decrease in fuel, and together they are able to override the false signal caused by <R>. On tests performed with computer simulations of turbines, the resulting transient is typically less than 10% of rated fuel.
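The relay vote, the median of thirteen thermocouples and the servovalve override described in this section, as an added example in C that is not part of the paper or of the Mark IV software. The thermocouple readings, the normalized coil limit of 1.0, the gains and the one-line plant model in temp_error_with_r_failed are assumptions chosen for illustration.

```c
/* Added illustration: constructed data, not Mark IV software. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_TC       13    /* exhaust thermocouples: 4 to R, 5 to S, 4 to T */
#define COIL_LIMIT 1.0   /* assumed per-coil current limit, normalized */

/* Constructed readings in deg F; in TC_ONE_BAD one channel reads far too high. */
static const double TC_GOOD[N_TC] = {
    1001, 1003, 1005, 1002,  1004, 1006, 1000, 1008, 1007,  1009, 1010, 1012, 1011 };
static const double TC_ONE_BAD[N_TC] = {
    3000, 1003, 1005, 1002,  1004, 1006, 1000, 1008, 1007,  1009, 1010, 1012, 1011 };

/* Relay contact vote from the paper: RUN = R*S + S*T + T*R, 1 = RUN, 0 = TRIP. */
int vote_run(int r, int s, int t)
{
    return (r && s) || (s && t) || (t && r);
}

static int cmp_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Median of the values collected by <C>; sorts a copy so the input is untouched. */
double median_tc(const double *tc, size_t n)
{
    double tmp[N_TC];
    if (n == 0 || n > N_TC)
        return 0.0;                     /* caller error: nothing to select from */
    memcpy(tmp, tc, n * sizeof tmp[0]);
    qsort(tmp, n, sizeof tmp[0], cmp_double);
    return (n % 2) ? tmp[n / 2] : 0.5 * (tmp[n / 2 - 1] + tmp[n / 2]);
}

/* Each section's servo output is limited in magnitude before it reaches its coil. */
static double clamp_coil(double i)
{
    if (i > COIL_LIMIT)  return COIL_LIMIT;
    if (i < -COIL_LIMIT) return -COIL_LIMIT;
    return i;
}

/* The three coils add as ampere-turns, so two limited outputs can override the third. */
double servo_net(double r, double s, double t)
{
    return clamp_coil(r) + clamp_coil(s) + clamp_coil(t);
}

/* Toy loop: <R> is stuck at maximum "increase fuel", <S> and <T> run proportional
 * temperature control. Returns the temperature error after the given steps. */
double temp_error_with_r_failed(int steps)
{
    const double kp = 2.0;   /* assumed proportional gain of <S> and <T> */
    const double g  = 0.1;   /* assumed fuel change per unit net current per step */
    double err = 0.0;        /* temperature minus setpoint; starts on setpoint */
    for (int k = 0; k < steps; k++) {
        double healthy = -kp * err;              /* over temperature: ask for less fuel */
        double net = servo_net(1e9, healthy, healthy);
        err += g * net;      /* temperature assumed to follow fuel one-for-one */
    }
    return err;              /* settles where the healthy pair cancels <R>: 0.5 / kp */
}

int main(void)
{
    printf("vote(1,1,0)=%d vote(1,0,0)=%d\n", vote_run(1, 1, 0), vote_run(1, 0, 0));
    printf("median good=%.0f, one bad=%.0f\n",
           median_tc(TC_GOOD, N_TC), median_tc(TC_ONE_BAD, N_TC));
    printf("net coil drive with R failed high=%.1f\n", servo_net(1e9, -1.0, -1.0));
    printf("settled temperature error=%.3f\n", temp_error_with_r_failed(200));
    return 0;
}
```

A single bad thermocouple moves the median by at most one rank, and the failed section's drive is bounded by its coil limit, so the excursion stays small and finite in both cases.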

OPERATOR INTERFACE-

The operator interface consists of the control insert and a printer in a roll-out drawer. Figure 3 shows the control insert in more detail.

The industrial grade membrane switch has better reliability than the older dedicated switches with hand wiring. Pushing a pad on the membrane switch "arms" the command and is acknowledged by a flashing LED and a 'beep'. The operator then pushes the "execute" pad which causes the turbine to respond, and turns the LED on steady. If there is more than a 2 second pause after the arm command, the flashing LED goes out and the execute command will be ignored.

FIGURE 3 - OPERATOR INTERFACE

In the upper right corner of the insert is the auxiliary display, which is used during any time that the CRT or the communications computer that drives the CRT is out of service. With this meter and buttons, the condition of the turbine can be monitored, and the load controlled while the <C> section is being repaired.

The normal display on the CRT (Figure 4) adapts itself to the current status of the turbine. For example, during startup, the speed and condition of the starting means is displayed. While at load, the starting means information is deleted since it is of no interest; other things such as load are displayed. The lower left corner of the display is reserved for alarms. The text of the latest 3 alarms appears here, along with the number of acknowledged alarms. The bottom right corner gives the current value of any three parameters that the operator wants to display. Operators consider this a particularly handy feature.

The CRT is very useful in diagnosing problems with the turbine. For example, alarms are not combined together; instead of the 'Vibration Trip or Trouble' used on SPEEDTRONIC Mark II, the SPEEDTRONIC Mark IV message might be as follows:

14JUN82 11:03:33.78 VIBRATION TRANSDUCER FAILURE

There are separate control buttons for silence, acknowledge, clear, and review functions in this alarm management system.

There are many displays giving the values of all the logic, including turbine mounted switches, internal logic, and output relay status. Similarly, the values of all sensors and actuators can be displayed. This detailed information is presented by selecting pages from the display menu. Any display can be copied by the roll out printer by pushing the 'copy' button. Figure 5 shows the display menu, as printed on the printer. Since there are almost 200 pages on the display, only a few can be described here in more detail.

One important feature is that the displays avoid the necessity for people to go inside the SPEEDTRONIC Mark IV panel to make settings and diagnose problems. The vast majority of this work is accomplished from the panel front. That is important from a reliability viewpoint; one bad move inside the old style control can cause the turbine to trip. With SPEEDTRONIC Mark IV, most settings are made by using the 'control constants' display. If the operator wishes to change the value for pre-selected load, he will go to the control constants display and find the proper page. The CRT will label one of the undedicated switches for entering the adjust mode. We call these switches 'soft' switches, for a software identified switch function. Pressing this soft switch will cause the SPEEDTRONIC Mark IV to ask for the password (not everyone should be able to adjust control constants!). After entering the proper number, the operator uses the cursor and the increment or decrement switches to make the adjustment within a limited range. This process may seem complex, but is easy to master in a few minutes. In fact, it is vastly easier than the older method of hooking up digital voltmeters to the proper points with jumper wires, turning pots with a tiny screwdriver, and calculating from volts to engineering units. Another feature of SPEEDTRONIC Mark IV is that the settings are easily recorded using the printer.


FIGURE 5 - DATA DISPLAY MENU

The SPEEDTRONIC Mark IV has a standard option to interface with the Data-Tronic (tm) remote control and condition monitoring system. With the addition of a maintenance computer, these remote controls can give much more comprehensive historical records and analysis of the efficiency trend, condition of the combustion system, trend plots, histograms correlated with hot gas path parts inventory programs, etc.

HARDWARE-

The hardware design of the SPEEDTRONIC Mark IV panel had several objectives. One of these was to have a base design that could accommodate 95% of the customer panel requirements without hardware change other than removing or adding an optional card, module, or cable. This objective was to have the software configuration provide the accommodation to the customer's requirements. While the design was tested against historical requirements and met the test, only time will tell how well we meet the needs of customers' future requirements.

Another objective was to have the panel repairable while running a turbine. Much effort has been expended to achieve a panel arrangement where most of the components can be replaced easily and safely with the panel energized and running a turbine. For this reason, the modules containing most of the active components (which would presumably be most likely to fail) are located on the front doors for ready access.

To achieve easy repairability, it was required to construct the SPEEDTRONIC Mark IV panel from physical modules that could easily be handled by one person. We believe that this goal has been met with the exception of the black start inverter which is being redesigned to SPEEDTRONIC Mark IV standards. Table 1 lists the modules used in the panel.

It was also required to make maximum use of pluggable cables rather than screw terminals for electrical connections, in order to achieve easy repairability. This too has been accomplished, with the result that module replacement in SPEEDTRONIC Mark IV is done very quickly. Another benefit of using cables is that the number of wiring errors in module installation is considerably reduced, thereby giving more reliable repairs. To achieve maximum reliability, all variable wiring modules have been eliminated. Many have been converted to printed wiring backplanes.

Another method of achieving higher reliability is to minimize the number of parts and to use the same parts for different purposes. A microprocessor is ideal for this approach, because it promotes generic hardware with the functionality provided by software. The small set of printed wiring boards or cards is indicative of this, as shown in Table 2.

Operators are particularly fond of the demand display. Here the operator can select up to 64 values to display on two pages from anything in the SPEEDTRONIC Mark IV database. Selection is made directly from the panel front by typing in the signal name using the membrane switch keyboard. If the operator desires, he can have this display automatically printed at regular intervals.

There is a dedicated button on the membrane switch called 'history'. Pushing this button will cause the historical log to be printed. It looks back in time from the most recent shut down (or if the machine is running, from the present time). The frames of data are selected to concentrate information near the time of shut down. Each of the ten frames of data includes turbine speed, turbine speed reference, fuel stroke reference, compressor discharge pressure, all exhaust thermocouple temperatures, and all alarms.


FIGURE 4 - NORMAL DISPLAY


TABLE II

Printed Wiring Boards Used in MK IV Control

 1. HMPF   Micro-computer 8086 based
 2. HXPC   Micro-computer function expander
 3. HRMA   Ram memory-16 KB
 4. HRMB   Ram memory-8 KB-battery backed
 5. HPMA   Prom memory-64 KB
 6. HCMA   Uart communications-RS232-2 channels
 7. HMHA   SDLC communications-RS422-2 channels
 8. HVDB   Video driver-B/W CRT
 9. HIOD   Logic I/O-32 inputs/32 outputs
10. HPRA   Pulse rate/digital-6 inputs
11. HAIA   A/D converter-12 bit- +/- 10 V -channels
12. NTCA   Type K thermocouple input-14 signals
13. NVCA   Vibration (6) and pressure (4) input
14. HSAA   Analog output and servo-valve driver-2 outputs
15. NPSM   DC/DC converter-28/5 volt
16. HSCG   Isolated contact input-125 volt-16 signals
17. HRDB   Relay driver-32 outputs-16 are 2/3 voting
18. HPIB   Operator's panel interface

TABLE I

Modules used in the Mark IV Panel (with their card complements)

1. Power supplies
   PSCB   + 5.00 V - 20.0 A
          +/- 15.00 V - 1.5 A
   PSCC   + 28.00 V - 6.0 A

2. <C> Communicator modules
   HMPB        HVDB
   HXPC        (3) HIDD
   (3) HPMA    (2) HCMA
   (2) HRMA    0-1 HMHA
   HRMB        HAIA
               1-3 NTCA

3. <RST> Controller modules
   HMPF        HAIA
   HXPC        NTCA
   HRMA        NVCA
   HPRA        1-3 HSAA

4. Contact input modules for <C> communicator: HSCG *

5. Contact input modules for <RST> controllers: HSCG * W

6. Relay driver module: HCDB

7. Relay modules (contact outputs)

8. Analog input/output modules *

9. Thermocouple input modules *

10. Operator's input and auxiliary display module: HRIB

11. Operator's primary CRT display module

12. Remote communications isolated driver module *

13. Black start inverter module

*These modules have printed wiring board backplanes not included in Table II.

TESTING-

The SPEEDTRONIC Mark IV hardware production testing is done in 4 phases; components, cards, modules, and panels. In the component test, all integrated circuits are given three screens; temperature cycle, hermetic seal fine and gross leakage, and burn-in. Then the ICs are given a 100% electrical parameter test.

Printed wire boards (cards) are burned in at 155F for 160 hours with the electrical power on, and then given an in circuit test followed by a functional test. If special calibration is required, it is done separately after the testing. The in circuit and functional testing is presently being done on a General Radio GR2270 tester. The tests are fully programmed, giving a high degree of consistency and accuracy.

The modules receive individual tests varying from inspections on simple back-planes to automatic wiring scans on wired back-planes and cables, to full functional testing of power supplies. It is planned to functionally test the total hardware configuration on the <C> communicator and the <RST> controller modules.

The fully assembled panel is given a functional hardware test where all input signals are simulated and all output signals are validated. For completeness, the tests and measurements are made from the customer interfaces. The testing is fully programmed, giving a high degree of confidence in the thoroughness and quality of the tests.

SOFTWARE-

The software design of the SPEEDTRONIC Mark IV presented several challenges. First, each installation of gas turbine control is customized with the particular options and features that the customer requires. This means that the software must be highly modularized and easily modified in those areas that are frequently changed such as start-up and shut-down sequencing. To configure this unique set of software and still meet the high reliability objectives is still another challenge. Third, the fault-tolerant redundant processor design requires a carefully designed communication system which can function properly in the presence of partial failures.

The core of the software design is a robust multi-task operating system which provides the structure in which the specific software modules of a particular installation are included and executed. The operating system incorporates the following major functions:

1) Initializes the hardware and the software data.
2) Schedules tasks periodically.
3) Executes the highest priority task.
4) Manages the interrupts.
5) Provides system service routines.


Sequencer Instructions

LD    Load            ORS   Or String
OR    Or              STO   Store
ANS   And String      ESC   Escape
ANF   And False       TMV   Timer Variable

Two Rung Ladder Diagram Example

[Ladder diagram: two rungs; timer constant KY = 5 SEC]

Interpreter Instructions for the Example

LD A
LD B
OR C
ANS
LD D
ANF F
STO X

LD X
OR G
ESC TMV, KY, TY
STO Y

Initialization is accomplished upon powering up the SPEEDTRONIC Mark IV panel. It includes setting all programmable chips in the module, clearing all RAM memory, and setting all the interrupt vectors.

One of the interrupts is from a real time clock, and this is used to schedule or bid running of most tasks periodically. The frequency can be 32hz, 16hz, 1hz etc.

The operating system will cause the highest priority task that is bid to be executed. The task will continue execution until it:

1) Completes
2) Is interrupted by a hardware interrupt
3) Suspends itself to wait for an event

If interrupted, the task will normally resume upon completion of the interrupt service, unless a higher priority task is bid by the interrupt service routine. If suspended, the task will be dormant until awakened by the operating system after the event occurs. If the task completes, the task is dormant until bid by the real time clock or another task.

The application tasks are organized into an array in priority order, with the highest priority task being first. The major tasks in the SPEEDTRONIC Mark IV system are as follows:

1) Communications, sequencing and control
2) Display
3) Log
4) Diagnostics.

Each of these will be discussed in turn.

The communications, sequencing, and control task accomplishes all major actions relating to the turbine. These are listed below:

1) Read messages from other controllers
2) Read inputs
3) Execute sequencing
4) Execute "continuous" control functions
5) Write outputs
6) Send messages to other controllers

This task is responsible for communicating data from the controllers to the communicator, and commands and data from the communicator to the controllers. In addition, the data from the 3 controllers is voted before being used for display or control purposes. The general pattern is a simple input, process, output that is repeated at an appropriate rate.

The display task responds to the membrane switch pushbuttons pressed by the operator to provide the requested display. The data are read from the data base, scaled into engineering units, and displayed in an appropriate manner on the CRT.

The log task provides an historic data log. Options include an Environmental Protection Agency water injection log, an alarm log, and a demand log of operator selected data at operator selected intervals. As with the display, the data are read from the data base, scaled into engineering units, and output to the printer.

The diagnostic task occupies all of the spare time of the processor. It continuously repeats the on-line diagnostics, and if a fault occurs, it notifies the operator through the diagnostic alarms. These on-line diagnostics are described in greater detail later.

SEQUENTIAL AND TURBINE CONTROL-

The sequencing is accomplished by an interpreter of a relay ladder diagram language. Two typical relay ladder rungs are shown in Figure 6 along with the sequencing and interpreter instructions. The system is quite simple and easily learned; yet it is fully adequate for handling the sequential system required in gas turbine applications. It has the flexibility of easily adapting to additions or changes in sequencing.

FIGURE 6

The turbine control functions are generally fixed for a specific turbine design and application (i.e. MS7001E electric power generation). Frequently, the functions can be applied to differing turbines with only a change in some constants. Because of the fixed nature of these functions, they have been programmed in a high level language, PLM86, but do use utility routines written in assembly language, ASM86, for execution efficiency.

The functions are documented in the software 'elementary' in block diagram style. This is a much clearer documentation to an operator or maintenance man than a software listing, as demonstrated in Figure 7. Here, R, C, and M are typical reference, feedback and manipulated variables. The mathematical operator Z-1 represents a delay of one sample time. The arguments n and n-1 represent sample times, frequently thought of as n=now, n-1=the last time. The arithmetic functions IADD, ISUB, and IMPY are proprietary routines based on PLM86 arithmetic op-codes that do saturation arithmetic. The multiply function IMPY has a third argument that shifts the product in the 32 bit register to improve the significance before truncation to 16 bits.

CONTROL FUNCTION BLOCK DIAGRAM

RELATIONS:  E = R - C
            M(n) = KE + M(n-1)

PLM86:      E = ISUB (R, C)
            M = IADD (M, IMPY(E, K, -1))

FIGURE 7
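Why saturation matters for the integrator M(n) = KE + M(n-1) of Figure 7, as an added example in C; it is not the proprietary IADD, ISUB and IMPY routines, whose internals the paper does not give. The names sat_add16, sat_sub16 and sat_mul16_shift are hypothetical stand-ins, and the shift convention (a negative count scales the 32 bit product down) is an assumption.

```c
/* Added illustration: hypothetical stand-ins for saturating 16 bit arithmetic. */
#include <stdint.h>
#include <stdio.h>

/* Clamp a wide intermediate result into the 16 bit signed range. */
static int16_t sat16(int64_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

/* Keep only the low 16 bits, as plain two's complement arithmetic would. */
static int16_t wrap16(int64_t v)
{
    uint32_t u = (uint32_t)v & 0xFFFFu;
    return (int16_t)(u >= 0x8000u ? (int32_t)u - 0x10000 : (int32_t)u);
}

int16_t sat_add16(int16_t a, int16_t b) { return sat16((int64_t)a + b); }
int16_t sat_sub16(int16_t a, int16_t b) { return sat16((int64_t)a - b); }

/* 16 x 16 -> 32 bit product, scaled, then saturated to 16 bits.
 * Assumed convention: shift > 0 scales up, shift < 0 scales down
 * (division by a power of two, truncating toward zero). */
int16_t sat_mul16_shift(int16_t a, int16_t b, int shift)
{
    int64_t p = (int64_t)a * b;
    if (shift > 15)  shift = 15;
    if (shift < -30) shift = -30;
    if (shift >= 0)
        p *= ((int64_t)1 << shift);
    else
        p /= ((int64_t)1 << -shift);
    return sat16(p);
}

/* One sample of Figure 7: E = R - C, M(n) = K*E + M(n-1), product scaled by -1. */
static int16_t step_saturating(int16_t m, int16_t r, int16_t c, int16_t k)
{
    int16_t e = sat_sub16(r, c);
    return sat_add16(m, sat_mul16_shift(e, k, -1));
}

/* Same relations with wraparound arithmetic, for comparison only. */
static int16_t step_wrapping(int16_t m, int16_t r, int16_t c, int16_t k)
{
    int16_t e  = wrap16((int64_t)r - c);
    int16_t ke = wrap16(((int64_t)e * k) / 2);
    return wrap16((int64_t)m + ke);
}

/* Run the integrator from M = 0 with a constant reference and feedback. */
int16_t run_integrator(int16_t r, int16_t c, int16_t k, int steps, int saturate)
{
    int16_t m = 0;
    for (int n = 0; n < steps; n++)
        m = saturate ? step_saturating(m, r, c, k) : step_wrapping(m, r, c, k);
    return m;
}

int main(void)
{
    /* Constructed case: a sustained error of 1000 counts with K = 20. */
    for (int steps = 1; steps <= 5; steps++)
        printf("n=%d  saturating M=%6d  wrapping M=%6d\n", steps,
               run_integrator(1000, 0, 20, steps, 1),
               run_integrator(1000, 0, 20, steps, 0));
    return 0;
}
```

With a sustained error the saturating integrator pins at full scale, while the wrapping one flips sign on the fourth sample and would command the opposite control action.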

COMPUTER DIAGNOSTICS-

There are three classes of diagnostics in the SPEEDTRONIC Mark IV panel; power-up, on-line, and off-line. The power-up diagnostics consists of:

1) Stall timer test.
2) CPU instruction tests.
3) PROM checksum tests.
4) RAM data and addressing tests.
5) Auxiliary processor self-tests

With these tests successfully passed, there is a high probability that the processor hardware will operate correctly, since the tests include checks of the code and constants via the checksums.

The purpose of the on-line diagnostics is to check the hardware for faults while the panel is running. Specifically, those faults that, because of redundancy, would remain unnoticed, are to be annunciated. The early detection of these failures and their repair will preclude their causing a turbine forced outage at some later time. To avoid interference with normal turbine operation, the diagnostics are executed as the lowest priority task running only during otherwise idle time. The areas of self testing include the following:

1) PROM checksums.
2) Battery backed memory (BRAM) checksums.
3) RAM data tests.
4) Voting of analog signals.
5) Voting of logic signals.
6) Power supply limits.
7) Auxiliary processor errors.
8) <C> to <RST> communication errors.
9) <C> to REMOTE communication errors (optional).
10) Thermocouple channel errors.
11) Analog input/output errors.
12) Idle time limits.

A SPEEDTRONIC Mark IV annunciator drop is reserved to inform the operator of a diagnostic failure. The operator can enter the diagnostic alarm display through a soft switch on the alarm display to find the details of the failure.

Off-line diagnostics consist of a series of operator initiated tests to verify input/output operations. Therefore, most of the off-line diagnostics can be used only when the turbine is not running. The exceptions are the tests on operator inputs and displays. An analog test module is required to implement tests 6 through 10 below. The following input/output areas are tested:

1) Auxiliary display
2) Operator's panel membrane switches
3) Digital I/O cards
4) Contact inputs
5) Relay outputs
6) Pulse rate inputs
7) Vibration inputs
8) Pressure inputs
9) Thermocouple inputs
10) Analog output card

The off-line diagnostics will primarily be used during installation, for preventive maintenance, and after any significant repairs.

FIELD CHANGES-

The purpose of the field change capability is to make the required changes easy and provide appropriate safeguards. Capability for change or adjustment is required in 3 areas: the control algorithm constants such as references and gains, the position servos which need calibration, and sequencing logic which frequently requires minor changes during the installation and start-up. The following safeguards are provided:

1) Requires entering a unique password.
2) Limits rate of change of constants if turbine is running.
3) Permits servo calibration only in 'off' and 'crank' modes of gas turbine control.
4) Permits sequencing changes only if turbine is stopped.
5) Limits ranges on critical parameters.
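The five safeguards above can be read as one authorization check applied to every requested change. The following is an added sketch, not code from the paper or from the Mark IV: all names, modes, status codes and limit values are hypothetical, "running" is taken to mean "not stopped", and the rate limit is modelled as a maximum change per request.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names and limits for illustration; not Mark IV identifiers. */
typedef enum { MODE_OFF, MODE_CRANK, MODE_RUN } turbine_mode;
typedef enum { CHG_CONSTANT, CHG_SERVO_CAL, CHG_SEQUENCING } change_kind;
typedef enum { CHG_OK, DENY_PASSWORD, DENY_MODE, DENY_RANGE, DENY_RATE } verdict;

typedef struct {
    bool password_ok;    /* safeguard 1: identification code accepted */
    turbine_mode mode;   /* selected control mode */
    bool stopped;        /* shaft at rest (assumed distinct from 'off') */
} panel_state;

typedef struct {
    change_kind kind;
    double current, requested;  /* constant value in engineering units */
    double lo, hi;              /* safeguard 5: permitted range */
    double max_step;            /* safeguard 2: largest change per request */
} change_request;

verdict check_field_change(const panel_state *p, const change_request *c)
{
    double delta = c->requested - c->current;

    if (!p->password_ok)                       /* 1) password first */
        return DENY_PASSWORD;
    switch (c->kind) {
    case CHG_SERVO_CAL:                        /* 3) 'off' or 'crank' only */
        return (p->mode == MODE_OFF || p->mode == MODE_CRANK) ? CHG_OK : DENY_MODE;
    case CHG_SEQUENCING:                       /* 4) turbine stopped only */
        return p->stopped ? CHG_OK : DENY_MODE;
    case CHG_CONSTANT:
        /* Negated comparisons so that a NaN request fails closed. */
        if (!(c->requested >= c->lo && c->requested <= c->hi))
            return DENY_RANGE;                 /* 5) range limit */
        if (delta < 0) delta = -delta;
        if (!p->stopped && !(delta <= c->max_step))
            return DENY_RATE;                  /* 2) rate limit while running */
        return CHG_OK;
    }
    return DENY_MODE;                          /* unknown kind: fail closed */
}

int main(void)
{
    panel_state run = { true, MODE_RUN, false };          /* constructed */
    change_request big = { CHG_CONSTANT, 10.0, 15.0, 0.0, 20.0, 0.5 };
    printf("large step while running -> %d\n", check_field_change(&run, &big));
    return 0;
}
```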

The control constants can be changed by requesting the 'control constants' display, and entering the identification code. The constants are displayed in engineering units. The operator selects the page containing the constant to be changed, and then places the cursor on that constant. Pressing the INCR or DECR soft switch will then cause the selected constant to increase or decrease. Figure 8 shows a page of the control constants display in the adjust mode.

FIGURE 8 - CONTROL CONSTANTS DISPLAY

The constants are stored in battery-backed RAM (BRAM) which is normally downloaded from PROM upon powering up, unless the FREEZE variable is set. If the FREEZE variable is set, then upon powering up the BRAM is preserved, saving the changed values. The FREEZE variable can be set or cleared from the 'control constants' display.

There is a sequencing editor in the SPEEDTRONIC Mark IV panel to facilitate making changes to the sequencing logic. A 'dumb' terminal (optional equipment) is required, and is plugged into the RS232 port on the processor card in the communicator module. A simple editor, consisting of 8 display commands and three editing commands is then used to examine and modify the appropriate 'rung' of the relay ladder diagram. In this simple editor, the elements of the 'rung' are displayed as instructions rather than graphically. Experience has shown that a field engineer or maintenance man is comfortable with this editor after a couple of hours of usage.

After completing constant or sequencing changes, the contents of the BRAM can be downloaded to a portable PROM-blower (optional equipment) to make the changes permanent. Only 2 PROMs need to be changed for all the sequencing and control constants. These can then be inserted into the PROM board replacing the original PROMs in that location.

At the factory, the application software for a given installation is configured and loaded into a test bed for checking. This test bed provides a maximum case set of hardware so that any job can be loaded and tested. A programmable simulator is provided to simulate inputs and measure outputs so that a thorough check of the software can be made.

PROMs are then blown, and when the hardware tests of the SPEEDTRONIC Mark IV panel are complete, the PROMs are inserted and the final operational check made before shipment.

AVAILABILITY-

Availability of the control panel is a function of the frequency and duration of turbine forced outages caused by a failure in the control panel hardware or software. Both the number and duration of such outages are of concern to turbine owners. The SPEEDTRONIC Mark IV reduces these outages by the use of fault tolerant design, on line diagnostics, repair, and recovery. At this stage in the evolution of SPEEDTRONIC Mark IV, there is insufficient experience to gather the statistics required to shed any light on the control availability actually achieved. This section, therefore, deals with calculations and extrapolations from past experience.

The calculations of failure rates for the hardware are expected to be quite accurate, since they are based on Mil Spec component failure rates weighted with experience from previous similar electronic boards. Increased automation in board manufacture, modular construction, cable connections and thorough automatic testing indicate that the average MTBF (mean time between failures) will improve. The diagnostics have the beneficial effect of keeping people out of the panel, as mentioned before, and of reducing the MTTR (mean time to repair). It is estimated that MTTR will be between 3 and 4 hours at the present time.


In total, it is expected that the average number of years between an electronic failure in the control panel will be about 50% better than the earlier control panels, or about 1.5 years. Of these failures, about 1 in 10 will cause a forced outage according to preliminary calculations. This, of course, is a difficult number to assess with the very limited field experience available at the present time. Targets have been set at a 10:1 improvement in control panel availability, or 10 years between forced outages caused by the electronics.

One of the most difficult factors to assess is the reaction of operators and maintenance people: Will they, in fact, follow General Electric's recommendation of on line service? This will depend on their confidence at the time of the failure, which will depend on training, and their assessment of the cost and risk of shutting down, compared to effecting an on line repair. General Electric's position is that the improved availability is of prime importance to users, and that they will utilize the built in capability of the panel for on line repair. In fact, the SPEEDTRONIC Mark IV is expected to set the standard for control availability for this decade.

Another issue is how long the panel will be left in a partially disabled state before doing the on line repair. With a partial failure, a second failure is quite likely to cause a forced outage. Thus the panel is vulnerable during this period. Here, statistical analysis provides some meaningful advice: If the panel is repaired within 24 hours, there is no significant reduction in availability. If the panel is left without repair until it finally causes a forced outage, the potential 10:1 improvement in availability is almost completely lost.

With the MTTR estimated at 3 to 4 hours, it seems reasonable for an owner to be able to repair the control panel in this period of time. It depends on three factors:

1) Simple and accurate diagnostics
2) Knowledgeable personnel
3) Spare parts on site

The diagnostics are designed to be used easily by typical plant operators and maintenance personnel.

The reliability of sensors has not been included in the foregoing description of availability of the control panel. With SPEEDTRONIC Mark IV, more redundant sensors can be added to improve the overall control availability. Making the sensors redundant decreases the sensor induced forced outage rate in heavy duty turbines by about 50%. Some of the sensors can not be replaced with the turbine running because of their environment temperature and proximity to moving parts.

Figure 9 shows outage rates for the SPEEDTRONIC Mark IV and the redundant sensors. When the influence of sensors is combined with the SPEEDTRONIC Mark IV, estimates are for a mean time to forced outage of three years. This assumes good maintenance, particularly for the sensors. Suppose a critical sensor has a MTBF of three years. If all three sensors are working, the first failure will not shut down the power plant, and should occur on the average in one year. But the next failure, of either of the remaining sensors, will shut down the machine. This will happen, on the average, in only six months. For this reason, it is extremely important to replace sensors as soon as possible after a failure. In fact, if no service is performed on sensors at all until there is a forced outage, there will be more outages than without redundant sensors.

FIGURE 9 - RELATIVE OCCURRENCE OF FORCED OUTAGES, SPEEDTRONIC (tm) MARK II VS MARK IV (vertical axis: PERCENT; bar labels: PANEL, PANEL ONLY, SENSORS, REDUNDANT SENSORS)

EXPERIENCE AND APPLICATIONS

The first gas turbine ran with SPEEDTRONIC Mark IV control at the manufacturing plant in Schenectady in the summer of 1981. Although the control system was new, and not all the software was completed, the testing went extremely well. All scheduled tests on the MS6000 prototype machine were completed as planned.

General Electric has entered into an early demonstration program of the SPEEDTRONIC Mark IV with the Electric Power Research Institute and a utility company. An existing single shaft combined cycle plant is being retrofitted with the SPEEDTRONIC Mark IV panel and sensors. Careful records of all failures and forced outages will be kept, which will begin to build the statistical base needed for measuring the SPEEDTRONIC Mark IV availability. Also, as part of this program, a more formal reliability analysis will be completed. The plant should be operating on SPEEDTRONIC Mark IV in the fourth quarter of 1982. Three similar combined cycle units at the same site, equipped with original controls, will form a good basis for comparison of availability.

The turbine that was operated in Schenectady with SPEEDTRONIC Mark IV is now being installed in a cogeneration plant in California. While in Schenectady inspecting the turbine, the owners liked the prototype SPEEDTRONIC Mark IV controls, and asked if the SPEEDTRONIC Mark IV could be delivered with the turbine. Rather than the prototype, a production control was manufactured, tested, and delivered. The machine is scheduled to run on site in September of 1982. Like the retrofit combined cycle unit, this machine is slated for considerable running and long periods between shut-downs.

Figure 10 shows the first start-up of the MS6001 gas turbine under SPEEDTRONIC Mark IV control at the customer's site. The installation and checkout of the new control went very smoothly, and the first start presented no significant problems.

SPEEDTRONIC (tm) MK IV START-UP (MS 6001)

The test plan calls for releasing up to six SPEEDTRONIC Mark IV units before starting full production. These machines will be installed and operating before many SPEEDTRONIC Mark IV controls are shipped, allowing time for corrective feedback should any unanticipated problems occur on the early installations. Production is now scheduled to start in the fall of 1983 for most product lines, with all lines standardizing on SPEEDTRONIC Mark IV within one year of the start of production.

CONCLUSIONS-

SPEEDTRONIC Mark IV control represents a significant departure from the older controls, in that it is a microprocessor based distributed control with provision for on line repair and return to service. At the present time it appears that turbine users look favorably toward the potential for high control system availability that SPEEDTRONIC Mark IV offers. The display system, although very different in concept from the older dedicated meters and annunciator light box, has so far been quite well received because it gives the operator more information, which is better organized, with some operator configurability and a hard copy option. SPEEDTRONIC Mark IV has the flexibility to meet a large variety of applications, yet retains standardized hardware which simplifies manufacturing, diagnostics and maintenance.


FIGURE 10 (plot of SPEED, scale 0 to 100, against time, 0 to 11 MIN)
