GEH-6723 - Mark6es functional safety 2021

GEH-6723W Mark* VIeS Control Functional Safety Manual Sept 2021 Public Information These instructions do not purport to cover all details or variations in equipment, nor to provide for every possible contingency to be met during installation, operation, and maintenance. The information is supplied for informational purposes only, and GE makes no warranty as to the accuracy of the information included herein. Changes, modifications, and/or improvements to equipment and specifications are made periodically and these changes may or may not be reflected herein. It is understood that GE may make changes, modifications, or improvements to the equipment referenced herein or to the document itself at any time. This document is intended for trained personnel familiar with the GE products referenced herein. GE may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not provide any license whatsoever to any of these patents. Public Information – This document contains non-sensitive information approved for public disclosure. GE provides the following document and the information included therein as is and without warranty of any kind, expressed or implied, including but not limited to any implied statutory warranty of merchantability or fitness for particular purpose. For further assistance or technical information, contact the nearest GE Sales or Service Office, or an authorized GE Sales Representative. Revised: Sept 2021 Issued: Sept 2008 © 2008 – 2021 General Electric Company. ___________________________________ * Indicates a trademark of General Electric Company and/or its subsidiaries. All other trademarks are the property of their respective owners. We would appreciate your feedback about our documentation. Please send comments or suggestions to controls.doc@ge.com Public Information Document Updates Rev Location Description Primary Architecture Components, Terminal Boards Added TCDMS1A to table Application-specific I/O Primary Architecture Components, Added YDAS Application-Specific I/O Dual Single I/O Pack Single Network I/O Module on W Common TB YDAS Data Acquisition System New section Operation, Restrictions Added YDAS buffered outputs are not safety-certified I/O Configuration, YAIC I/O Configuration, YDAS Proof Tests, Dual and TMR System Test Requirements V U Combined TBAI Terminal Board and STAI Terminal Board tables into TBAI/STAI Terminal Board New section Added YDAS requirements Updated YSIL requirements Improved requirements language for all modules YDAS Test Procedures Throughout document New section K25A Updated tables SIF Function Blocks table Safety-instrumented Functions (SIF) Added new SIL Blocks Unlocked Mode Clarified that only factory fresh I/O packs do not require unlocking Restrictions Modifications to restrictions YSIL Added table YSIL Protection Hardware & Field Upgrade Kits Formatted tables New section, Variable Simulation Added guidelines for proof tests on Mark VIeS Functional Safety I/O packs Proof Tests and I/O pack channel configuration Added a table listing available pluggable connectors for use in proof tests YAIC/YHRA Input Accuracy Added Note to only test channels used and enabled for assigned configuration YDIA Low Source Voltage YDOA Low Source Voltage Modifications to acceptance criteria YTCC Thermocouple Input Accuracy YDOA Digital Output Control Added the two pluggable terminal blocks used with TRLY with YDOA Modifications to general test description to include both firmware and T YPRO Overspeed Test hardware overspeed functionality, and updates to clarify test steps and acceptance criteria YPRO Low Source Voltage Modifications to acceptance criteria Modifications to general test description to include both firmware and YSIL Overspeed Test hardware overspeed functionality, and updates to clarify test steps and acceptance criteria YSIL Low Source Voltage YSIL Thermocouple Input Accuracy Modifications to acceptance criteria YSIL Contact Input Low Source Voltage GEH-6723W Functional Safety Manual 3 Public Information Document Updates (continued) Rev Location Description Updated the table SIF Function Blocks to include the following blocks: Controller Application Code • CLAMP • DUALSEL_S2 • FUNGEN • INTERP_V2 • MEDSEL_S2 • VOTE and added the column Minimum Required Mark VIeS Firmware Version R Disabling Transmitters YUAA Universal Analog YSIL Core Safety Protection I/O Configuration, YUAA Proof Test Requirements, Dual and TMR Systems YUAA Test Procedures Q Introduction Controller Application Code Critical System Timing Parameters Maximum Remote I/O Stimulus to Response Time P N M Added this section to provide a description of disabling and enabling transmitters New section added for YUAA and SUAA safety certification Added Rate-based overspeed (RBOS) to the list of YSIL supported speed signals (probes) Added the YUAA configuration section Added YUAA to list of field devices with proof test requirements for Dual and TMR systems New section containing YUAA proof test procedures Added Attention statement that users application may not be licensed to access full system capability and I/O types described in this document Added approval for SIL3 use per IEC 61508–3 Added 10 ms frame period to critical system design parameters Clarified the Mark VIeS maximum remote I/O Stimulus to Response Time Restrictions calculation Added additional restrictions for 10 ms frame period for controllers Product Life Added UCSCS2A to second bullet item concerning wear items Appendix: Determine Frame Input Client Added appendix with procedures to determine frame input completion time Completion Time with Mark VIeS V06.00 (ControlST V07.02). SIF Function Blocks table Branding Added new SIL Blocks Branding is needed after upgrades from BPPB to BPPC based I/O packs YTCC Configuration table Corrected YTCC SysLimit1 and SysLimit1 choices temperature range YTCC Cold Junctions table Corrected YTCC Cold Junction TMR_DiffLimit choices temperature range YSIL Test Procedures New TCSA ETR#_Open Test Added Output Bits in the YSIL configuration YTCC, YAICS1B, YDIAS1B: I/O Configuration updated to be in sync with GEH-6721_Vol_II Added firmware compatibility information to YVIB, YAIC, YDIA, and YDOA I/O Configuration L 4 New section, YSIL YDOA, updated to be in sync with GEH-6721_Vol_II Process I/O Packs table Turbine Protection with YTUR and YPRO figure Added SRSA Corrected YPRO trip board to be TREG Application-specific I/O Added YSIL Proof Tests Added YSIL Proof Test Requirements and YSIL Test Procedures YDOA Test Procedures Updated to include SRSA Locked Mode Provided a more general description Black Channel Moved this information into GEH-6721_Vol_II Throughout Updated to define differences in YVIBS1A and the new YVIBS1B SIF Function Blocks table Added a Caution to indicate blocks that are not currently available for SIFs. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Acronyms and Abbreviations ALARP As low as reasonably practicable AMS Asset Management System BPCS Basic process control system CRC Cyclic redundancy check DC Diagnostic coverage DCS Distributed control system DHCP Dynamic Host Configuration Protocol E/E/PE Electrical/electronic/programmable electronic EGD Ethernet global data ETD Electrical trip device ETR Emergency Trip Relay EUC Equipment under control FMEDA Failure modes, effects, and diagnostic analysis HFT IEC LOP Hardware fault tolerance International Electrotechnical Commission Layers of protection MTBF MTBFO Mean time between failures Mean time between forced outages MTTFS Mean time to fail spurious PDM PT PTI PFDavg Power distribution module Potential transformer Proof test interval Average probability of failure on demand PFH Probability of failure per hour PST Process safety time RBOS Rate-based overspeed RRF SIF Risk Reduction Factor Safety-instrumented function SIL Safety integrity level SIS Safety-instrumented system TMR Triple modular redundancy UDH Unit Data Highway UDP User Datagram Protocol GEH-6723W Functional Safety Manual 5 Public Information Related Documents Title Description ToolboxST User Guide for Mark Controls Platform Contains instructions for using the ToolboxST application to configure and control a Mark VIeS system GEH-6721_Vol_ I Mark VIe and Mark VIeS Control Systems Volume I: System Guide Provides an overview of the Mark VIe and Mark VIeS control systems. The Technical Regulations, Standards, and Environments chapter provides a list of applicable agency codes and standards. GEH-6721_Vol_II Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications Describes the hardware elements that are available for use in a Mark VIeS control GEH-6721_Vol_III Mark VIe and Mark VIeS Control Systems Volume III: System Guide for GE Industrial Applications Describes the hardware elements that are available for use in a Mark VIeS control GEH-6808 ControlST Software Suite How-to Guides Provides procedures for setup and configuration of Mark VIeS components Doc # GEH-6700 GEH-6703 IEC 61508 Provides information on the controller blocks available in a Mark VIeS control Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems IEC 61511 Functional Safety – Safety Instrumented Systems for the Process Industry Sector GEI-100691 6 GEH-6723W Mark VIeS Safety Controller Block Library GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Safety Symbol Legend Indicates a procedure or condition that, if not strictly observed, could result in personal injury or death. Warning Indicates a procedure or condition that, if not strictly observed, could result in damage to or destruction of equipment. Caution Indicates a procedure or condition that should be strictly followed to improve these applications. Attention GEH-6723W Functional Safety Manual 7 Public Information Contents 1 Introduction ..................................................................................................................................... 11 2 Functional Safety............................................................................................................................ 13 2.1 Risk Reduction...................................................................................................................................... 13 2.2 Modes of Operation ............................................................................................................................... 15 2.3 Hazard and Risk Analysis........................................................................................................................ 15 2.4 Safety Life Cycle................................................................................................................................... 16 2.5 Functional Safety Management ................................................................................................................ 16 3 System Design ................................................................................................................................ 17 3.1 Primary Architecture Components ............................................................................................................ 18 3.2 Safety-instrumented Functions (SIF) ......................................................................................................... 25 3.3 Online SIFs .......................................................................................................................................... 38 3.4 Redundancy.......................................................................................................................................... 39 3.5 Control and Protection ............................................................................................................................ 46 3.6 Critical System Timing Parameters ........................................................................................................... 49 3.7 Failure Analysis Probability..................................................................................................................... 56 3.8 System Configuration ............................................................................................................................. 57 3.9 Power Sources ...................................................................................................................................... 72 4 Installation, Commissioning, and Operation .......................................................................... 75 4.1 Installation ........................................................................................................................................... 75 4.2 Commissioning ..................................................................................................................................... 75 4.3 Operation ............................................................................................................................................. 76 4.4 Product Life.......................................................................................................................................... 79 5 I/O Configuration ............................................................................................................................ 81 5.1 YAIC .................................................................................................................................................. 82 5.2 YDIA .................................................................................................................................................. 88 5.3 YDOA................................................................................................................................................. 91 5.4 YHRA ................................................................................................................................................. 94 5.5 YTCC ................................................................................................................................................. 98 5.6 YVIB .................................................................................................................................................101 5.7 YPRO ................................................................................................................................................117 5.8 YSIL ..................................................................................................................................................120 5.9 YTUR ................................................................................................................................................132 5.10 YUAA................................................................................................................................................136 5.11 YDAS ................................................................................................................................................148 6 Proof Tests .....................................................................................................................................157 6.1 Proof Test Requirements ........................................................................................................................158 6.2 YAIC/YHRA Test Procedures .................................................................................................................160 6.3 YDIA Test Procedures ...........................................................................................................................164 6.4 YDOA Test Procedures ..........................................................................................................................166 6.5 YPRO Test Procedures ..........................................................................................................................171 6.6 YSIL Test Procedures ............................................................................................................................180 6.7 YTCC Test Procedures ..........................................................................................................................200 6.8 YTUR Test Procedures ..........................................................................................................................204 8 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.9 YUAA Test Procedures ..........................................................................................................................209 6.10 YVIB Test Procedures ...........................................................................................................................221 6.11 YDAS Test Procedures ..........................................................................................................................230 Appendix: Determine Frame Input Client Completion Time....................................................233 Glossary of Terms ..............................................................................................................................237 GEH-6723W Functional Safety Manual 9 Public Information Notes 10 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 1 Introduction The Mark* VIeS Safety control is a stand-alone safety control system used by operators knowledgeable in safety-instrumented system (SIS) applications to reduce risk in critical safety functions. It is a derivative of the Mark VIe control system used in a variety of power plant applications. The Mark VIeS Safety control is programmed and configured with the same ToolboxST* application that is used in the Mark VIe control. The Mark VIeS Safety controller and distributed I/O module firmware are enhanced for safety control use. Specific Mark VIe control hardware has also been identified for use in safety control systems. While the Mark VIeS control performs the logic solving tasks for the system, it can also interface with the ToolboxST application. The ToolboxST application can interface with an external distributed control systems (DCS). It provides a means to lock or unlock the Mark VIeS control for configuration and safety-instrumented function (SIF) programming. This allows you to install a safety function, test it, and place the controller in Locked mode to perform safety control. WorkstationST Server ToolboxST Application Other Devices Mark VIe HMI Locked/Unlocked Mode Sensors Mark VIeS Logic Solver Final Elements Mark VIeS Control as Part of a SIS Interfaces to the Mark VIeS control must be strictly controlled to avoid interference with the operation of the system. Data exchange to the safety control must be restricted and only used when validated by the application software. The Mark VIeS control was designed and certified to meet functional safety standards according to IEC 61508 Parts 1 through 3. It is certified for use in both high-and low-demand applications. The Mark VIeS control uses redundant architecture configurations and a hardware fault tolerance (HFT) of 1 to achieve safety integrity level (SIL) 3. The highest achievable SIL with an HFT of 0 is SIL 2. Introduction GEH-6723W Functional Safety Manual 11 Public Information The information in this document applies to the overall Mark* VIe control system or Mark VIeS Functional Safety System control products; however, your application may not be licensed to access full system capability and I/O packs as described in this document. For example, the Mark VIeS Functional Safety System for General Markets only utilizes the following I/O packs: Attention 12 GEH-6723W • Analog I/O (YAIC) • Universal Analog (YUAA) • Vibration Input Monitor (YVIB) • Relay Output (YDOA) • Discrete Contact Input (YDIA) • Power Distribution System Diagnostics (PPDA) • Serial Modbus Communication (PSCA) • Mark VIeS Safety Controller (UCSCS2x) • Mark VIe Controller for Gateway (UCSCH1x) GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 2 Functional Safety IEC 61508-4 definitions are as follows: Safety Risk Freedom from unacceptable risk. Combination of the probability of occurrence of harm and the severity of that harm. Functional Safety Part of the overall safety relating to the equipment under control (EUC) and the EUC control system that depends on the correct functioning of the Electrical/electronic/programmable electronic (E/E/PE) safety-related systems, other technology safety-related systems, and external risk reduction facilities. 2.1 Risk Reduction Functional safety relates to proper equipment operation, as well as other risk reduction practices. The Layers of protection (LOP) concept is as follows: Plant Evacuation Procedures Barrier Relief Valve Mechanical Protection Alarms with Operator Action Safety Instrumented Systems BPCS Process Alarms Operator Supervision Process Control and Monitoring Prevention Mitigation Plant Emergency Response LOP Functional Safety GEH-6723W Functional Safety Manual 13 Public Information The LOP around a process can be used to introduce risk reduction. Failure to carefully analyze the available LOP and the likelihood-consequence relationship of the risks involved with process control failure can lead to an expensive over-design of the system. The goal is to reduce the risk to a level that is as low as reasonably practicable (ALARP). Residual Residual Risk Risk Inherent Inherent Process Process Risk Tolerable Tolerable Risk Risk Increasing Risk NecessaryNecessary Risk Reduction Risk Reduction ActualRisk RiskReduction Reduction Actual To achieve functional safety, it is necessary to analyze the potential hazards to personnel and property, including any environmental impact, that could occur when the control of equipment is lost. Requirements for safety function and integrity must be met to achieve functional safety. Safety function requirements describe what the safety function does and is derived from the hazard analysis. The safety integrity requirement is a quantitative measure of the likelihood that a safety function will perform its assigned task adequately. For safety functions to be effectively identified and implemented, the system as a whole must be considered. A primary parameter used in determining the risk reduction in a safety controller is the Average Probability of Failure on Demand (PFDavg). The inverse of the PFDavg is the Risk Reduction Factor (RRF). 1 RRF = 14 PFDavg GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 2.2 Modes of Operation A demand mode is a mode operation in which the safety function is called upon only on demand. IEC 61508-4 clause 3.5.12 defines two demand modes of operation: • • Low demand mode High demand or continuous mode Low demand describes the mode in which safety function demand occurs no greater than once per year and no greater than twice the proof test frequency. In high demand mode, the frequency of demand is greater than once per year or greater than twice the proof test frequency. Continuous mode is regarded as very high demand and is associated with the safety function operating to keep the EUC within its normal safe state. The mode of operation is relevant when determining the target failure measure of a safety function. Low demand mode relates to the PFDavg whereas high demand or continuous demand mode relates to measuring the probability of failure per hour (PFH) (there are approximately 104 hours in a year). IEC 61508 defines a scale of four distinct levels of risk reduction referred to as the Safety Integrity Level (SIL). SILs SIL PFDavg Low Demand Mode PFH High Demand Mode RRF 1 2 ≥ 10-2 to < 10-1 ≥ 10-6 to < 10-5 ≥ 10-3 to < 10-2 ≥ 10-7 to < 10-6 > 10 to ≤ 100 > 100 to ≤ 1,000 3 ≥ 10-4 to < 10-3 ≥ 10-8 to < 10-7 > 1,000 to ≤ 10,000 4 ≥ 10-5 to < 10-4 ≥ 10-9 to < 10-8 > 10,000 to ≤ 100,000 The SIL applies to all elements in the safety loop (sensors, logic solver, and final element) and their architecture. The loop must be considered in its entirety. Sensor 1 1 out of 2 Sensor 2 Mark VIeS Logic Solver Valve 1 1 out of 1 Valve 2 Safety Loop 2.3 Hazard and Risk Analysis Hazard and risk analyses determine the necessary safety functions and the required levels of risk reduction (refer to IEC 61508-5:1998). The recommended safety life cycle stipulates the completion of a hazard and risk analysis early in the process. A hazard analysis, the identification of potential sources of harm, determines the causes and consequences of hazardous events. A team of professionals, familiar with both the EUC and safety-related systems, typically conducts the hazard analysis. A risk analysis is typically defined in three stages: hazard identification, hazard analysis, and risk assessment. Risk analysis, like hazard analysis, requires a large spectrum of expertise and a team effort is required to produce a viable result. Annexes A – F of IEC 61511-3 provides guidance in producing a risk analysis. Functional Safety GEH-6723W Functional Safety Manual 15 Public Information 2.4 Safety Life Cycle The safety life cycle is crucial to the philosophy of functional safety. The safety life cycle involves the following recommended stages: 1. Functional safety management including functional safety assessment 2. Safety life cycle structure and planning 3. Hazard and risk analysis 4. Allocation of safety functions to protection layers 5. Safety requirements specification for the safety control 6. Design and engineering of safety control 7. Design and development of other means of risk reduction 8. Installation, validation, and commissioning 9. Operation and maintenance 10. Modification and retrofit 11. Decommissioning IEC 61511 defines how to use the safety life cycle to achieve the desired SIL. Although the safety life cycle is described here and in IEC 61511 as a sequence of stages, in practice it is a repetitive process. If, for example, a modification is required in the operational system, an impact analysis is required and the design changes should be reassessed starting with the hazard and risk analysis phase. Furthermore, for each safety function a hazard and risk analysis is required to define the safety function requirements and required SIL. 2.5 Functional Safety Management Functional safety must be managed during the entire time of the safety life cycle. IEC 61511 clause 5 describes the objectives and requirements for the management of functional safety. The functional safety management plan should be a formal document that outlines the activities related to functional safety and the persons in the organization responsible for those activities. It should also include functional safety assessment and audit planning. IEC 61508 provides additional guidance about completing an effective functional safety management plan. The tables of technique and measures in Annex A and B of IEC 61508 Tab 1, 2, and 3 are particularly useful. 16 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3 System Design This chapter describes the components that are critical to system implementation. The internal structure of the Mark VIeS control is displayed in the following figure. Mark VIeS Safety Control within Entire Application System Design GEH-6723W Functional Safety Manual 17 Public Information 3.1 Primary Architecture Components A Mark VIeS control for any supported architecture is built using a common set of safety approved components connected by a combination of direct wiring and the IONet communications bus. The Mark VIeS I/O signal path consists of three basic parts: terminal board, I/O pack, and IONet. 3.1.1 Terminal Boards Terminal boards mount on the cabinet and are of two basic types: S and T. The S-type board provides wire terminals for each I/O point and allows a single I/O pack to condition and digitize the signal. This terminal board is used for simplex, dual, and dedicated triple modular redundant (TMR) inputs and outputs by using one, two, or three boards. The T-type is a fanned TMR board that typically fans the inputs to three separate I/O packs. For outputs, the T-type hardware provides a mechanism to vote the outputs from the three I/O packs. Note Some application-specific TMR terminal boards do not fan inputs or vote the outputs. TMR Terminal Board Simplex Terminal Board Both S-type and T-type terminal boards provide the following features: • • • • • Terminal blocks for I/O wiring Mounting hardware Input transient protection I/O pack connectors Unique electronic ID 18 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information The following terminal board interfaces are available for field I/O: Typical Process I/O Board Typical Process I/O # of Packs/Board TBCIS1C 24 discrete inputs (125 V dc, group isolated) 1, 2, or 3 TBCIS2C 24 discrete inputs (24 V dc, group isolated) 1, 2, or 3 TBCIS3C 24 discrete inputs (48 V dc, group isolated) 1, 2, or 3 STCIS1A, S2A 24 discrete inputs (24 V dc, group isolated) 1 STCIS4A 24 discrete inputs (48 V dc, group isolated) 1 STCIS6A 24 discrete inputs (125 V dc, group isolated) 1 TRLYS1B 12 Form C mechanical relays w/ 6 solenoids, coil diagnostics 1 or 3 TRLYS1D 6 Form A mechanical relays for solenoids, solenoid impedance diagnostics 1 or 3 TRLYS1F 36 mechanical relays, 12 voted form A 3 TRLYS2F 36 mechanical relays, 12 voted form B 3 SRLYS1A, S2A 12 Form C mechanical relays-dry contacts 1 SRSAS1A, S3A Two banks of 5 channels each, for 10 total relay outputs 1 TVBAS1A, S2A 8 vibration or position, 4 position only, 1 reference (Keyphasor* transducers) 1 or 3 TBAIS1C 10 analog inputs (V and I) and 2 analog outputs 4-20 mA 1 or 3 STAIS1A, S2A 10 analog inputs (V and I) and 2 analog outputs 4-20 mA 1 SHRAS1A, S2A 10 analog inputs (V and I) and 2 analog outputs 4-20 mA, HART® capable 1 TBTCS1B 12 thermocouples 1, 2, or 3 TBTCS1C 24 thermocouples (12 per I/O pack) 1 STTCS1A, S2A 12 thermocouples 1 Application-specific I/O Board Application-specific I/O # of Packs/Board TTURS1C Mixed I/O: 4 speed inputs/ pack 1 or 3 TRPAS1A Speed inputs, trip outputs at 24 V dc, E-Stop 3 TRPAS2A Speed inputs, trip outputs at 125 V dc, E-Stop 3 TRPGS1B Primary trip – Gas, flame detector inputs 3 (through TTUR/YTUR) TRPGS2B Primary trip – Gas, flame detector inputs 1 (through TTUR/YTUR) TREGS1B Backup trip at 125 V dc, E-Stop 3 (through SPRO/YPRO) TREGS2B Backup trip at 24 V dc, E-Stop 3 (through SPRO/YPRO) TREAS1A Mixed I/O: 3 speed inputs, trip contacts at 24 V dc 3 TREAS2A Mixed I/O: 3 speed inputs, trip contacts at 125 V dc 3 TREAS3A Mixed I/O: 3 speed inputs, trip contacts at 24 V dc 3 TREAS4A Mixed I/O: 3 speed inputs, trip contacts at 125 V dc 3 SPROS1A Mixed I/O: 3 speed inputs, trip contacts 1 TCDMS1A 21 dynamic pressure inputs, CCSA or PCB charge amplifier 21 buffered outputs, non-interfering 1 or 2 System Design GEH-6723W Functional Safety Manual 19 Public Information 3.1.2 I/O Packs Mark VIeS I/O packs contain a common processor board and a data acquisition board that is unique to the type of device to which it is connected. I/O packs on each terminal board digitize signals, perform algorithms, and communicate with the Mark VIeS controller. I/O packs provide fault detection through special circuitry in the data acquisition board and software running in the CPU board. The fault status is transmitted to, and used by, the controllers. Each I/O pack transmits inputs and receives outputs on both network interfaces if connected. 3.1.2.1 Process I/O Typical process inputs include contact, analog, and thermocouple signals. Typical process outputs include relays and analog outputs. All typical process outputs based on inputs are processed by the system controller. The following process I/O packs are available for use in the Mark VIeS control: Process I/O Packs Associated Terminal Board(s) Functions Redundancy YAIC TBAI, STAI 10 analog inputs (voltage, 4-20 mA) 2 analog outputs (4-20 mA) 1 or 3 packs YDIA TBCI, STCI 24 discrete inputs w/ group isolation (24 V dc, 48 V dc, or 125 V dc) 1, 2, or 3 packs YDOA TRLY_B, TRLY_F, SRLY TRLY_D 12 relay outputs 6 relay outputs 1 or 3 packs SRSA 10 relay outputs 1 pack YHRA SHRA 10 analog inputs (4-20 mA), 2 analog outputs (4-20 mA) (All I/O HART enabled) 1 pack YTCC TBTC, STTC 12 thermocouple inputs 1, 2, or 3 packs I/O Pack YVIBS1A TVBA YVIBS1B TVBA 20 GEH-6723W 8 vibration, 4 position and 1 Keyphasor transducer 8 vibration, 3 position only, 2 position or Keyphasor 1 or 3 packs 1 or 3 packs GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.1.2.2 Application-specific I/O Mark VIeS Safety control system includes GE application-specific functions. The ability to accept local inputs and drive local outputs independent of the system controller differentiates these from the typical process I/O. GE application-specific I/O types include pulse rate speed inputs and flame detectors. In the Mark VIeS control, the following application-specific I/O packs are available: I/O Pack Associated Terminal Board(s) Functions Redundancy YDAS TCDM Combustion dynamics monitoring 21 dynamic pressure inputs 21 non-interfering buffered outputs 1 or 2 packs TREA, TREG, SPRO Backup/emergency protection 3 speed inputs 7 contact inputs 3 monitored trip relay outputs 1 E-Stop 3 packs YTUR TTUR, TRPA, TRPG Primary turbine protection 4 speed inputs 8 flame inputs 3 monitored trip relay outputs 1 E-Stop 1 or 3 packs YSIL Three I/O packs are mounted to TCSA + WCSA, which connects by serial links to three SCSAs to form the YSIL module Core safety protection Refer to table YSIL I/O Functions 3 packs YPRO The YPRO, YTUR, and YSIL process speed signals and operate trip relays locally, without requiring controller participation. The compatible mating terminal boards detect the correct operation of the tripping relay output circuits. YTUR includes a non-certified but non-interfering capability to synchronize a generator to a utility grid and control a connection breaker. The YPRO and YSIL include a non-interfering backup synchronizing check. Turbine overspeed protection is available as follows: control, primary, and backup. The controller provides primary overspeed protection. The TTUR terminal board and YTUR I/O pack carry a shaft speed signal to each controller, which select the median signal. If the controller finds a trip condition, it sends the trip signal to the TRPG terminal board through YTUR. A three-relay voting circuit (one for each trip solenoid) performs a two out of three vote of the three YTUR outputs and removes power from the solenoids. The YPRO adds firmware and hardware based redundant overspeed protection. The YDAS receives processes dynamic pressure signals, which are sent to a higher-level controller which will operate a trip relay in a separate I/O pack if necessary. The pressure signals are re-transmitted as non-interfering buffered outputs so that other systems may observe the pressure signals without interfering with the safety function. System Design GEH-6723W Functional Safety Manual 21 Public Information High Speed Shafts Software Voting R R S Mark VIeS controller and YTUR TTUR terminal board TRPG terminal board S Hardware Voting (relays) Mark VIeS controller and YTUR T Primary Protection T Mark VIeS controller and YTUR Magnetic Speed Pickups (3 used) Trip Solenoids (up to three ) High Speed Shafts R8 YPRO R8 SPRO TREG terminal board S8 YPRO S8 Hardware Voting (relays) SPRO T8 Backup Protection YPRO T8 SPRO Magnetic Speed Pickups (3 used) Turbine Protection with YTUR and YPRO 22 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YSIL I/O Functions Signal Qty. Redundancy Board 33 Description 4-20 mA, 2-wires, loop powered (11 inputs times three SCSAs) Simplex SCSA 18 4-20 mA, 2–wires, externally powered (6 inputs times three SCSAs) Simplex SCSA 6 Contact outputs (2 outputs times three SCSAs) Simplex SCSA 9 Contact inputs, 24 V dc powered (3 inputs times three SCSAs) Simplex SCSA 1 Emergency push-button dedicated discrete input, capable of initiating a TRIP output without firmware interaction (hardware trip) TMR Voted TCSA 17 Contact inputs, 24 V dc powered, firmware trip option TMR Fanned TCSA 8 Flame detector Honeywell type inputs TMR Fanned TCSA 10 Flame detector externally powered 4-20 mA inputs (Reuter-Stokes) TMR Fanned TCSA 6 Gas compressor speed probes (magnetic pickup and TTL option) ‡ Dual sensor 3-shaft or Triple sensor 2-shaft configurations ‡ TCSA 6 Gas compressor speed probes repetitions (individually shielded, RS-232/485 options) ‡ TCSA 3 Contact inputs, 24 V dc powered TMR Fanned TCSA 3 Solenoid out, 24 V dc or 125 V dc General purpose or optionally configured as Energize to Trip (ETR) outputs TMR Voted TCSA 6 Solenoid out, 24 V dc or 125 V dc Energize to Trip (ETR) outputs TMR Voted TCSA 2 Contact output, voted configuration TMR Voted TCSA 2 Potential transformers for line/gen synchronization TMR Fanned TCSA Description Redundancy Board 21 Charge Converter Signal Amplifier (CCSA) or PCB Piezotronics® charge amplifier, ±30 Vpk 21 Non-interfering buffered outputs Simplex or Fanned Dual Simplex or Fanned Dual YDAS I/O Functions Signal Qty. System Design TCDM TCDM GEH-6723W Functional Safety Manual 23 Public Information † YTUR TTUR † I/O PTUR I /O packs can be used with a Shared IONet system. IONet Primary Protection System TRPG or TRPA I/O -V dc Three Trip Solenoids Backup Synch Check Protection +V dc TCSA YSIL <T> WCSA I/O IONet < S> <R> Backup Protection System Serial Buses <T> SCSA I/O < S> SCSA I/O <R> I/O SCSA Turbine Protection with YSIL and YTUR or PTUR 24 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.1.3 IONet The controllers and I/O packs communicate through the internal IONet (a closed network), using a proprietary IONet protocol. IONet communications are as follows: • • I/O packs that multicast inputs to the controllers each frame Controllers that broadcast outputs to the I/O packs each frame 3.2 Safety-instrumented Functions (SIF) Mark VIeS SIF configurations are created and maintained in the ToolboxST application, along with the basic process control configurations. This environment provides all the facilities to create, download, and maintain these configurations. Mark VIeS Safety controllers have two operating modes that are used for application execution: Locked and Unlocked. When in Unlocked mode, full access to the controller is granted, including the ability to download code, set constants, force points, and all other configuration and diagnostic operations. When in Locked mode, all changes to the controller operation are prevented to ensure the integrity of the safety functions. Within the Mark VIeS Safety controller, branding is used to support Locked mode and integrity checks. When the controller is unlocked, and the operator is satisfied with system operation, the system configuration is branded so that it can be uniquely identified. Once branded, a diagnostic alarm is generated if there are any changes to application code, constants, hardware integrity, or network connectivity. The diagnostics based on branding include all communications through the IONet to provide 100% network diagnostic coverage (DC) independent of the network hardware selected. Note For further details, refer to the section Branding. The typical sequence of application creation includes: • • • • • Application development Hardware connection and configuration Function testing while unlocked Application branding (after being tested and proven) Placing the controller in Locked mode System Design GEH-6723W Functional Safety Manual 25 Public Information 3.2.1 Controller Application Code Changes to the application code must be completely verified and tested prior to use in a SIF. The Mark VIeS Safety control provides several features to facilitate changes and track the state of application code acceptance. The following table lists the function blocks approved for SIL3 use per IEC 61508-3 that are available for use in SIFs. Any block that is in the Mark VIeS Safety Controller Block Library (GEI-100691) but is not listed in the SIF Function Blocks table is not available for use in SIFs. Attention SIF Function Blocks Min Required Mark VIeS Firmware Version Function Block Description AND 16-input logical AND V01.00.15C BLACK_RX Allows the reception of an exchange of up to 32 variables from a dedicated black channel EGD page, send from another Mark VIeS Safety controller V05.03.00C BLACK_TX Allows the transmission of an exchange of up to 32 variables from a dedicated black channel EGD page to be received by another Mark VIeS Safety controller V05.03.00C BFILT Boolean filter with configurable pick-up and drop-out delays V01.00.15C CALC 8-input calculator that performs mathematical, trigonometric, and logarithmic functions V01.00.15C CAPTURE Collects multiple samples of 1 to 32 variables in a buffer that can be uploaded to ToolboxST or the Data Historian for display and analysis V05.02.00C Special task for the Mark VIeS Safety controller V05.03.00C Cause and Effect Matrix CLAMP Clamp between a minimum and maximum V06.01.00C _COMMENT Non-functional comment block with page break V04.03.06C _COMMENT_BF Non-functional comment block with page break V04.03.06C _COMMENT_NB Non-functional comment block without page break V04.03.06C COMBINE_SD Combines two 16-bit words into a single 32-bit integer V06.02.00C COMBINE_SLR Combines four 16-bit words into a single 64-bit double value V06.02.00C COMBINE_SR Combines two 16-bit words into a single 32-bit float V06.02.00C COMBINE_SSD Combines two 16-bit words into a single 32-bit integer V06.02.00C COMPARE Multi-function numeric comparator V01.00.15C COMPHYS Numeric comparator with hysteresis and sensitivity V01.00.15C COUNTER CTRLR_MON Re-triggerable up counter V01.00.15C Controller monitor V04.03.06C DEVICE_HB Drives the heartbeat signal on the YPRO V04.06.03C DUALSEL_S2 Selects the average, minimum, or maximum of two analog signals V06.01.00C EXPAND_UDI 32-input mapped bit expander V01.00.15C I_TO_WD Function generator supporting STEP, SQUARE, RAMP, TRIANGLE, and SINE Converts short to unsigned short INTERP_V2 Linear interpolator LATCH Set and reset latch FUNGEN 26 GEH-6723W V06.01.00C V06.02.00C V06.01.00C V01.00.15C GEH-6723 Mark VIeS Control Functional Safety Manual Public Information SIF Function Blocks (continued) Function Block Min Required Mark VIeS Firmware Version Description MEDIAN Allows up to 32 inputs to be configured with the AND, OR, and NOT blocks to create a PERMIT, OVERRIDE, FORCE, or TRACK type block 3-input median selector MEDSEL_S2 Selects the median or average of three analog signals V06.01.00C MOVE Memory mover; data type translator V01.00.15C NOT Logical inversion V01.00.15C LOGIC_BUILDER_SC V05.02.00C V01.00.15C OR Behaves as a switch with a delayed response, whether being turned on or off 16-input logical OR PREVOTE PULSE Prevote values and health Boolean one-shot with programmable width V04.03.06C V01.00.15C RUNG 16-input logic solver V01.00.15C SELECT SPLIT_DS 8-input selector V01.00.15C Splits a 32-bit integer into two unsigned 16-bit integers V06.02.00C SPLIT_LRS Splits a 64-bit double into four unsigned 16-bit words V06.02.00C SPLIT_RS Splits a 32-bit float into two unsigned 16-bit words V06.02.00C SPLIT_SDS Splits a signed 32-bit integer into two 16-bit words V06.02.00C SYS_OUTPUTS I/O system command output interface V01.00.15C TEMP_STATUS Temperature sensing V01.00.15C TIMER TIMER_V2 Re-triggerable up-count timer V01.00.15C Accumulates incremental time into CURTIME while RUN is True One frame delay line V05.01.00C Variable health status Variable simulation M-out-of-N voter Converts unsigned short to short V01.00.15C V06.02.00C V06.01.00C ON_OFF_DELAY UNIT_DELAY VAR_HEALTH VARSIM VOTE WD_TO_I 3.2.1.1 V05.01.00C V01.00.15C V01.00.15C V06.02.00C Variable Health Inside the Mark VIeS Safety controller, every variable is associated with a set of qualities that provide additional information, or support advanced features such as forcing, simulation, or alarms. Some of these qualities are visible to users through ToolboxST application, and others are made available to application code through blockware. Variable health measures the validity of the data stored in the variable. When the ToolboxST application collects variable data from the controller, it also scans the health information and displays a U (for Unhealthy) beside each live data value if the corresponding health quality is FALSE. The Variable Health block (VAR_HEALTH) allows application code to access variable health. The Prevote block (PREVOTE) allows application code to access prevote values and health. The health of a variable with no connection to I/O is always TRUE, and therefore uninteresting. Also, output health is always TRUE. The health of variables associated with I/O is calculated from point and link health. Point health originates from software close to the hardware. Link health is calculated by the controller. These two values are passed through a logical AND gate to form variable health. Each I/O server defines the non user-configurable point and group health. For example, the point health of an analog input may be declared unhealthy if its value exceeds some limit, and the point health of all inputs on an I/O pack may be declared unhealthy if a problem is detected in the signal acquisition hardware. It may not be practical for an I/O server to provide a health indication for each individual point and so this component of variable health is optional. System Design GEH-6723W Functional Safety Manual 27 Public Information In a Mark VIeS Safety control, I/O is typically distributed at the I/O packs or across another network such as the Unit Data Highway (UDH). As such, the controller provides link health by validating that all transport layer checks between the I/O server and the controller are met. These may include timely delivery, signature matching, and checksums. Redundant I/O features complicate the explanation of the variable health calculation. A TMR input module supplies three opinions of variable health to the controller. Since these inputs are voted, as long as two out of three are healthy, the resulting variable is also healthy. A dual input module (either simplex I/O pack, dual network; or dual I/O pack, single network) provides two opinions of variable health to the controller. Since the controller cannot vote two opinions, it uses link health to select one of the channels and incorporates only the selected channel's point and group information into the variable health calculation. If the link health on the selected channel ever becomes unhealthy, the controller immediately switches to the second channel. The VAR_HEALTH block reveals the variable health and the link health of the connected variable. Application developers can choose to monitor the health of individual variables or the health of the network (link) that supplies many variables, especially if the I/O on the other end of that network does not provide any additional health information. For TMR inputs, the link health pin provides a voted link health (that is, two out of three channels). For dual inputs, the link health pin provides the health of the selected channel. 28 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information The following ToolboxST screen displays a TMR YDIA with two faulted channels. Because of the faults, all points on the YDIA are marked as Unhealthy. The current value and health of variables connected to YDIA inputs are displayed. U indicates an unhealthy value . From the PreVote tab, the T channel is healthy but the R and S channels are not, due to loss of communication. Variable Health Example System Design GEH-6723W Functional Safety Manual 29 Public Information The following ToolboxST screen displays a VAR_HEALTH block. Both variables are connected to the faulted YDOA. Since the cause of the fault is communication, both the HEALTH1 and LINKOK1 output pins are False. Block outputs can be used to drive alarms or initiate protective actions. VAR_HEALTH Block Outputs 3.2.1.2 Variable Simulation Variable simulation is available in the Virtual Mark VIeS via the VARSIM block to simulate inputs not actively being driven from hardware. Variable simulation is not supported in the Mark VIeS Safety control. The VARSIM block may exist in the application code downloaded to the Mark VIeS Safety controller, but will act as a no op. 3.2.1.3 Temperature Monitor There are two application code blocks available for monitoring the safety controller’s temperature: TEMP_STATUS and CTRLR_MON. These controller application code blocks can be used to set alarms, actuate fans, or perform other actions appropriate for the specific environment in which the control cabinet is placed. 3.2.1.4 Disabling Transmitters The DUALSEL_S2 and MEDSEL_S2 application blocks support the disabling of transmitters both automatically and manually. When the quality status of transmitter A is BAD, transmitter A is automatically disabled. Once the quality status of transmitter A becomes GOOD and the value of input A is within the deviation limits set by the user, transmitter A is automatically enabled. This concept also applies to input B (and input C on MEDSEL_S2). The control word input (refer to the following Attention statement) is used by the HMI operator for manual control. The manual commands from the HMI allow each input to be enabled or disabled. A manually disabled transmitter can be manually enabled, regardless of its deviation status. If all input transmitters are enabled and have a GOOD quality status and A is manually disabled, then A is disabled. This concept also applies to input B (and input C on MEDSEL_S2). In the MEDSEL_S2 block, if one transmitter is already disabled for any reason, a second transmitter may be disabled if the block is configured to allow one transmitter operation. 30 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Attention Operation of the control word input in the Mark VIeS Safety control differs from that in other Mark VIe control products. In the Mark VIeS control, the variable attached to the control word input must be driven from a consumed EGD page. The EGD producer device driving the variable must implement the necessary push-button reset logic to clear the command after 1 second. Note Refer to the Mark VIeS Safety Controller Block Library (GEI-100691) for a full explanation of DUALSEL_S2 and MEDSEL_S2 block functionality. Commands are only accepted by the block if a transition from NO_CMD to a command value is detected while the CTL_ EXT input is healthy. After a command is accepted by the block, the CTL_EXT pin is ignored for a period of two seconds after which a valid transition from NO_CMD must be detected to accept another command. Example Configuration: An HMI faceplate is created to display data from the DUALSEL_S2 block from a Mark VIeS control. EGD signals are consumed by the HMI from the Mark VIeS control and are used to drive the faceplate. Unlike in the Mark VIe control, the control word variable from the Mark VIeS control is read-only and is used to show feedback status. The control word command is written to a separate EGD signal driven from a Mark VIe device. For example, after adding the DUALSEL_S2 block to the Mark VIeS control system and attaching the EGD signals to the faceplate, the following is required: In a Mark VIe device: • Create a control word variable (data type UINT). • Add the control word variable to a produced EGD page. • Add push-button reset logic in the blockware to reset the control word value to NO_CMD (0). The control word should be reset after one second of it being non-zero. In the HMI: • Attach the control word variable from the Mark VIe control to the control word logic in the appropriate DUALSEL_S2 faceplate. In the Mark VIeS device: • Attach the control word variable from the Mark VIe control to the CTL_EXT pin of the appropriate DUALSEL_S2 block. System Design GEH-6723W Functional Safety Manual 31 Public Information 3.2.2 Locked Mode The Mark VIeS Safety control provides a level of protection (LOP) against accidental modification of the safety software through Locked mode. In general, all functions or features that have the potential to modify the controller are disabled when in locked mode, for example: • • • • • • • • Variable and constant modification Variable forcing Application code download Firmware download Restart commands from ToolboxST application External file writes to flash memory Low-level diagnostic commands Time set commands The controller starts in Locked mode and remains there until an Unlock command is received from the ToolboxST application. When the controller receives a Lock command from the ToolboxST application or the controller is restarted, it returns to Locked mode. When the controller is unlocked, it generates a diagnostic alarm to log the event. The controller tracks its lock state through a configuration variable (for example, Is_Locked_R), viewable through the application code, so that appropriate control action can be taken or an external contact can be driven, if desired. ➢ To lock the controllers 1. From the Component Editor toolbar, click the key icon. The Lock / Unlock dialog box displays. 2. Click the Lock All button and the controllers status displays as Locked. 32 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.2.3 Unlocked Mode Warning While in Unlocked mode, the Mark VIeS is not inherently less safe than when in Locked mode, as SIF implementation is the same. However, when unlocked, the controller could become unsafe, as it is open to modifications that could lead to an unsafe condition. The Mark VIeS allows online application code changes in Unlocked mode. Take every precaution to ensure that any online change to application code does not cause an unintended error during the download. This is particularly relevant for dual network configurations in which separate I/O packs are driven by either redundant controller. The application code does not normally allow safety loops to be activated in Unlocked mode. To test a loop in Unlocked mode, the permissives preventing operation must be temporarily forced out. When online repair is required on an operating, redundant system, it is not necessary to unlock the control system to download software. Non-configured (factory fresh) I/O packs shipped with only Base load boot into Unlocked mode, allowing them to receive the initial software download. Once downloaded they have firmware that is in locked mode. The lock status of all the components can be determined by running a download scan. ➢ To unlock the Mark VIeS Safety controller 1. From the ToolboxST Component Editor toolbar, click the Lock/Unlock (key) icon. 2. From the Lock/Unlock dialog box, click the Unlock All button and the controllers status displays as Unlocked. The Locked state of each controller is displayed at the bottom of the Status tab. If a controller is unlocked and its branded application changed through download, then a diagnostic alarm is generated to announce that the branded application is no longer running. This diagnostic alarm cannot be cleared until the new application is branded. 3.2.4 Forced Variables The controller cannot be locked if any variables are currently forced. All forces must be cleared before issuing a lock command from the ToolboxST application. Forces are not maintained during a startup cycle, so restarting the controller is one method of clearing forces and putting the controller back into the Locked mode. 3.2.5 Online Repair When online repair is required on an operating, redundant system, it is not necessary to unlock the control system to download software. Non-configured I/O packs and controllers boot into Unlocked mode, allowing them to receive the initial software download. The lock status of all the components can be determined by running a download scan. System Design GEH-6723W Functional Safety Manual 33 Public Information 3.2.6 Branding Application code and configuration that is part of a SIF must be certified per IEC 61511 prior to use. To facilitate this activity, the controller allows the user to designate a particular set of code as acceptable for its intended purpose. In the ToolboxST application, this process is called branding. Branding is also required after upgrades from BPPB to BPPC-based Safety I/O packs. When the code is branded, the controller calculates a checksum of all application code and configuration information, and retains it in nonvolatile memory. Whenever the application code or I/O pack configuration is modified, the controller detects the difference and generates a diagnostic alarm. Similarly, until the application code has been initially branded, a diagnostic alarm will be active noting the fact. The current cyclic redundancy check (CRC) values are displayed by the ToolboxST application and available to the application code (such as CurrentAppCrc_R). If any I/O pack faults or is turned off, the controllers interpret this as a CRC difference and the diagnostic alarm is generated. A yellow Not Equal indicates that changes to the application code have not yet been downloaded to the controller . A green brand indicated that a controller is executing branded application code . Matching brands between redundant controllers show that all controllers are running the same application code . Before Download 34 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information After download but before branding, the following Status displays. A yellow brand indicates that the application currently running in the controller does not match the previous brand and needs to be certified and branded prior to use in a SIF. Note To download an application code change , the controllers must be unlocked. System Design GEH-6723W Functional Safety Manual 35 Public Information ➢ To brand the controller’s application and configuration: from the ToolboxST Component Editor toolbar, click the Brand icon. After branding, the text turns green and all three controllers match. The controllers are also locked to prevent further changes. Branded and Locked 3.2.7 Startup Shutdown Process The safety control system can shut down either by manual operator action or automatically as a result of certain detected fault conditions. A number of protective features are included in the Mark VIeS Safety control to ensure that a SIF is not compromised by inadvertent modifications made to the system. These features include an operating Locked mode, which prevents unwanted changes, and application code branding, which detects configuration changes. 3.2.7.1 Manual Shutdown A manual shutdown occurs when the controller power supply is manually turned off. When power is reapplied, the controller proceeds through control startup states that are designed to synchronize its application states with the other redundant controllers. Forced values are not retained through a power down cycle. If forced values exist and only one controller of a redundant set is restarted, forcing will be restored and the restarted controller will obtain those forced values from the designated controller during the Data Initialization control state. The restarted controller enters the same locked state as the designated controller. 36 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.2.7.2 Fault Detected Shutdown When fault conditions are detected, the Mark VIeS controller either restarts or enters a fail-safe control state, depending on the type of fault condition. In the event of a processor restart, the I/O packs are programmed to operate in their fail-safe state. The controller restarts on three conditions: • • • Software watchdog timeout Hardware watchdog timeout Operating system process control failure The watchdog timer functions are generally meant to ensure safe controller operation in conditions where one or more runtime processes are overloaded. Each periodic safety-critical process initializes and then continually tickles one or more software watchdog timers, which are implemented by the system firmware process and configured with expected tickle rates. If a watchdog timer is tickled too quickly, too slowly, or not at all, the system process restarts the controller. When using a hardware watchdog timer, a backup watchdog process is also implemented. If this process fails to tickle the hardware watchdog timer quickly enough, the board restarts. In addition to watchdog timeouts, a process control failure in the operating system can cause an automatic restart. If any runtime process, other than the system process, fails to run due to a problem, the operating system prompts the system process to restart the controller. If the system process fails, the hardware watchdog process detects the failure of the software watchdog function and forces a restart by not tickling the hardware watchdog timer. A different set of fault conditions cause the controller to enter its fail-safe control state, instead of restarting the controller. In this state, the controller outputs to the I/O packs are disabled, forcing the I/O packs, in turn, to enter their fail-safe state. In this state, I/O packs drive their physical outputs to safe values as configured. In the controller, the sequencer process continuously conducts the following program flow integrity malfunction tests: • • • • • Critical process order of execution Critical process scheduling overrun and under-run Frame period Frame state timeout intervals Frame number If any of these tests fail three consecutive times (generally three frames), appropriate diagnostic alarms are generated. After five successive failures, the system is placed in the fail-safe control state. System Design GEH-6723W Functional Safety Manual 37 Public Information 3.3 Online SIFs The Mark VIeS control components used by the online SIFs and their interconnections in TMR architecture are displayed in the following figure. TMR Safety Controllers YDIA Discrete Inputs IONet Layer R IONet S IONet R IONet YDOA Discrete Outputs YAIC Analog I/O YTCC Thermocouple Inputs Controller and I/O – TMR Control Mode The figure also illustrates the top-level architecture for SIL 3 capability, using a TMR, 2 out of 3, safety architecture. This deployment architecture is referred to in Mark VIeS documentation as the TMR Control Mode. 38 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.4 Redundancy The Mark VIeS Safety control can be set up in various traditional safety architectures that allow selections among SIL capability, availability, and cost to better serve the specific needs of an application. TMR, dual, and simplex control modes are supported. The controllers are designated as R, S, and T in a TMR system, R and S in a dual system, and R in a simplex system. Each controller owns one IONet. The R controller sends outputs to an I/O module through the R IONet, the S controller sends outputs through the S IONet, and the T controller sends outputs through the T IONet. IONet features include: • • • • Ethernet User Datagram Protocol (UDP) using Dynamic Host Configuration Protocol (DHCP) for network address assignments. While based on Ethernet hardware and protocol standards, the IONet is maintained as a separate physical network to avoid risks of interference from other network traffic. Full duplex Ethernet switches throughout, so no message collisions impact system timing IEEE® 1588 protocol through the R, S, and T IONets to synchronize the clock of the I/O modules and controllers to within ±100 microseconds Coordination of IONet traffic and controller action to ensure minimum predictable latency for inputs (given IEEE 1588 timing alignment). Controller outputs take place at the same time and all output I/O packs exhibit consistent latency in processing and updating the outputs. 3.4.1 TMR Control Mode In the TMR control mode, three independent controllers communicate with the I/O through three independent IONet channels. The TMR control mode with a hardware fault tolerance (HFT) of 1 is designed for SIL 3 capability with the running reliability of 2 out of 3 redundancy. Each independent controller receives three independent sets of input data, one from each IONet for 2 out of 3 input voting. Controller outputs are 2 out of 3 voted in the output circuitry. TMR control mode functions are as follows: • • • • • TMR (2 out of 3): SIL 3 high and low demand for de-energize-to-trip applications TMR (2 out of 3): SIL 2 low demand for energize-to-trip applications TMR (2 out of 3): SIL 2 high and low demand vibration (YVIBS1A) applications Degraded TMR (1 out of 2): SIL 3 high and low demand for de-energize-to-trip applications TMR degradation sequence: (2 out of 3) → (1 out of 2) → Fail Safe System Design GEH-6723W Functional Safety Manual 39 Public Information TMR Controllers Three Mark VIeS controllers work as a set synchronizing data every frame (sweep). Each controller receives inputs on all 3 I/O networks, and sends output commands on designated I/O network. PC Based Gateway PC based communication interface, options : - OPC-DA server - OPC-UA server - Modbus master Third Party Control System R S T Embedded Controller Gateway Embedded controller for communication interface, options: - OPC-UA server - Modbus slave TMR I/O Network Ethernet based TMR I/O network supports both centralized and distributed I/O modules. Sensor A TMR Fanned Input Single discrete/ analog sensor is fanned through a common terminal board to three independent input packs, 2oo 3 voting is done in the controller set. Sensor A1 Sensor A2 Sensor A3 TMR Dedicated Input Three redundant discrete/analog sensors are wired to three independent input modules, 2oo3 voting is done in the controller set. Actuator TMR Outputs Voted on Terminal Board The three packs receive output commands from their associated controller, the common terminal board then performs 2oo3 voting on the outputs and controls the discrete actuator. 2oo3 Voting in Actuator TMR Outputs Voted in Actuator Three independent output modules receive the output command from their associated controller, then command the actuator, 2 oo3 voting performed in the actuator. When TMR controllers are present in a system, dual and simplex inputs and simplex outputs, in addition to TMR I/O pack, can be used. This allows for a mix of redundancy within a single system. Some I/O packs can be TMR to support SIL 3 for critical safety functions, while other I/O packs can use less hardware and support a lower SIL for less critical functions. 40 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information TMR redundancy for I/O packs can be either dedicated (each mounted to individual S-type terminal boards) or TMR fanned (each mounted to a single T-type terminal board). With TMR, each I/O pack for field input and output is uniquely associated with only one IONet. With TMR fanned I/O, each input point is read by three independent I/O packs that receive the actual field input through a common terminal board that fans the input to each of the three I/O packs. Each I/O pack receives output messages from its own controller. The three independent I/O pack outputs are then 2 out of 3 hardware voted on a common terminal board. TMR Fanned Mode with Three I/O Packs and One T-type Terminal Board With TMR dedicated, the outputs or inputs for each I/O pack can be connected to an independent terminal board, allowing the 2 out of 3 voting to be performed in the field output devices outside the Mark VIeS control. Dedicated Mode with Three I/O Packs and three S-type Terminal Boards System Design GEH-6723W Functional Safety Manual 41 Public Information 3.4.2 Dual Control Mode The dual control mode contains two controllers, two IONets, and either a single I/O pack or fanned TMR I/O packs. In a dual system, the level of I/O reliability can be varied to meet the application needs for specific I/O packs. Dual control mode functions are as follows: • • • • Dual (1 out of 2): SIL 3 high and low demand for de-energize-to-trip applications. Dual (1 out of 2): SIL 2 high and low demand vibration (YVIBS1A) applications Dual (2 out of 2): SIL 2 low demand for energize and de-energize-to-trip applications Dual (2 out of 2): SIL 1 low demand vibration (YVIBS1A) applications Dual Controllers Dual Mark VIeS controllers work as a controller set synchronizing data every frame (sweep). Each controller receives inputs on both I/O networks, and sends output commands on designated I/O network. PC Based Gateway PC based communication interface, options: - OPC-DA server - OPC-UA server - Modbus master Third Party Control System R S Dual I/O Network Ethernet based dual I/O network supports both centralized and distributed I/O modules. Sensor A Single Sensor Single sensor wired to a single input module with dual I/O network to controller set. Sensor A1 Sensor A2 Dual Sensor Dual sensors wired to independent input modules with independent I/O networks to controller set. Embedded Controller Gateway Embedded controller for communication interface, options: - OPC-UA server - Modbus slave Sensor A TMR Fanned Input Single sensor is fanned through a common terminal board to three independent input packs, 2oo 3 voting done in the controller set. Actuator TMR Outputs Voted on Terminal Board The three output packs receive an output command from designated controller, the common terminal board then performs 2oo 3 voting and controls the actuator. Acutator 1oo2 De-energize to Trip in Output Modules Two independent output modules receive the output command from designated controller, combination of two creates 1 oo2 de energize to trip function across the two modules. In a dual Mark VIeS Safety control, both controllers receive inputs from the I/O packs on both networks and continuously transmit outputs on their respective IONet. Since redundant data is transmitted continuously from the I/O pack and controller, both the pack and controller must select which network to use. 42 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information At power up, the controller or I/O pack listens for data on both networks. The channel that delivers the first valid packet becomes the preferred network. The I/O pack or controller uses this data as long as the data continues to arrive on that channel. If the preferred channel does not deliver the data in a frame, the other channel becomes the preferred channel if it supplies valid data. This prevents a given I/O pack/controller from bouncing back and forth between two sources of data. As a result, different I/O packs/controllers may have separate preferred data sources, but this can also happen if a component fails. 3.4.2.1 Single I/O Pack Dual Network I/O Module The I/O option A is a single I/O pack dual network I/O module setup. This configuration is typically used for single sensor I/O. A single sensor connects to a single set of acquisition electronics but connects to two networks. Dual Mode with One I/O Pack and Two IONets The I/O pack delivers input data on both networks at the beginning of the frame and receives output data from both controllers at the end of the frame. The reliability and availability features include: • • • HFT 0 Single data acquisition Redundant network 3.4.2.2 Dual Single I/O Pack Single Network I/O Module The I/O option B is two single pack, single network I/O modules. This configuration is typically used for inputs that have multiple sensors monitoring the same process points. Two sensors are connected to two independent I/O modules. Dual Mode with Two Single Pack, Single IONet Modules Each I/O pack delivers input data on a separate network at the beginning of the frame and receives output data from separate controllers at the end of the frame. The reliability and availability features include: • • • • • HFT 1 Redundant sensors Redundant data acquisition Redundant network Online repair System Design GEH-6723W Functional Safety Manual 43 Public Information 3.4.2.3 Triple I/O Pack Dual Network I/O Module The I/O option C is a special case mainly intended for outputs but can also apply to inputs. The special output voting/driving features of the TMR I/O modules can be used in a dual control system. The inputs from these modules are selected in the controller. Dual Mode with Three I/O Packs and Two Simplex and One Duplex IONet Two I/O packs connect to separate networks to deliver input data and receive output data from separate controllers. The third I/O pack is connected to both networks. This I/O pack delivers inputs on both networks and receives outputs from both controllers. The reliability and availability features include: • • • • • HFT 1 Redundant data acquisition Output voting in hardware Redundant network Online repair 3.4.2.4 Dual Single I/O Pack Single Network I/O Module on Common TB The I/O option D is two single pack, single network I/O modules on a single terminal board. This configuration is typically used for single sensor I/O where redundant signal processing capability is required. One set of sensor inputs is fanned out to two independent I/O modules. Dual Mode with Two Single Pack, Single IONet Modules on Common TB Each I/O pack delivers pack delivers input data on a separate network at the beginning of the frame and receives output data from separate controllers at the end of the frame. The reliability and availability features include: • • • • HFT 1 Redundant data acquisition Redundant network Online repair 44 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.4.3 Simplex Control Mode, 1 out of 1 Simplex (1 out of 1) control mode is SIL 2 low demand capable for de-energize-to-trip and SIL 1 for vibration applications. Each I/O pack delivers an input packet at the beginning of the frame on its primary network. The controller sees the inputs from all I/O packs, runs application code, and delivers a broadcast output packet(s) that contains the outputs for all I/O modules. PC Based Gateway PC based communication interface, options: - OPC-DA server - OPC-UA server - Modbus master Simplex Controller Simplex Mark VIeS controller receives inputs and sends outputs on the one I/O network. Third Party Control System R I/O Network Ethernet based I/O network supports both centralized and distributed I/O modules. Sensor A Single Sensor Single sensor wired to a single input module with a simplex I/ O network to controller. Embedded Controller Gateway Embedded controller for communication interface, options: - OPC-UA server - Modbus slave Sensor A1 Sensor A2 Dual Sensor Dual sensors wired to independent input modules with a simplex I/O network to controller. System Design Actuator Simplex Output One output pack receives an output command from the controller. GEH-6723W Functional Safety Manual 45 Public Information 3.5 Control and Protection 3.5.1 Output Processing The system outputs must be transferred to the external hardware interfaces and then to the various actuators controlling the process. TMR outputs are voted in the output voting hardware, and any system can also output individual signals through simplex hardware. The three voting controllers calculate TMR system outputs independently. Each controller sends the output to its associated I/O hardware (for example, R controller sends to R IONet). A voting mechanism then combines the three independent outputs into a single output. Different signal types require different methods of establishing the voted value. The signal outputs from the three controllers fall into three groups: • • • Outputs driven as single-ended non-redundant outputs from individual IONets Outputs on all three IONets that are merged into a single signal by the output hardware Outputs on all three IONets that are output separately to the controlled process. This process may contain external voting hardware. For normal relay outputs, the three signals feed a voting relay driver, which operates a single relay per signal. For more critical protective signals, the three signals drive three independent relays with the relay contacts connected in the typical six-contact voting configuration. Relay Outputs for Protection 46 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information The following figure displays 4-20 mA signals combined through a 2 out of 3 current sharing circuit that votes the three signals to one. This unique circuit ensures the total output current is the voted value of the three currents. When the failure of a 4-20 mA output is sensed, a deactivating relay contact is opened. TMR Circuit for Voted 4-20 mA Outputs 3.5.1.1 I/O Pack Communication Loss Each I/O pack monitors the IONet for valid commands from one or two controllers. If a valid command is not received within an expected time, the I/O pack declares communication as lost. Upon loss of communication, the I/O pack action is configurable as follows: • • • The default action is the power-down state, as if the power were removed from the I/O pack Continue to hold the last commanded value indefinitely Commanded to go to a specified output state Caution For critical loops, the default action is the only acceptable choice because it is the assigned behavior for I/O pack failure on power loss failure. The other options are provided for non-critical loops in which running reliability may be enhanced by an alternate output. System Design GEH-6723W Functional Safety Manual 47 Public Information 3.5.2 Input Processing All inputs are available to all three controllers and input data is handled in several ways. For those input signals that exist in only one I/O module, all three controllers use the same value as a common input without voting. Signals that appear in all three I/O channels are voted to create a single input value. The triple inputs can come from independent sensors or from a single sensor by hardware fanning at the terminal board. I/O Configurations I/O Topology TMR Dual Simplex Simplex 1 pack, 1 IONet‡ X X X Dual 1 pack, 2 IONets 2 packs, 1 IONet 3 packs, 1/1/2 IONet X X N/A X X X TMR Fanned – 3 packs, 1 IONet/pack Dedicated – 3 packs, IONet/pack X X ‡ The number of IONets in a system must equal the number of controllers. For any of the input configurations, multiple inputs can be used to provide application redundancy. For example, three simplex inputs can be used and selected in application code to provide sensor redundancy. The Mark VIeS control provides configuration capability for input selection and voting using a simple, reliable, and efficient selection/voting/fault detection algorithm. This reduces application configuration effort, maximizing the reliability options of a given set of inputs and providing output voting hardware compatibility. For a given controller topology, terminal board redundancy ≤ the controller topology is available. For example, in a TMR controller, all simplex and dual option capability is also provided. While each IONet is associated with a specific controller, all controllers see all IONets. The result is that for a simplex input, the data is seen not only by the output owner of the IONet, but also by any other controllers in parallel. The benefit is that the loss of a controller associated with a simplex input does NOT result in the loss of that data. The simplex data continues to arrive at other controllers in the system. A single input can be brought to the three controllers without any voting as indicated in the following figure. This is used for generic I/O, such as monitoring 4-20 mA inputs, contacts, and thermocouples. Single Input without Software Voting 48 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information For medium integrity applications with medium to high reliability sensors, one sensor can be fanned to three I/O boards as shown in the following figure. Three such circuits are needed for three sensors. Typical inputs include 4-20 mA inputs, contacts, and thermocouples. One Sensor with Fanned Input and Software Voting Three independent sensor inputs can be brought into the controllers without voting to provide the individual sensor values to the application. Median values can be selected in the controller if required. This configuration, displayed in the following figure, is used for special applications only. Three Independent Sensors with Common Input, Not Voted 3.6 Critical System Timing Parameters Critical System Timing Parameters control is a discrete time, sampled system. The fundamental frame rate or scan period of the controller is selectable by the user (10 ms, 40 ms, 80 ms, or 160 ms) and should be related to the required process safety time for the fastest SIF in the system. The following figure provides a typical sequence of events within the scan frame (40 ms is shown in this example). System Design GEH-6723W Functional Safety Manual 49 Public Information 50 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 0 10 control blocks 20 Time to execute based on quantity and complexity of Control Logic prep for execution of control logic (application code) Input and state variables copied into variable space in packs Activities that span multiple subsystems identified with a dashed line rectangle Subsystem activities identified with a gray rectangle 30 controllers packs to S, and T controllers using IONet controllers to I/O Transmission of inputs from I/O circuit type dependent on circuit type End of frame Synchronization of data between R, latency is dependent on screws, latency is outputs from Transmission of I/O packs sample inputs, applied to terminal block Assumes a Triple Modular Redundant (TMR) configuration, versus dual, or simplex Notes TMR set of Safety Controllers TMR IONet TMR Safety I/O Packs Safety Control SubSystem Start of frame Fresh state of outputs 40 ms 3.6.1 Maximum Remote I/O Stimulus to Response Time The Mark VIeS Safety control and I/O has a worst case response time of < 300 ms. It is suitable for use in a SIF with a process safety time (PST) of 500 ms or higher and does not consume more than 60% of this budget. The individual components of the timing analysis are as follows: • • • • • • • • If input changes directly after last input sample, the worst case delay on the sample is one frame period (10, 40, 80 or 160 ms) Input sample to transmit over IONet is < 5 ms Controller receives inputs, runs programs, and sends outputs in < one frame period (10, 40, 80 or 160 ms) Output receives updated outputs and sets physical outputs in < 5 ms Physical output relays have a worst case 40 ms response. Total worst case time without any lost IONet communication is 2 x frame period + 50 ms (for input or output transfer). Worst case additional communication delay due to lost message without timeout is 3 x frame period up and 1 x frame period down, or 4 x frame period total. Total worse case response without timeout† (including lost IONet communications) is 6 x frame period + 50 ms. − − − − Assumes a frame period of either 10, 40, 80 or 160 ms Assumes maximum number of messages missed in both directions Assumes initial stimulus slightly missed previous input sample time Assumes common cause across IONets Note † Timing assumes use of fastest input I/O pack filter settings. This is the sum of total worst case time without any lost IONet communication and worst case additional communications delay due to lost message without timeout. System Design GEH-6723W Functional Safety Manual 51 Public Information Maximum Local I/O Stimulus to Response Time The Mark VIeS Safety control turbine-specific I/O can supply high-speed I/O for turbine protection functions with a worst case response time of < 60 ms. It is suitable for use in a SIF with a PST of 100 ms or higher, and does not consume more than 60% of the budget. The individual components of the timing analysis are as follows: • • • • • • • Local I/O timing is independent of redundancy architecture Local I/O operates at 10 ms frame rate If input changes directly after last input sample, the worst case delay on the sample is 10 ms Input change to be seen by I/O processor board is < 5 ms Local control algorithm receives inputs, runs user programs, and sends outputs in 10 ms Physical output relays have a worst case 40 ms response Total worst case time 55 ms (for input or output transfer) Note If TRPA or TREA with solid-state relays are used, relay response is < 1 ms. This reduces local response time to < 20 ms. 3.6.2 Diagnostic Interval All system self-diagnostics are conducted within a one-hour interval. 52 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.6.3 Mark VIeS Safety Controller Response to Loss of Communication 3.6.3.1 Single Network I/O Pack Input When communication between a controller and a one-network I/O pack fails, in the first frame the signal health is declared bad and the input variable is maintained at the last value received. During the third frame an alarm is generated. During the fifth frame the signal value is set to the default value. Single Network I/O Pack Input Response to Loss of Input Input Variables Frame 1 Health Unhealthy Alarm Values Hold last 3.6.3.2 Frame 2 Frame 3 Frame 4 Frame 5 Send Default Dual Network or Dual One-Network I/O Pack Input Upon failure of IONet communication with a single input, dual network I/O pack or a dual input, one-network I/O pack, the controller responds as follows. During the first frame after loss, the controller declares the buffer health bad, drives the input variable by the remaining valid network input, and holds the signal as healthy. During the third frame, an alarm is generated and, during the fifth frame, the input buffer value is set to the default value. Dual Network I/O Pack Input Response to Loss of First Input Input Buffer Frame 1 Health Unhealthy Alarm Values Input Variables Hold last Health Healthy Values 2nd input Frame 2 Frame 3 Frame 4 Frame 5 Send Default When the second input is lost, the input variable health immediately goes bad and the value is held at the most recent value received. In the third frame, an alarm is generated. During the fifth frame, the input variable is set to the default value. Dual Network I/O Pack Input Response to Loss of Second Input Input Buffer Frame 1 Health Unhealthy Alarm Values Input Variables Hold last Health Unhealthy Values Hold last Frame 2 Frame 3 Frame 4 Frame 5 Send Default Default System Design GEH-6723W Functional Safety Manual 53 Public Information 3.6.3.3 Triple Redundant I/O Pack Input The controller response to the loss of triple redundant input signals depends on the number of lost inputs. Upon loss of the first input signal, the prevote buffer for the lost signal is identified as unhealthy, held at the previous value for one frame, and set to the default value during successive frames. During the third frame, an alarm is generated, the input variable health remains good (HFT of 1), and the voted variable remains valid. Controller Response to Loss of First Input Prevote Buffer Frame 1 Health Unhealthy Alarm Values Input Variables Hold last Health Healthy Values Voted Frame 2 Frame 3 Frame 4 Frame 5 Send Default Upon loss of the second input, the input variable health is immediately set to Unhealthy and, for one frame, the prevote buffer is held at the most recent value. During the second frame, the input variable value is set to the default value. An alarm is generated during the third frame. Controller Response to Loss of Second Input Prevote Buffer Frame 1 Health Unhealthy Alarm Values Input Variables Hold last Health Unhealthy Values Voted Frame 2 Frame 3 Frame 4 Frame 5 Send Default Default (from vote) Upon loss of the third input, the input variable health is immediately set to Unhealthy and, for one frame, the prevote buffer is held at the most recent value. During the first frame, the input variable value is set to the default value. An alarm is generated during the third frame. Controller Response to Loss of Third Input Prevote Buffer Frame 1 Health Unhealthy Alarm Values Input Variables Hold last Health Unhealthy Frame 2 Frame 3 Frame 4 Frame 5 Send Default Values Default (from vote) 54 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information GEH-6723W 3.6.4 I/O Pack Response to Loss of Communication 3.6.4.1 Single Network I/O Pack Output When an output pack does not receive communications from the controller, it holds the last value for one frame, goes to the defined condition in the second frame, and generates an alarm in the third frame. The defined output condition defaults to the power-down state and should be used in most safety systems. Options are provided so that the I/O pack continues to hold the most recent output or goes to a pre-defined output. Single Network I/O Pack Output Response to Loss of Input Outputs Frame 1 Health Healthy Unhealthy Hold last Send Standby Alarm Values 3.6.4.2 Frame 2 Frame 3 Dual Network I/O Pack Output When an output pack features two network inputs it responds to the loss of one network by using the output command from the other network. This selection takes place within the frame time and generates no observable fall-over time from the I/O pack. The command from the lost network is held for one frame and declared unhealthy in the second frame. An alarm is sent in the third frame. Loss of First Input, Dual Network I/O Pack Output Response Input Buffer Frame 1 Health Healthy Unhealthy Alarm Values Outputs Hold last Send Zero Health Healthy Values 2nd input Frame 2 Frame 3 When the second network is lost (both networks lost), the behavior is similar to the single network input pack. The output is held for the first frame after loss of command. In the second frame, the output moves to the defined condition and the output health is marked as bad. An alarm is generated in the third frame. Loss of Second Input, Dual Network I/O Pack Output Response Input Buffer Frame 1 Health Healthy Unhealthy Alarm Values Outputs Hold last Send Zero Health Healthy Unhealthy Values Hold last Standby System Design Frame 2 Frame 3 GEH-6723W Functional Safety Manual 55 Public Information 3.7 Failure Analysis Probability Reliability parameters for a given SIF are calculated using Markov models and the appropriate failure rates from the Mark VIeS failure modes, effects, and diagnostic analysis (FMEDA). For low-demand mode applications the PFDavg is calculated, while for high demand mode applications the PFH is calculated. In addition, the mean time to fail spurious (MTTFS) is calculated for both modes. For the default Markov model calculation, the analysis assumes a SIF with three analog input, two digital input, and two digital output signals. The following table displays the results of the Markov model calculation for several Mark VIeS control configurations in low-demand mode applications. A proof test interval (PTI) of one, two, and three years is used, assuming a perfect proof test. Markov Model Calculation for Several Mark VIeS Control Configurations Configuration MTTFS [yrs] PFDavg PTI 1 yr PTI 2 yr PTI 3 yr PTI 1 yr PTI 2 yr PTI 3 yr Simplex 1 out of 1 0.00412 0.0082 0.0123 20.3 20.39 20.47 Dual 1 out of 2 Dual 2 out of 2 TMR 2 out of 3 0.000126 0.00348 0.000147 0.000272 0.0069 0.000354 0.000438 0.0103 0.000616 10.27 15.79 300.63 10.29 15.77 193.09 10.31 15.75 145.12 The following table displays the results of the Markov model calculation for two Mark VIeS Safety control configurations in high-demand mode applications. Markov Model Calculation for Two Mark VIeS Control Configurations Configuration PFH [hr-1] MTTFS [yrs] Dual 1 out of 2 TMR 2 out of 3 0.0000000644 0.0000000367 4.74 139.02 56 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8 System Configuration Prior to use, each I/O pack must be configured in the ToolboxST application. From the Component Editor Hardware tab Tree View, Double -click the module to access the Modify dialog box . Note When configuring I/O packs, be sure that the I/O pack configuration matches the hardware configuration of the attached terminal board. Refer to the chapter, I/O Configuration for detailed hardware and software configuration tables and checklists for Mark VIeS I/O packs and terminal boards. Use the checklists to cross-check the board configuration with the hardware topology. System Design GEH-6723W Functional Safety Manual 57 Public Information 3.8.1 YAIC Analog Input/Output The Analog Input/Output (YAICS1A) pack provides the electrical interface between one or two IONets and a terminal board. The pack handles up to 10 analog inputs, the first 8 of which can be configured as ±5 V or ±10 V inputs, or 4-20 mA current inputs. The last two inputs can be configured as ±1 mA or 4-20 mA inputs. Using 4-20 mA inputs yields better DC than voltage inputs. YAIC is compatible with the TBAIS1C and STAI terminal boards. YAIC is only compatible with the S1C version of TBAI and will report a board compatibility problem with any other version. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) 3.8.1.1 TBAI Analog Input/Output The Analog Input/Output (TBAI) terminal board holds 10 analog inputs and 2 outputs connected directly to two terminal blocks mounted on the board. Each block has 24 terminals that accept up to #12 AWG wires. A shield terminal attachment point is located adjacent to each terminal block. The TBAI can hold the following inputs and outputs: • • • • Analog input -two-wire, three-wire, and four-wire transmitter Analog input, externally powered transmitter Analog input, voltage ±5 V, ±10 V dc Analog output, 0-20 mA A 24 V dc power supply is available on the terminal board for all transducers. The inputs can be configured as either voltage or current signals. The two analog output circuits are 4-20 mA. TBAI can be used with one or three YAIC I/O packs. Dual YAICs on TBAI are not supported. TBAI I/O Capacity Quantity Analog Input Types 8 ±10 V dc, or ±5 V dc, or 4-20 mA 2 4-20 mA, or ±1 mA Quantity Analog Output Types 2 0-20 mA 3.8.1.2 STAI Simplex Analog Input The Simplex Analog Input (STAI) terminal board holds 10 analog inputs and 2 analog outputs connected to a high-density Euro-block type terminal block. STAI is designed for DIN-rail or flat mounting. It can hold the same inputs and outputs as the TBAI terminal board. A 24 V dc power supply is available on the terminal board for all transducers. The inputs can be configured as either voltage or current signals. The two analog output circuits are 0-20 mA. STAI Input Capacity Quantity Analog Input Types 8 ±10 V dc, or ±5 V dc, or 4-20 mA 2 4-20 mA, or ±1 mA Quantity Analog Output Types 2 0-20 mA 58 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.2 YDIA Discrete Input The Discrete Input (YDIAS1A) pack provides the electrical interface between one or two IONets and a terminal board. The I/O pack accepts up to 24 contact inputs and terminal board specific feedback signals, and supports three different voltage levels. YDIA is compatible with seven terminal boards. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) 3.8.2.1 TBCI Contact Input with Group Isolation The Contact Input with Group Isolation (TBCI) terminal board accepts 24 dry contact inputs wired to two barrier type terminal blocks. Dc power is provided for contact excitation. TBCI accepts one, two, or three YDIA packs. Three versions of TBCI are available. TBCI Input Capacity Terminal Board Contact Inputs Excitation Voltage TBCIS1C 24 Nominal 125 V dc, floating, ranging from 100 to 145 V dc TBCIS2C 24 Nominal 24 V dc, floating, ranging from 16 to 32 V dc TBCIS3C 24 Nominal 48 V dc, floating, ranging from 32 to 64 V dc 3.8.2.2 STCI Simplex Contact Input The Simplex Contact Input (STCI) terminal board accepts 24 contact inputs wired to a Euro-block type terminal block. The STCI is designed for DIN-rail or flat mounting and accepts a single YDIA. Four versions of STCI are available. STCI Input Capacity Terminal Board Contact Inputs TB Type Excitation Voltage STCIS1A 24 Fixed Nominal 24 V dc, floating, ranging from 16 to 32 V dc STCIS2A 24 Pluggable Nominal 24 V dc, floating, ranging from 16 to 32 V dc STCIS4A 24 Pluggable Nominal 48 V dc, floating, ranging from 32 to 64 V dc STCIS6A 24 Pluggable Nominal 125 V dc, floating, ranging from 100 to 145 V dc System Design GEH-6723W Functional Safety Manual 59 Public Information 3.8.3 YDOA Discrete Output The Discrete Output (YDOAS1A) pack provides the electrical interface between one or two IONets and a terminal board. YDOA is capable of controlling up to 12 electromagnetic or solid-state relays and accepts terminal board specific feedback. YDOA is compatible with six terminal boards. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) 3.8.3.1 TRLYS1B Relay Output with Coil Sensing The Relay Output with coil sensing (TRLYS1B) terminal board accepts 12 relay outputs wired directly to two barrier type terminal blocks. Each block has 24 terminals that accept up to #12 AWG wires. The first six relay circuits are jumper configurable either for dry, Form-C contact outputs, or to drive external solenoids. A standard 125 V dc or 115/230 V ac source, or an optional 24 V dc source, can be provided for field solenoid power. The next five relays are unpowered isolated Form-C contacts. Output 12 is an isolated Form-C contact, used for special applications requiring dedicated power from connector JG1. TRLYS1B supports a single YDOA on connector JA1, or three YDOAs on connectors JR1, JS1, and JT1. The fuses should be removed for isolated contact applications to ensure that suppression leakage is removed from the power bus. Note Jumpers JP1-JP6 are removed in the factory and shipped in a plastic bag. Re-install the appropriate jumper if power to a field solenoid is required. Conduct individual loop energized checks as per standard practices, and install the jumpers as required. 3.8.3.2 TRLYS1D Relay Output with Servo Sensing The Relay Output with servo sensing (TRLYS1D) terminal board holds six plug-in magnetic relays wired to a barrier type terminal block. The six relay circuits are Form-C contact outputs, powered and fused to drive external solenoids. A standard 24 V dc or 125 V dc source can be used. TRLYS1D supports a single YDOA on connector JA1, or three YDOAs on connectors JR1, JS1, and JT1. 3.8.3.3 TRLYS#F Relay Output with TMR Contact Voting The Relay Output with TMR contact voting (TRLYS1F) terminal board provides 12 contact-voted relay outputs. TRLYS1F holds 12 sealed relays in each TMR section, for a total of 36 relays among three boards. The relay contacts from R, S, and T are combined to form a voted Form A normally open (NO) contact. 24/125 V dc or 115 V ac power can be applied. Three YDOA packs plug into the JR1, JS1, and JT1 37-pin D-type connectors on the terminal board. TRLYS#F does not have power distribution or support simplex systems. Note TRLYS2F is the same as TRLYS1F except that voted contacts form a Form B normally closed (NC) output. 3.8.3.4 SRLY Simplex Relay Output The Simplex Relay Output (SRLY) terminal board provides 12 form C relay contact outputs wired to a Euro-style box terminal block. Each of 12 sealed relays uses an isolated contact set for relay position feedback. The SRLY accepts a single YDOA, which can have one or two network connections. 60 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.3.5 SRSA Simplex Compact Digital Output The Simplex Compact Digital Output (SRSA) terminal board provides 10 relay outputs, grouped as bank A and bank B. Each bank contains 5 outputs as a series combination of force-guided relay contacts and a solid-state relay. The primary disconnect operation should use the solid-state relays. The mechanical relays, one for each bank, are provided for redundancy and safety purposes. 3.8.4 YHRA HART Enabled Analog Input/Output The Highway Addressable Remote Transducer (HART) Enabled Analog Input/Output (YHRAS1A) pack provides the electrical interface between one or two IONets and a terminal board. The YHRA holds up to 10 analog inputs, the first 8 of which can be configured as ±5 V or 4-20 mA inputs. The last two inputs can be configured as ±1 mA or 4-20 mA current inputs. It also supports two 4-20 mA outputs. While in 4-20 mA mode, the YHRA can relay HART messages between HART enabled field devices and an Asset Management System (AMS). These HART enabled devices can be connected through any of the inputs or outputs. HART signals are for monitoring purposes only, and must be configured as non-interfering. Attention YHRAS1A is compatible with the SHRA terminal board and is capable of single I/O pack operation only. Refer to Appendix A for detailed hardware and software configuration tables and checklists for Mark VIeS I/O packs and terminal boards. Use the checklists to cross-check the board configuration with the hardware topology. For proper operation, the YHRA ToolboxST parameter AMS_Msg_Only must be set to disable. Attention SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) 3.8.4.1 SHRA Simplex HART Enabled Analog Input/Output The Simplex HART Enabled Analog Input/Output (SHRA) terminal board accepts 10 analog inputs and two analog outputs wired to a high-density Euro-block type terminal board. Connected to the YHRA pack, SHRA allows HART messages to pass between the YHRA and a HART enabled field device. The 10 analog inputs accommodate two-wire, three-wire, four-wire, or externally powered transmitters. The two analog outputs are 4-20 mA. SHRA accepts a single YHRA I/O pack. System Design GEH-6723W Functional Safety Manual 61 Public Information 3.8.5 YTCC Thermocouple Input The Thermocouple Input (YTCCS1A) pack provides the electrical interface between one or two IONets and a terminal board. YTCC handles up to 12 thermocouple inputs, while two packs can handle 24 inputs on TBTCS1C. Type E, J, K, S, and T thermocouples can be used, and they can be grounded or ungrounded. YTCC is compatible with the TBTC or the STTC terminal boards. In TMR configuration with the TBTCS1B terminal board, three packs are used with three cold junctions, but only 12 thermocouples are available. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) Compatibility Terminal Board TBTC STTC Version and Inputs TBTCS1B (12 TC) TBTCS1C (24 TC)† TBTCS1B (12 TC) TBTCS1B (12 TC) STTCS1A (12 TC) STTCS2A Pack Quantity Single – Yes Dual – Yes Triple – Yes Single – Yes † Support of 24 thermocouple inputs on TBTC requires the use of two YTCC I/O packs. 3.8.5.1 TBTC Thermocouple Input The Thermocouple Input (TBTC) terminal board accepts up to 24 type E, J, K, S, or T thermocouple inputs wired to two barrier type terminal blocks and connects to the YTCC pack. TBTC works with the YTCC pack in simplex, dual, and TMR systems. In simplex systems two YTCC packs plug into the TBTCS1C for a total of 24 inputs. With TBTSH1B, one, two, or three YTCC packs plug-in to support a variety of system configurations, but only 12 inputs are available. 3.8.5.2 STCC Simplex Thermocouple Input The Simplex Thermocouple Input (STTC) terminal board accepts 12 thermocouples wired to a Euro-block type terminal block, and connects to the YTCC pack. The on-board signal conditioning and cold junction reference is identical to those on the larger TBTC board. STCC is designed for DIN-rail or flat mounting and accepts a single YTCC I/O pack. 62 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.6 YVIB Vibration Input 3.8.6.1 YVIBS1A The Vibration Input (YVIBS1A) pack provides the electrical interface between one or two IONets and a terminal board. The pack handles up to 12 vibration inputs, the first 8 of which can be configured to read vibration or proximity inputs, channels 9-12 support proximeters only and channel 13 can input either a Keyphasor transducer or proximity-type signal. The terminal board also support non-safety rated buffered outputs of the input signal. The YVIBS1A I/O pack is rated SIL 1 with HFT of zero. YVIBS1A is compatible with the TVBAS1A or TVBAS2A terminal board. SIL capability is as follows: • • SIL 1 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 2 in HFT = 1 architectures (1 out of 2, 2 out of 3) 3.8.6.2 YVIBS1B The Vibration Input (YVIBS1B) pack provides the electrical interface between one or two IONets and a terminal board. the pack handles up to 13 inputs. The first 8 can be configured to read vibration or proximity sensors, channels 9-11 support position sensors only, and channels 12 and 13 can be configured to support either position sensors or KeyPhasor transducers. The terminal board also supports non-safety buffered outputs of the input signals. The YVIBS1B I/O pack is rated SIL 2 with HFT of zero. YVIBS1B is compatible with the TVBAS1A or TVBAS2A terminal boards. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 our of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 our of 2, 2 out of 3) 3.8.6.3 TVBA Vibration Input The Vibration Input (TVBA) terminal board provides 8 vibration inputs, 3 position inputs, an additional 2 position or Keyphasor inputs, and non-safety rated buffered outputs connected directly to two terminal blocks mounted on the board. Each block has 24 terminals that accept up to #12 AWG wires. A shield terminal attachment point is located adjacent to each terminal block. The TVBA can hold the following inputs and outputs: • • • • Vibration input Proximeters, Seismics, and Velomitor* sensor channels 1-8; Accelerometers (channels 1, 2, and 3 only) Position inputs Proximeters channels 9-12 for YVIBS1A and channels 9-11 for YVIBS1B Keyphasor transducer input Proximeter sensor channel 13 for YVIBS1A and channels 12 & 13 for YVIBS1B Non-safety rated, buffered outputs of the inputs The first eight inputs are jumper configured: • Jumpers J1A through J8A − − − • Jumpers J1B through J8B − − • Seismic (S) Prox or Accel (P, A) Velomitor sensor (V) Prox, Velomitor sensor or Accel (P, V, A) Seismic (S) Jumpers J1C through J8C − − PCOM provides N28 return path for power OPEN no N28 return path through terminal board System Design GEH-6723W Functional Safety Manual 63 Public Information 3.8.6.4 WNPS Power Supply Daughterboard Three redundant external power supplies provide the power for the TVBA. If one of the power supplies fails, the off line power supply can be replaced without bringing down the terminal board. To maintain this feature, the TVBA has three removable daughter cards to provide –28 to 28 V dc power converters. The daughterboards can be removed while the TVBA is online by disconnecting the I/O pack power (one at a time, R, S, or T), and removing the WNPS. The daughterboards are required to be mounted in accordance with all vibration and seismic standards. 3.8.7 YUAA Universal Analog The Universal Analog (YUAAS1A) I/O pack provides the electrical interface between one or two IONets and the SUAAS1A terminal board. Using the ToolboxST application, 16 Simplex Analog channels can be individually configured as any of the following types: Thermocouple, RTD, Voltage Input (± 5 V or ± 10 V), 4–20 mA Current Input, 0–20 mA Current Output, Pulse Accumulator, or Digital Input. The YUAAS1A I/O pack is rated SIL 2 with HFT of zero. YUAAS1A is compatible with the SUAAS1A terminal board. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) Note For further details on the YUAA I/O pack, refer to the Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II), the chapter PUAA, YUAA Universal I/O Modules. 3.8.7.1 SUAA Universal Analog Terminal Board The Universal Analog (SUAA) terminal board provides 16 Analog inputs that route directly to the YUAA electrical interface. The terminal blocks are removable on a per-channel basis due to how the points are grouped together as PWR_RTN, IO+, and IO-, respectively. Each terminal screw can accept a 24 - 12 AWG wire size. A shield terminal attachment point is located adjacent to each terminal block. There are no jumpers on the SUAA terminal board to configure. 64 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.8 YPRO Backup Turbine Protection The Emergency Turbine Protection (YPROS1A) pack and associated terminal boards provide an independent backup overspeed protection system. They also provide an independent watchdog function for the primary control. A typical protection system consists of three TMR YPRO I/O packs mounted on separate SPRO terminal boards. A cable, with DC-37 connectors on each end, connects each SPRO to an emergency trip board, TREG. An alternate arrangement places three YPRO I/O packs directly on TREA for a single-board TMR protection system. Mark VIeS control is designed with a primary and backup trip system that interacts at the trip terminal board level. Primary protection is provided with the YTUR pack operating a primary trip board (TRPG, TRPA). Backup protection is provided with the YPRO I/O pack operating a backup trip board (TREG, TREA). YPRO accepts three speed signals, including basic overspeed, acceleration, deceleration, and hardware implemented overspeed. It monitors the operation of the primary control and can monitor the primary speed as a sign of normal operation. YPRO checks the status and operation of the selected trip board through a comprehensive set of feedback signals. The pack is fully independent of, and unaffected by, the controller operation. YPRO modules are complex in their configuration and operation and should only be installed and configured by qualified personnel familiar with turbine protection systems. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) In the ToolboxST application, when the YPRO variable Speed1 is configured for either StaleSpdEn or SpeedDifEn (enabled), it must be connected to the controller's speed signal. An example is displayed in the following figure. Connecting ContWdog and Speed1 System Design GEH-6723W Functional Safety Manual 65 Public Information For an additional LOP, YPRO expects a continuously updated output (ContWdog) from the controller. The variable ContWdog Output must be connected and programmed to be incremented each frame. If the value is not updated within five frames, YPRO generates a trip. This feature allows YPRO to independently verify that the application code continues to run in the controller. DEVICE_HB Block for ContWdog Counter The YPRO I/O pack provides an additional LOP by monitoring the operating health of the system controller. The following rules apply if this protection is used: • • • Simplex main controller with TMR backup protection is supported by all Mark VIeS backup trip boards (TREG and TREA). In this configuration, one port on each of three YPRO I/O packs connects to the controller IONet. Dual Main Controllers with TMR backup protection is supported by all Mark VIeS backup trip boards (TREG and TREA). This configuration uses the dual controller TMR output standard network connection. The first YPRO pack has one network port connected to the R IONet. The second pack has one network port connected to the S IONet. The third pack has one network port connected to the R IONet and one network port connected to the S IONet. The third YPRO monitors the operation of both controllers. Triple Main Controllers with TMR backup protection is supported when operating with a TMR main control (2 out of 3). All Mark VIeS backup trip boards (TREG and TREA) support this configuration. The network configuration connects the first YPRO pack to the R IONet, the second to the S IONet, and the third to the T IONet. Note YPRO TMR applications do not support dual network connections for all three YPROs. In a redundant system there is no additional system reliability gained by adding network connections to the first two YPROs with dual controllers or any of the three YPROs with TMR controllers. The additional connections simply reduce mean time between failures (MTBF) without increasing mean time between forced outages (MTBFO). 3.8.8.1 TREA Turbine Emergency Trip The Aeroderivative Turbine Emergency Trip (TREA) terminal board works with YPRO turbine I/O packs. The inputs and outputs are as follows: • • • • Nine passive pulse rate devices (three per X/Y/Z section) sensing a toothed wheel to measure the turbine speed Jumper blocks that enable one set of three speed inputs to be fanned to all three YPRO I/O packs Two 24 V dc (S1A, S3A) or 125 V dc (S2A, S4A) TMR voted output contacts to trip the system Four 24 to 125 V dc voltage detection circuits for monitoring trip string For TMR systems, signals fan out to the JX1, JY1, and JZ1 DC-62 YPRO connectors. 3.8.8.2 TREG Turbine Emergency Trip The Gas Turbine Emergency Trip (TREG) terminal board provides power to three emergency trip solenoids and is controlled by the YPRO. Up to three trip solenoids can be connected between the TREG and TRPG terminal boards. TREG provides the positive side of the 125 V dc to the solenoids and TRPG provides the negative side. YPRO provides emergency overspeed protection, emergency stop functions, and controls the 12 relays on TREG, nine of which form three groups of three to vote the inputs controlling the three trip solenoids. 66 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.8.3 SPRO Emergency Protection The Emergency Protection (SPRO) terminal board hosts a single YPRO pack. It conditions speed signal inputs for the YPRO and contains a pair of potential transformers (PTs) for bus and generator voltage input. The DC-37 pin connector adjacent to the YPRO pack connector links the SPRO with a Mark VIeS trip board. 3.8.9 YSIL Core Safety Protection The Core Safety Protection (YSIL) I/O pack and associated terminal boards provide an independent backup overspeed protection system. They also provide an independent watchdog function for the primary control (Mark VIeS controller). A protection system consists of three TMR YSIL I/O packs mounted onto a TSCA terminal boards. Three serial cables connect from the TSCA to three SCSAs. Mark VIeS control is designed with a primary and backup trip system that interacts at the trip terminal board level. Primary protection is provided with the YTUR pack operating a primary trip board (TRPG, TRPA). Backup protection is provided with the YSIL I/O pack operating emergency trip relays (ETRs) on the TRPA. YSIL accepts 12 speed signals (probes), including basic overspeed, acceleration, deceleration, rate-based overspeed (RBOS), and hardware implemented overspeed. It monitors the operation of the primary control (Mark VIeS controller) and can monitor the primary speed as a sign of normal operation. YSIL checks the status and operation of TSCA through a comprehensive set of feedback signals. The I/O pack is fully independent of, and unaffected by, the Mark VIeS controller operation. YSIL modules are complex in their configuration and operation and should only be installed and configured by qualified personnel who are familiar with turbine protection systems. Attention Note For further details on RBOS, refer to the Mark VIe and Mark VIeS Control Systems Volume III: System Guide for GE Industrial Applications (GEH-6721_Vol_III), the chapter YSIL Core Safety Protection Module. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) In the ToolboxST application, when the YSIL variable Speed1 is configured for either StaleSpdEn or SpeedDifEn (enabled), it must be connected to the controller's speed signal. For an additional level of protection (LOP), YSIL expects a continuously updated output (ContWdog) from the controller. The variable ContWdog Output must be connected and programmed to be incremented each frame. If the value is not updated within five frames, YSIL generates a trip. This feature allows YSIL to independently verify that the application code continues to run in the controller. DEVICE_HB Block for ContWdog Counter System Design GEH-6723W Functional Safety Manual 67 Public Information The YSIL I/O pack provides an additional LOP by monitoring the operating health of the system controller. The following rules apply if this protection is used: • • • Simplex main controller with TMR backup protection is supported by the Mark VIeS backup trip board, TSCA. In this configuration, one port on each of three YSIL I/O packs connects to the controller IONet. Dual Main Controllers with TMR backup protection is supported by the Mark VIeS backup trip board, TSCA. This configuration uses the dual controller TMR output standard network connection. The first YSIL pack has one network port connected to the R IONet. The second pack has one network port connected to the S IONet. The third pack has one network port connected to the R IONet and one network port connected to the S IONet. The third YSIL monitors the operation of both controllers. Triple Main Controllers with TMR backup protection is supported when operating with a TMR main control (2 out of 3). The Mark VIeS backup trip board, TSCA supports this configuration. The network configuration connects the first YPRO pack to the R IONet, the second to the S IONet, and the third to the T IONet. Note YSIL TMR applications do not support dual network connections for all three YSILs. In a redundant system there is no additional system reliability gained by adding network connections to the first two YSILs with dual controllers or any of the three YSILs with TMR controllers. The additional connections simply reduce mean time between failures (MTBF) without increasing mean time between forced outages (MTBFO). 3.8.9.1 TCSA Turbine Emergency Trip The TCSA uses the J2 connector to supply 125 V dc or 24 V dc power for ETRs 1-3 found on TB5 SOL1 & SOL2 and TB6 SOL3. Likewise, the J3 connector supplies power to ETRs 4-9 found on TB6 SOL4 - SOL9. Under normal running conditions, the mechanical force-guided relay, K6 is energized and the ETRs 1,2 and/or 3 solid-state relays: ETR1-3 are energized. Similarly, the second mechanical force-guided relay, K7 is grouped with ETRs 4-6 and the third mechanical force-guided relay, K8 is grouped with ETRs 7-9. De-energizing any or all ETR(s) is considered a trip request. 3.8.9.2 SCSA I/O Expansion Board The YSIL module requires three SCSA I/O expansion boards be connected through serial links to the TCSA terminal board. Each SCSA provides ten 4-20 mA inputs and ten 24 V dc transmitter power outputs, six 4-20 mA inputs for externally powered transmitters, three thermocouple inputs, three contact inputs, and three contact outputs. The YSIL can use any of the 4-20 mA analog inputs on the SCSA (AnalogInput01_R,S or T through AnalogInput16_R,S or T TMR input sets) in the Emergency Trip Relay (ETR) logic string. 68 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.10 YTUR Primary Turbine Protection The Primary Turbine Protection (YTURS1A) pack provides the electrical interface between one or two IONets and a primary protection terminal board. YTUR plugs into the TTUR terminal board and handles four speed sensor inputs, bus and generator voltage inputs, shaft voltage and current signals, eight flame sensors, and outputs to the main breaker. Safety certified protection includes: Speed An interface is provided for up to four passive, magnetic speed inputs with a frequency range of 2 to 20,000 Hz. Flame Detection Voltage pulses above 2.5 V generate a logic high; the pulse rate is measured in a counter over a configurable time (multiple of 40 ms). ETD TRPx contains relays for interface with the electrical trip devices (ETD). Note For the Mark VIeS control, the flame sensing circuitry analysis was performed with the presence of flame considered as the safe state. YTUR flame sensing is not intended for applications where detected flame is the unsafe condition. Only speed, flame detectors, ETD, and E-Stop circuits are certified for safety applications. All other functionality is non-safety rated. Attention YTURS1A is compatible with the TTUR and TRPA terminal boards. As an alternative to TTUR, three YTUR packs can be plugged directly into a TRPA terminal board. In this arrangement, TRPA holds four speed inputs per YTUR, or alternately fans the first four inputs to all three YTURs. TRPA provides two solid-state primary trip relays. This arrangement does not support bus and generator voltage inputs, shaft voltage or current signals, flame sensors, or main breaker output. Note YTUR modules are complex in their configuration and operation, and should only be installed and configured by qualified personnel familiar with turbine protection systems. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2, 2 out of 3) System Design GEH-6723W Functional Safety Manual 69 Public Information 3.8.10.1 TTUR Primary Turbine Protection Input The Primary Turbine Protection Input (TTUR) terminal board works with the YTUR turbine I/O packs as part of the Mark VIeS control. Two barrier style terminal blocks accept the following inputs and outputs: • Safety rated inputs and outputs: − − • Twelve pulse rate devices that sense a toothed wheel to measure turbine speed Three overspeed trip signals to the trip board Non-safety rated inputs and outputs: − − − Generator voltage and bus voltage signals taken from PTs 125 V dc output to the main breaker coil for automatic generator synchronizing Shaft voltage and current inputs to measure induced shaft voltage and current In simplex systems, YTUR mounts on connector JR4 and cable connects to TRPG through connector PR3. For TMR systems, signals fan out to the PR3, PS3, and PT3. TTUR supports connection of TRPG and TRPA boards through the JR4, JS4, and JT4 connectors. Note TTUR configuration information refers to non-safety-related functions. 3.8.10.2 TRPG Turbine Primary Trip The Gas Turbine Primary Trip (TRPG) terminal board is controlled by the YTUR. On two barrier style terminal blocks, TRPG holds nine magnetic relays in three voting circuits to interface with three trip solenoids (ETDs). The TRPG works with TREG to form the primary and emergency interface to the ETDs. TRPG holds inputs from eight Geiger-Mueller® flame detectors for gas turbine applications. There are two board types: • • The S1A and S1B version for TMR applications with three voting relays per solenoid The S2A and S2B version for simplex applications with one relay per solenoid In Mark VIeS systems, the TRPG is controlled by YTUR packs mounted on a TTUR terminal board. The I/O packs plug into the D-type connectors on TTUR, which is connected by cable to TRPG. Note In a dual-control mode topology where (1 out of 2) or (2 out of 2) tripping is desired, use YTUR with an externally wired TRPGS2 terminal board for the desired configuration. 3.8.10.3 TRPA Turbine Primary Trip The Aeroderivative Turbine Primary Trip (TRPA) terminal board works with the YTUR turbine I/O packs or with the TTUR terminal board as part of the Mark VIeS system. Both TRPAS1A and TRPAS2A are compatible with YTUR. TRPA holds the following inputs and outputs on two barrier style terminal blocks: • • • • Twelve passive pulse rate devices (four per R/S/T section) that sense a toothed wheel to measure the turbine speed. Or, six active pulse rate inputs (two per TMR section) One 24 to 125 V dc fail-safe E-Stop input to remove power from trip relays Two 24 V dc (S1) or 125 V dc (S2) TMR voted output contacts to the main breaker coil for trip coil Four 24 to 125 V dc voltage detection circuits for monitoring trip string For TMR systems, signals fan out to the PR3, PS3, PT3, JR4, JS4, and JT4 connectors. TRPA can be configured to provide 12 independent pulse rate speed inputs with 4 per YTUR or fan a single set of 4 inputs to all 3 YTUR packs. Jumpers JP1 and JP2 select the fanning of the four R section passive speed pickups to the S and T section YTURs. Unused jumpers are stored on passive headers located on the corner of the board. 70 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3.8.11 YDAS Data Acquisition System 3.8.11.1 YDASS1A The Data Acquisition System (YDASS1A) pack provides the electrical interface between one or two IONets and a terminal board. The pack handles up to 21 dynamic pressure sensor inputs. The terminal board also support 21 non-interfering buffered outputs. The YDASS1A I/O pack is rated SIL 2 with HFT of zero. YVIBS1A is compatible with the TCDMS1A terminal board. SIL capability is as follows: • • SIL 2 in HFT = 0 architectures (1 out of 1, 2 out of 2) SIL 3 in HFT = 1 architectures (1 out of 2) 3.8.11.2 TCDM Combustion Dynamics Monitoring The Combustion Dynamics Monitoring (TCDM) terminal board provides 21 dynamic pressure inputs and 21 non-interfering buffered outputs connected directly to three terminal blocks mounted on the board. Each block accepts up to #12 AWG wires. A shield terminal attachment point is located adjacent to each terminal block. The TCDM can hold the following inputs and outputs: • • 21 Dynamic pressure sensor inputs, ±30 Vpk 21 Non-interfering buffered outputs Each of the 21 inputs can be jumper configured: • Jumpers JP1 through JP21 − − Charge Converter Signal Amplifier (CCSA) PCB Piezotronics® charge amplifier System Design GEH-6723W Functional Safety Manual 71 Public Information 3.9 Power Sources The Mark VIeS Safety control is designed to operate on a flexible selection of power sources. Power distribution modules (PDM) support the use of 115/230 V ac, 24 V dc, and 125 V dc power sources in many redundant combinations. The applied power is converted to 28 V dc for I/O pack operation. The controllers may operate from the 28 V dc I/O pack power or from direct 24 V dc battery power. Alternate power sources are acceptable if I/O pack power is regulated to be within ±5% of 28 V dc and overvoltage protection is provided by the power source. The extensive power feedback signals designed into the Mark VIe power distribution system are not critical to system safety but do provide useful information to assist in system maintenance. All Mark VIeS I/O packs include a circuit breaker at the 28 V dc power input that limits the available fault current. The breaker also provides soft-start, permitting the application of power to an I/O pack without concern for other connected loads. All I/O packs monitor input voltage for undervoltage conditions. The voltage monitoring function provides alarms at 25.1 V dc (28 V -5%) and 16 V dc. When the input voltage drops below 25.1 V dc, an alarm is generated. The I/O pack continues to operate, but performance is degraded. For example, on terminal boards with 24 V dc power sources for powered field devices, the voltage begins to drop below 24 V dc and the available drive voltage for analog output is diminished. Action should be taken to begin an orderly shut-down of equipment protected by the affected SIFs. I/O pack operation will continue to permit a controlled shutdown. When the input voltage drops below 16 V dc, another alarm is generated. An output I/O pack enters its power-down state, the safe state for all but energize-to-trip SIFs. The following figures display an example of the power loss application in the ToolboxST application: Input Variables 72 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Controller Software Blocks Output Variables When designing de-energize-to-trip systems, the power circuits are not critical to safety because all failures are considered safe. This allows power systems with a single power distribution bus and supply to be used if it meets system running reliability requirements. For energize-to-trip systems, an interruption of all control power influences the ability to trip. To maintain an HFT of 1, three fully independent power supplies must be maintained for the redundant control electronics. The power distribution components available as part of the Mark VIe family provide the means to design a system with three separate control power distribution networks. System Design GEH-6723W Functional Safety Manual 73 Public Information 3.9.1 PPDA Power Distribution System Feedback The PPDA I/O pack accepts inputs from up to six different power distribution boards. It conditions the board feedback signals and provides a dual-redundant Ethernet interface to the controllers. PPDA feedback is structured to be plug and play, using electronic IDs to determine the power distribution boards wired into it. This information then populates the IONet output to provide correct feedback from connected boards. For use with the Mark VIeS Safety controller, the PPDA I/O pack can be hosted by the JPDS, JPDC, or JPDM 28 V dc control power boards. It is compatible with the feedback signals created by JPDB, JPDE, and JPDF. The PPDA I/O pack is not SIL-rated, and is authorized for use on a non-interfering basis for power system monitoring purposes only. PPDA feedback information cannot be used in a SIL-rated safety function. Caution 74 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 4 Installation, Commissioning, and Operation 4.1 Installation During installation, complete the following items: • Documentation of a functional safety management plan, including: − − − − − • • • • Organization and resources Risk evaluation and management to identify safety hazards Safety planning, implementing, and monitoring Functional safety assessment, auditing, and revisions System configuration management Clear documentation of the required hardware and programmable logic for each safety loop Safety function validation tests plans Functional testing of each safety loop conducted under site environmental conditions Records of functional tests 4.2 Commissioning During commissioning, the following items should be checked: • • • • • • • All wiring is in accordance with design All software and firmware is up-to-date Test instrumentation is calibrated No diagnostics are present in hardware or software System is properly configured (configuration checklist verified) Power supplies are of proper type and in good working order All forcing points are removed prior to engaging Locked mode Installation, Commissioning, and Operation GEH-6723W Functional Safety Manual 75 Public Information 4.3 Operation To maintain safety integrity during normal operations, the following checks and periodic proof tests must be conducted to expose any DU hazards. • • • • Proof test intervals must be calculated for each SIF Proof tests must be conducted to ensure that the functional safety as designed is maintained and test results recorded All diagnostic alarms must be identified and corrected. Check the front lights on the I/O pack when performing this task. Contact GE if a fault is encountered. 4.3.1 Variable Health The Mark VIeS control detects I/O pack failures, defaults input data, and generates alarms as appropriate. The application code can be alerted to this type of failure by monitoring the health of critical input variables using the VAR_HEALTH block. 4.3.2 Alarming on Diagnostics Alert an operator when a diagnostic alarm is active in the control system. Every pack and controller has a configuration variable L3Diag that is driven to the active state when there is an active diagnostic alarm in the device. Configure these variables as alarms in the application code so that they are available through the Alarm Viewer. 4.3.3 I/O Pack Status LEDs During system operation, alarms or diagnostics must be promptly addressed. The following is a partial listing of I/O pack status LEDs. A green LED labeled PWR indicates the presence of control power. A red LED labeled ATTN indicates five different pack conditions as follows: • • • • • LED out -no detectable problems with the pack LED solid on – a critical fault is present that prevents the pack from operating. Critical faults include detected hardware failures on the processor or acquisition boards, or no application code loaded. LED flashing quickly (¼ second cycle) – an alarm condition is present in the pack such as putting the wrong pack on the terminal board, or there is no terminal board, or there were errors loading the application code. LED flashing at medium speed (¾ second cycle) – the pack is not online LED flashing slowly (two second cycle) – the pack has received a request to flash the LED to draw attention to the pack. This is used during factory test or as an aid to confirm physical location against ToolboxST settings. A green LED labeled LINK is provided for each Ethernet port to indicate that a valid Ethernet connection is present. 76 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 4.3.4 Restrictions Restrictions in the Mark VIeS Safety control are as follows: • The UCCCS05, UCSBS1A, and UCSCS2A are the only controller types certified for use in the Mark VIeS Safety control system. − − − − − − UCCCS05 is in maintenance mode only in Mark VIeS V05.03 beginning with ControlST V07.02 UCSBS1A is supported beginning with ControlST V04.03 and higher UCSCS2A is supported beginning with ControlST V07.02 and higher UCCCS05 □ Does not support Modbus, and only supports 40, 80 and 160 ms frame periods □ Compatible with all YxxxS1A and YxxxS1B I/O modules UCSBS1A and UCSCS2A □ Support both Modbus and the 10, 40, 80 and 160 ms frame periods □ Compatible with all YxxxS1A I/O modules running at 40, 80 and 160 ms frame periods □ Compatible with all YxxxS1B I/O modules running at 10, 40, 80 and 160 ms frame periods Frame idle time must be above 30%. Frame idle time should be periodic as the set of operations implemented in a frame is fixed for a given configuration. It can be monitored for a controller using the FrameIdleTime_x intrinsic variables on Trender or calculating a minimum using blockware. Frame idle time is calculated in the controller every frame. Note To measure minimum frame idle time, measurements must be taken with all inputs healthy and separately with at least one input module unhealthy (for example, with the Ethernet cable removed from the I/O module). In most cases, the scenario with at least one input module unhealthy will have a lower frame idle time. − − − Average system idle time must be above 30%. System idle time is not periodic because of many features that are interrupt-based rather than frame based, such as UDH EGD consumption, communications with ToolboxST/HMI, and so forth. System idle time can be monitored for a controller using the IdleTime_x intrinsic variables on Trender and is calculated as a 1 second average. It is acceptable for measured system idle time to dip below 30%, but this must only occur less than 10% of the time. At frame periods of 40, 80 and 160 ms, any combination of the Safety I/O modules is allowed, up to a maximum of 50 modules per IONet At a frame period of 10 ms, any combination of Safety I/O modules is allowed such that all frame input clients complete within 1.6 ms after the start of the frame Note 1.6 ms allows for a required 20% safety margin. Execution time of the frame input clients varies based on the following user configurable items: • Controller type • Number of I/O modules • Types of I/O modules • Number of voted Boolean variables • Number of voted Analog variables For additional information, refer to the Appendix, Determine Frame Input Client Completion Time. • • Use only GE approved Ethernet switches in the Mark VIeS Safety control I/O network. The YHRA can be used for analog I/O requiring the HART communications interface. HART communications should be used for monitoring only and not for control. Installation, Commissioning, and Operation GEH-6723W Functional Safety Manual 77 Public Information • • • • • • • • • • • • • • The analog outputs of the YHRA are NOT capable of hardware TMR voting and can only be applied as a simplex output. HART communications can be configured for simplex mode input only (no HART multi-drop support). The YHRA configuration parameter AMS_Msg_Only must be set to disable. YVIBS1A is SIL 1 rated with an HFT of 0, SIL 2 with an HFT of 1. YVIB buffered outputs are not safety-certified. YDAS buffered outputs are not safety-certified. SRLY optional fused power distribution card WROx may only be used for power distribution, fuse diagnostic feedback signals are not safety certified. TRLY-F optional fused power distribution card WPDF may only be used for power distribution, fuse diagnostic feedback signals are not safety certified. IR interface to the I/O packs is prohibited while functioning as a safety control. The Mark VIeS Safety control allows communication with other controllers and Human-machine Interface (HMI) devices through the UDH network. The UDH communication channel is not safety-certified so any data accessed from the UDH is not approved for use within a safety loop (Data sent through the black channel BLACK_* blocks is an exception). Commands from the HMI devices (for example setpoint changes) are not accepted by the Mark VIeS control. The presence of active diagnostic alarms in the control system indicates that safety functions may be compromised. All diagnostics should be cleared prior to startup and any diagnostic that occurs should be attended to in a timely fashion. Non-volatile program variables and totalizers are not available for use in safety loops. Non-volatile RAM is not safety certified. Feedback values from the PPDA cannot be used for SIL-rated safety functionality. The PPDA is approved for non-interfering, power distribution system monitoring purposes only. The YTUR flame detection has been designed and analyzed with the safe state being the presence of flame. Flame sensing is not intended for applications where detected flame is the unsafe state. The master reset should be cleared before engaging safety control. The Master Reset command is issued by the controller to the I/O packs to reset any existing trips or suicide latches. If the fault condition remains after the reset has been issued, the trip or suicide is issued again. Because the I/O packs evaluate the Master Reset command at each run cycle, the I/O packs toggle between the cleared and faulted condition if the command remains active for an extended time and a persistent fault condition is present. To prevent this, the Master Reset command must be pulsed to the I/O packs and remain active for at least two frames before returning to the inactive state. The following figure displays the application code that implements this function. Pulsed Master Reset 78 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 4.4 Product Life During operation and maintenance, the following product life guidelines should be followed: • • • • • • • • • • The I/O packs have no known wear-out mechanism and do not require periodic maintenance. There are no wear items on the UCSBS1A or UCSCS2A controllers similar to the I/O packs. The terminal boards have no known wear-out mechanism and do not require periodic maintenance. The bulk 28 V dc power supplies have internal capacitors with finite life. Replacement of the power supplies should be scheduled every 15 years. The recommended Ethernet switches have internal power supply capacitors with finite life. Replacement of the switches should be scheduled every 15 years. Capacitor life predictions are based on an average ambient temperature of 35 ºC (95 ºF). Capacitor life is reduced by ½ for every 10 ºC (18 ºF) of average temperature above 35 ºC (95 ºF). The cooling fan in the UCCC CPCI controller rack has a specified service life of 80,000 hours at 40 ºC (104 ºF). Replacement should be scheduled within this time period. The lithium battery for the UCCC has a service life of 10 years. The battery is disabled in stock and can be disabled when storing a controller. If it is desired to keep the local time-of-day clock operational through power interruptions, the Mark VIeS Safety controller battery should be replaced following the schedule below. This time-of-day is not critical to the safety function, and is overwritten by system time service in many applications. If the controller is stored with the battery disabled, its life expectancy is 10 years, minus the time the controller has been in service. If the controller is stored with the battery enabled, the life expectancy drops to seven years minus the time the controller has been in service. The power supply in the UCCC CPCI rack has internal capacitors with finite life. Replacement of the power supply should be scheduled every 15 years. The UCCC CPCI rack backplane has capacitor filtering with finite life. Replacement of the backplane should be scheduled every 15 years. Installation, Commissioning, and Operation GEH-6723W Functional Safety Manual 79 Public Information Notes 80 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5 I/O Configuration This chapter contains tables that should be used as checklists for I/O point configuration. Copies of each table should be made and the appropriate values either checked or written in the final column. The ToolboxST module configuration should be verified against the installed I/O module hardware. ➢ To verify terminal board configuration 1. Upon initial installation, prior to securing the module cover, locate and record the terminal board information. a. The terminal board part number contains the Type and Form information. IS200 TBAI S1C [Type] [Form] b. Record the terminal board barcode. This must be entered into the ToolboxST module configuration if offline or there is an ellipse that can automatically detect this ID if online. I/O Configuration GEH-6723W Functional Safety Manual 81 Public Information 5.1 YAIC 5.1.1 YAIC Compatibility The YAIC I/O pack contains an internal processor board. The following table lists the available versions of the YAIC. YAIC Version Compatibility I/O Pack Process Board Compatible (Supported) Firmware ControlST Software Suite Versions YAICS1A YAICS1B BPPB BPPC V04.06 V05.01 and later V04.06 and later V06.01 and later YAICS1A and YAICS1B I/O pack versions cannot be mixed on the same T-type terminal board. Attention All three YAIC I/O packs in a TMR set must be the same hardware form. To upgrade or replace the YAIC, refer to the following procedures in the Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II): Replace Mark VIeS Safety I/O Pack with Same Hardware Form Replace Mark VIeS Safety I/O Pack with Upgraded Hardware Form • • The YAIC I/O pack is compatible with the TBAIS1C and STAIS#A terminal boards. YAIC Terminal Board Compatibility Terminal Board I/O Pack Redundancy Description Simplex Dual TMR TBAIS1C TMR Analog input/output terminal board Yes No Yes STAIS#A Simplex Analog input/output terminal board Yes No No I/O pack redundancy refers to the number of I/O packs used in a signal path, as follows: • • Simplex uses one I/O pack. TMR uses three I/O packs. 5.1.2 YAICS1B Configuration 5.1.2.1 Parameters Parameter Description Choices SystemLimits Enable or temporarily disable all system limit checks. Setting this parameter to Disable will cause a diagnostic alarm to occur. Enable, Disable Min_MA_Input Select minimum current for healthy 4-20 mA input 0 to 22.5 mA Max_MA_Input Select maximum current for healthy 4-20 mA input 0 to 22.5 mA 82 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.1.2.2 Inputs Input Description Choices AnalogInput01– AnalogInput10 First of 10 Analog Inputs – board point. Point edit (Input REAL) InputType Current or voltage input type Unused or 4-20 mA (for all Analog Inputs), ±5 V or ±10 V (for AnalogInput01 to 08 only), ±1 mA (for AnalogInput09 and 10 only) Low_Input Value of input current (mA) or voltage (V) at low end of input scale -10 to 20 Low_Value Value of input in engineering units at Low_Input -3.4082 e + 038 to 3.4028 e + 038 High_Input Value of input current (mA) or voltage (V) at high end of input scale -10 to 20 High_Value Value of input in engineering units at High_Input -3.4082 e + 038 to 3.4028 e + 038 InputFilter Bandwidth of input signal filter Unused, 0.75 hz, 1.5 hz, 3 hz, 6 hz, 12 hz TMR_DiffLimit Difference limit for voted inputs in percent of (High_Value - Low_Value) 0 to 200 % SysLim1Enabl Enable System Limit 1 fault check Enable, Disable SysLim1Type System Limit 1 fault latch - if set, requires a Reset System Limits (RSTSYS) on SYS_OUTPUTS block to clear System Limit 1 Check Type >= or <= SysLim1 System Limit 1 in engineering units -3.4082 e + 038 to 3.4028 e + 038 SysLim2Enabl Enable System Limit 1 fault check Enable, Disable SysLim1Latch Latch, NotLatch SysLim2Type System Limit 2 fault latch - if set, requires a Reset System Limits (RSTSYS) on SYS_OUTPUTS block to clear System Limit 2 Check Type >= or <= SysLimit2 System Limit 2 in Engineering Units -3.4082 e + 038 to 3.4028 e + 038 DiagHighEnab Enables the generation of a high limit diagnostic alarm when the value of the 4-20 mA input is greater than the value of parameter Max_MA_Input Enable, Disable DiagLowEnab Enables the generation of a low limit diagnostic alarm when the value of the 4-20 mA input is less than the value of parameter Min_MA_Input Enable, Disable TMR_DiffLimt Diag limit, TMR input vote difference, in percent of (High_Value - Low_Value) 0 to 200 % SysLim2Latch I/O Configuration Latch, NotLatch GEH-6723W Functional Safety Manual 83 Public Information 5.1.2.3 Outputs Output Name Output Description Choices AnalogOutput01 AnalogOutput02 First of two analog outputs - board point, Point edit Output REAL Output_MA Output current, mA selection Unused, 0-20 mA State of the outputs when offline. When the PAIC loses communication with the controller, this parameter determines how it drives the outputs: • PwrDownMode - Open the output relay and drive outputs to zero current • HoldLastVal - Hold the last value received from the controller • Output_Value - Go to the configured output value set by the parameter Output_Value OutputState PwrDownMode, HoldLastVal, Output_ Value Output_Value Pre-determined value for the outputs -3.4082 e + 038 to 3.4028 e + 038 Low_MA Output mA at low value 0 to 200 mA Low_Value Output in Engineering Units at Low_MA -3.4082 e + 038 to 3.4028 e + 038 High_MA Output mA at high value 0 to 200 mA High_Value Output value in Engineering Units at High_MA -3.4082 e + 038 to 3.4028 e + 038 TMR_Suicide Enables suicide for faulty output current, TMR only Enable, Disable TMR_SuicLimit D/A_ErrLimit Suicide threshold (Load sharing margin) for TMR operation, in mA Difference between D/A reference and feedback, in percent for suicide, TMR only Dither_Ampl Dither % current of Scaled Output mA Dither_Freq Dither rate in Hertz 5.1.2.4 0 to 200 mA 0 to 200 % 0 to 10 Unused, 12.5 hz, 25 hz, 33.33 hz, 50 hz, 100 hz Variables Variable Name Description Direction Type L3DIAG_YAIC Board diagnostic Input BOOL LINK_OK_YAIC I/O Link OK indication Input BOOL ATTN_YAIC Module Diagnostic Input BOOL IOPackTmpr I/O Pack Temperature (deg F) Input REAL PS18V_YAIC I/O 18V Power Supply Indication Input BOOL PS28V_YAIC I/O 28V Power Supply Indication Input BOOL SysLimit1_1 System Limit 1 Input BOOL ↓ ↓ Input BOOL SysLimit1_10 System Limit 1 Input BOOL SysLimit2_1 System Limit 2 Input BOOL ↓ ↓ Input BOOL SysLimit2_10 System Limit 2 Input BOOL OutSuicide1 Status of Suicide Relay for Output 1 Input BOOL OutSuicide2 Status of Suicide Relay for Output 2 Input BOOL Out1MA Feedback, Total Output Current, mA Input REAL Out2MA Feedback, Total Output Current, mA Input REAL 84 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.1.3 YAICS1A Configuration The ToolboxST application configured items should be verified against the selected terminal board configuration. YAIC Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex, TMR Hardware group Distributed I/O, Group Terminal board Terminal board type/form/barcode I/O pack configurations Pack form/TB Connector/IONet Parameters Tab Configuration Description Select Option ✓ or Enter Value SystemLimits Enable or disable system limits Enable, Disable Min_MA_Input Select minimum current for healthy 4-20 mA input 0 to 21 mA Max_MA_Input Select maximum current for healthy 4-20 mA input 0 to 21 mA Input Tab (repeat for 10 inputs) Input Description Select Option ✓ or Enter Value InputType Current or voltage input type Unused, 4-20 mA, ±5 V, ±10 V, ±1 mA (Inputs 9 and 10) Low_Input -10 to 20 Low_Value Value of current at the low end of scale Value of input in engineering units at low end of scale High_Input Value of current at the high end of scale -10 to 20 High_Value Value of input in engineering units at high end of scale InputFilter Bandwidth of input signal filter SysLim1Enabl Input fault check -3.4082 e + 038 to 3.4028 e + 038 Unused, 0.75 Hz, 1.5 Hz, 3.0 Hz, 6.0 Hz, 12.0 Hz Enable, Disable SysLim1Latch Input fault latch Latch, Unlatch SysLim1Type Input fault type ≥ or ≤ SysLim1 Input limit in engineering units -3.4082 e + 038 to 3.4028 e + 038 SysLim2Enabl Input fault check Enable, Disable SysLim2Latch Input fault latch Latch, Unlatch SysLim2Type Input fault type ≥ or ≤ SysLim2 Input limit in engineering units -3.4082 e + 038 to 3.4028 e + 038 DiagHighEnab Enable high input limit diagnostic Enable, Disable DiagLowEnab Enable low input limit diagnostic Enable, Disable TMRDiffLimt Diagnostic limit, TMR input vote difference, in percent of 0 to 200 % (High_Value – Low_Value) I/O Configuration -3.4082 e + 038 to 3.4028 e + 038 GEH-6723W Functional Safety Manual 85 Public Information Analog Output Tab (repeat for 2 outputs) Output Description Select Option ✓ or Enter Value Output_MA Type of output current, mA selection Unused, 0 – 20 mA OutputState State of the outputs when offline PwrDownMode, Hold Last Value, Output_Value Output_Value Pre-determined value for the outputs Low_MA Output mA at low value 0 to 20 mA Low_Value Output in engineering units at low mA -3.4082 e + 038 to 3.4028 e + 038 High_MA Output mA at high value 0 to 20 mA High_Value Output value in engineering units at high mA -3.4082 e + 038 to 3.4028 e + 038 TMRSuicide Suicide for faulty output current, TMR only Enable, Disable TMRSuicLimit Suicide threshold for TMR operation 0 to 20 mA D/AErrLimit Difference between D/A reference and output, in % for suicide, TMR only 0 to 100 % DitherAmpl Dither % current of scaled output mA Dither_Freq Dither rate in hertz 86 GEH-6723W 0 to 10 Unused, 12.5 Hz, 25.0 Hz, 33.33 Hz, 50.0 Hz, 100.0 Hz GEH-6723 Mark VIeS Control Functional Safety Manual Public Information TBAI/STAI Terminal Board TBAI Circuit Jumper J1A Input 1 J1B J2A Input 2 J2B J3A Input 3 J3B J4A Input 4 J4B J5A Input 5 J5B J6A Input 6 J6B J7A Input 7 J7B J8A Input 8 J8B J9A Input 9 J9B J10A Input 10 J10B Output 1 Must be set to 20 mA only Output 2 No jumper – 20 mA only I/O Configuration Select ✓ V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret GEH-6723W Functional Safety Manual 87 Public Information 5.2 YDIA 5.2.1 YDIA Compatibility The YDIA I/O pack contains an internal processor board. The following table lists the available versions of the YDIA. YDIA Version Compatibility I/O Pack Processor Board Compatible (Supported) Firmware ControlST Software Suite Versions YDIAS1A YDIAS1B BPPB BPPC V04.06 and later V06.01 and later V04.06 V05.01 and later YDIAS1A and YDIAS1B I/O pack versions cannot be mixed on the same T-type terminal board. Attention All YDIA I/O packs in a Dual or TMR set must be the same hardware form. To upgrade or replace the YDIA, refer to the following procedures in the Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II): Replace Mark VIeS Safety I/O Pack with Same Hardware Form Replace Mark VIeS Safety I/O Pack with Upgraded Hardware Form • • The YDIA I/O pack is compatible with seven discrete contact input terminal boards, including the TBCI and STCI boards. YDIA Terminal Board Compatibility Terminal Board I/O Pack Redundancy Description Simplex Dual TMR TBCIS1, S2, S3 TMR Contact input terminal board with group isolation Yes Yes Yes STCIS1A, S2A, S4A, S6A Simplex Contact input terminal board Yes No No I/O pack redundancy refers to the number of I/O packs used in a signal path, as follows: • • • Simplex uses one I/O pack. Dual uses two I/O packs. TMR uses three I/O packs. 88 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YDIAS1B Configuration 5.2.2 Parameters Parameter Description Choices ContactInput Mark a specific contact input as Used or Unused Used, Unused SignalInvert Inversion makes signal true if contact is open Normal, Invert SeqOfEvents Record contact transitions in sequence of events Enable, Disable DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable Signal Filter Contact input filter in milliseconds Zero, Ten, Twenty, Fifty, Hundred 5.2.3 Inputs Input Direction Type Contact01 Input BOOL ↓ ↓ ↓ Contact24 Input BOOL 5.2.4 Variables Note The following variable names are displayed differently depending on redundancy of I/O pack (R, S, or T) and if this is a PDIA or YDIA pack. Variable (x = R, S, or T) Description L3DIAG_PDIA_x L3DIAG_YDIA_x I/O diagnostic indication BOOL LINK_OK_PDIA_x LINK_OK_YDIA_x I/O link OK indication BOOL ATTN_PDIA_x ATTN_YDIA_x I/O attention indication IOPackTmpr_x I/O pack temperature REAL PS18V_PDIA_x PS18V_YDIA_x I/O 18 V power supply indication BOOL PS28V_PDIA_x PS28V_YDIA_x I/O 28 V power supply indication BOOL Direction I/O Configuration Input Type BOOL GEH-6723W Functional Safety Manual 89 Public Information 5.2.5 YDIAS1A Configuration YDIA Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex, Dual, TMR Hardware group Distributed I/O, Group Terminal board Terminal board type/form/barcode I/O pack configurations Pack form/TB Connector/IONet Parameters Tab Parameter Description Select Option ✓ or Enter Value SystemLimits Enable or disable system limit Enable, Disable Application Digital Input Tab (repeat for 24 inputs) Input Description Select Option ✓ or Enter Value ContactInput Used, Not Used SignalInvert Inversion makes signal True if contact is open. Do not rely on the SignalInvert property of digital inputs to Normal, Invert invert the value. Implement this operation in the application code with the input connected to a NOT block. SeqOfEvents Record contact transitions in sequence of events Enable, Disable DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable SignalFilter Contact input filter in milliseconds Zero, Ten, Twenty, Fifty, Hundred 90 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.3 YDOA 5.3.1 YDOA Compatibility The YDIA I/O pack contains an internal processor board. The following table lists the available versions of the YDOA. YDOA Version Compatibility I/O Pack Processor Board Compatible (Supported) Firmware ControlST Software Suite Versions YDOAS1A YDOAS1B BPPB BPPC V04.11 V05.00 and later V05.04 and later V06.01 and later YDOAS1A and YDOAS1B I/O pack versions cannot be mixed on the same T-type terminal board. Attention All three YDOA I/O packs in a TMR set must be the same hardware form. To upgrade or replace the YDOA, refer to the following procedures in the Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II): • • Replace Mark VIeS Safety I/O Pack with Same Hardware Form Replace Mark VIeS Safety I/O Pack with Upgraded Hardware Form YDOA is compatible with several types of discrete (relay) output terminal boards. YDOA Terminal Board Compatibility Terminal Board Description TRLYS1B TRLYS1D I/O Pack Redundancy Simplex Dual TMR Relay output with coil sensing Yes No Yes Relay output with solenoid integrity sensing Yes No Yes TRLYS1F, S2F Relay output with TMR contact voting No No Yes SRLYS1A, S2A Form C contact relays Yes No No Yes No Yes SRSAS1A, S3A Compact size with normally open relays Compatible with YDOAS1B firmware V05.00 or later Compatible with the YDOAS1A firmware V04.11 For hardware availability, contact the nearest GE Sales or Service Office, or an authorized GE Sales Representative. I/O pack redundancy refers to the number of I/O packs used in a signal path, as follows: • • Simplex uses one I/O pack. TMR uses three I/O packs. I/O Configuration GEH-6723W Functional Safety Manual 91 Public Information 5.3.2 YDOA Configuration YDOA Module Description Configuration Select Option ✓ or Enter Value I/O pack redundancy Simplex, TMR Hardware group Distributed I/O, Group Terminal board Terminal board type/form/barcode I/O pack configurations Pack form/TB Connector/IONet 5.3.3 Inputs Parameter Description Options ContactInput Enables Relay#Fdbk Unused, Used SignalInvert Inverts Relay#Fdbk signal and Relay#ContactFdbk signal (if available) Do not rely on the SignalInvert property of digital inputs to invert the value. Implement this operation in the application code with the input connected to a NOT block. Normal, Invert SeqOfEvents DiagVoteEnab SignalFilter Record RelayFdbk transitions in sequence of events Not available with TRLY#D. Enable voting disagreement diagnostic Relay feedback digital filter in milliseconds, is only available with TRLYH#C (not available for safety use) Disable, Enable Disable, Enable Zero, Ten, Twenty, Fifty, Hundred 5.3.4 Outputs Parameter Description Options RelayOutput Enable relay output Used, Unused SignalInvert Inversion makes relay closed if signal is False Do not rely on the SignalInvert property of digital inputs to invert the value. Implement this operation in the application code with the input connected to a NOT block. Normal, Invert SeqOfEvents Record relay command transitions in sequence of events Disable, Enable FuseDiag Enable fuse diagnostic (if available) Enable, Disable Select the state of the relay condition based on I/O pack going offline with controller Pre-determined value for the outputs (only displayed if Output_ State is set to Output_Value) PwrDownMode, HoldLastValue, Output_Value Output_State Output_Value Enable Feedback Disagreement Alarm (only displayed for TRLYE and TRLYC). Disables diagnostic generated when relay contact feedback does not match the command. † Not applicable to YDOA EnabAlmFbk† 92 GEH-6723W Off, On Enable, Disable GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.3.5 Variables Name (x = R, S, or T) Description L3DIAG_PDOA_x L3DIAG_YDOA_x I/O diagnostic indication Direction Type Input BOOL LINK_OK_PDOA_x I/O link OK indication LINK_OK_YDOA_x Input BIT ATTN_PDOA_x ATTN_YDOA_x I/O Attention Indication Input BIT IOPackTmpr_x I/O pack temperature Input REAL Cap1_Ready_x† I/O pack capture buffer 1 ready for upload (currently not used) Input BIT Cap2_Ready_x† I/O pack capture buffer 2 ready for upload (currently not used) Input BIT CV_Permissive† CV (control valve) permissive for PGEN PLU function Input BIT IV_Permissive† IV (intercept valve) permissive for PGEN PLU function Input BIT † Not applicable to YDOA Name Description Direction Type Relay# Relay# output command Output BIT Relay#Fdbk Relay# Driver Status (set of 12 relays) Input BIT Relay#ContactFdbk Relay# Contact Status (set of 12 relays), available for TRLY#C, TRLY#E, SRSA, and SRLY only Input BIT Fuse#Fdbk Fuse voltage (if available) Input BIT Solenoid#Status Solenoid# Resistance Sense (set of 6 relays), True means resistance within the range, False means resistance out of the range, available for TRLY#D only Input BIT TRLYS1B Jumper Select ✓ JP1 Excited, DRY JP2 Excited, DRY JP3 Excited, DRY JP4 Excited, DRY JP5 Excited, DRY JP6 Excited, DRY I/O Configuration GEH-6723W Functional Safety Manual 93 Public Information 5.4 YHRA YHRA Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex Hardware group Distributed I/O, Group Terminal board Terminal board type/form/barcode I/O pack configurations Pack form/TB Connector/IONet Parameters Tab Parameter Description Select Option ✓ or Enter Value SystemLimits Enable or disable system limits Enable, Disable Min_MA_Input Select minimum current for healthy 4-20 mA input 0 to 21 mA Max_MA_Input Select maximum current for healthy 4-20 mA input 0 to 21 mA AMS_Msg_Priority AMS messages have priority over controlled messages. Enable, Disable AMS_Msgs_Only AMS messages only, do not send any control messages. Generates alarm 160 when enabled. Enable, Disable AMS_Mux_Scans_ Permitted Allow AMS scan commands for Hart message one and two. Hart message three is always allowed. Enable, Disable Min_MA_HART_Output Minimum current sent to a HART enabled port. HART COMM will not be possible during offline modes if value is set < 4 mA 0 to 22.5 94 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Analog Input Tab (repeat for 10 inputs) YHRA Input Description Select Option ✓ or Enter Value InputType Current or voltage input type Unused, 4-20 mA, ±5 V Low_Input -10 to 20 Low_Value Value of current at the low end of scale Value of input in engineering units at low end of scale High_Input Value of current at the high end of scale -10 to 20 High_Value Value of input in engineering units at high end of scale InputFilter Bandwidth of input signal filter -3.4082 e + 038 to 3.4028 e + 038 Unused, 0.75 Hz, 1.5 Hz, 3 Hz, 6 Hz, 12 Hz Hart_Enable Hart_CtrlVars Hart_ExStatus Hart_MfgID -3.4082 e + 038 to 3.4028 e + 038 Allow the HART Protocol on this I/O point. This must be set to TRUE if HART messages are needed from this field device Number of variables to read from the device. Set to zero if not used. Number of extended status bytes to read from the device. Set to zero if not needed for control. HART field device’s manufacturers code. A diagnostic alarm is sent if the field device ID differs from this value and the value is non-zero. This value can be uploaded from the YHRA if the field device is connected. (Right-click on device name and select Update HART IDS.) Enable, Disable 0 to 5 0 to 26 0 to 255 Hart_DevType HART field device – Type of device. (Refer to Hart_ MfgID) 0 to 255 Hart_DevID HART field device – Device ID. (Refer to Hart_MfgID) 0-116777215 SysLim1Enabl Input fault check Enable, Disable SysLim1Latch Input fault latch Latch, Unlatch SysLim1Type Input fault type ≥ or ≤ SysLim1 Input limit in engineering units -3.4082 e + 038 to 3.4028 e + 038 SysLim2Enabl Input fault check Enable, Disable SysLim2Latch Input fault latch Latch, Unlatch SysLim2Type Input fault type ≥ or ≤ SysLim2 Input limit in engineering units -3.4082 e + 038 to 3.4028 e + 038 DiagHighEnab Enable high input limit Enable, Disable DiagLowEnab Enable low input limit Enable, Disable I/O Configuration GEH-6723W Functional Safety Manual 95 Public Information Analog Output Tab (repeat for 2 outputs) YHRA Output Description Select Option ✓ or Enter Value Output_MA Type of output current, mA selection Unused, Enabled Standby_State State of the outputs when offline PwrDownMode, Hold Last Value, Output_Value Output_Value Pre-determined value for the outputs Low_MA Output mA at low value 0 to 20 mA Low_Value Output in engineering units at low mA -3.4082 e + 038 to 3.4028 e + 038 High_MA Output mA at high value 0 to 20 mA High_Value Output value in engineering units at high mA -3.4082 e + 038 to 3.4028 e + 038 D/AErrLimit Difference between D/A reference and output, in % 0 to 100 % Hart_Enable Hart_CtrlVars Hart_ExStatus Allow the HART protocol on this I/O point. This must be Enable, Disable set to TRUE if HART messages are needed from this field device Number of variables to read from the device. Set to zero 0 to 5 if not needed for control. Number of extended status bytes to read from the 0 to 26 device. Set to zero if not needed for control. Hart_MfgID HART field device’s Manufacturers ID 0 to 255 Hart_DevType HART field device – Type of device. (Refer to Hart_ MfgID) 0 to 255 Hart_DevID HART field device – Device ID. (Refer to Hart_MfgID) 0-116777215 96 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information SHRA (JP1A – JP10A and JP1B – JP10B) Circuit Jumper J1A Input 1 J1B J2A Input 2 J2B J3A Input 3 J3B J4A Input 4 J4B J5A Input 5 J5B J6A Input 6 J6B J7A Input 7 J7B J8A Input 8 J8B J9A Input 9 J9B J10A Input 10 J10B I/O Configuration Select ✓ V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret V dc 20 mA Open Ret 1 mA 20 mA Open Ret 1 mA 20 mA Open Ret GEH-6723W Functional Safety Manual 97 Public Information 5.5 YTCC 5.5.1 YTCC Configuration YTCC Parameters Parameter Description Choices SysFreq Parameters System frequency (used for noise rejection) 50 or 60 Hz SystemLimits Auto Reset Allows user to temporarily disable all system limit checks for testing purposes. Setting this parameter to Disable will cause a diagnostic alarm Enable, Disable to occur. Automatic restoring of thermocouples removed from scan Enable, Disable Thermocouples ThermCplType Select thermocouples type or mV input Unused inputs are removed from scanning, mV inputs are primarily for maintenance, but can also be used for custom remote CJ compensation. Standard remote CJ compensation also available. Unused, mV, T, K, J, E, S Select thermocouples display unit in °C or °F. This value needs to match units of attached variable. The ThermCplUnit parameter affects the native units of the controller application variable. It is only indirectly related to the tray icon and associated unit switching capability of the HMI. This parameter should not be used to switch the display units of the HMI. ThermCplUnit Caution Do not change the ThermCplUnit parameter because these changes will require corresponding changes to application code and to the Format Specifications or units of the connected variable. This parameter modifies the actual value sent to the controller as seen by application code. Application code that is written to expect degrees Fahrenheit will not work correctly if this setting is changed. External devices, such as HMIs and Historians, may also be affected by changes to this parameter deg_F, deg_C LowPassFiltr Enable 2 Hz low pass filter Enable, Disable SysLimit1 System Limit 1 in °C, °F, or mV -60 to 3500 (FLOAT) SysLim1Enabl SysLim1Latch Enable system limit 1 fault check, a temperature limit which can be used Enable, Disable to create an alarm. Latch system limit 1 fault Determines whether the limit condition will latch NotLatch, Latch or unlatch; reset used to unlatch SysLim1Type System limit 1 check type limit occurs when the temperature is greater than or equal (≥), or less than or equal to (≤) a preset value ≥ or ≤ SysLimit2 System Limit 2 in °C, °F, or mV -60 to 3500 (FLOAT) 98 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YTCC Parameters (continued) Parameter SysLim2Enabl SysLim2Latch Description Choices Enable system limit 2 fault check, a temperature limit which can be used Enable, Disable to create an alarm. Latch system limit 2 fault Determines whether the limit condition will latch or unlatch; reset used to unlatch System limit 2 check type limit occurs NotLatch, Latch when the temperature is greater than or equal (≥), or less than or equal to (≤) a preset value SysLim2Type System limit 2 check type limit occurs when the temperature is greater than or equal (≥), or less than or equal to (≤), a preset value ≥ or ≤ TMR_DiffLimt Diagnostic limit, TMR input vote difference in engineering units Limit condition occurs if three temperatures in R, S, T differ by more than a preset value (engineering units); this creates a voting alarm condition. -60 to 3500 (FLOAT) 5.5.1.1 YTCC Cold Junctions Cold junctions are similar to thermocouples but without low pass filters. Cold Junction Name Description Choices ColdJuncType Select CJ Type Remote, Local SysLimit1 Select TC Display Unit Deg °C or °F. Value needs to match units of attached variable System Limit 1 - Deg °F or Deg °C SysLim1Enabl Enable System Limit 1 Fault Check Disable, Enable SysLim1Latch Latch System Limit 1 Fault NotLatch, Latch SysLim1Type System Limit 1 Check Type (≥ or ≤) ≥ or ≤ SysLimit2 System Limit 2 - Deg °F or Deg °C -40 to 185 (FLOAT) SysLim2Enabl Enable System Limit 2 Fault Check Disable, Enable SysLim2Latch Latch System Limit 2 Fault NotLatch, Latch SysLim2Type System Limit 2 Check Type (≥ or ≤) ≥ or ≤ TMR_DiffLimt Diag Limit, TMR Input Vote Difference, in Eng Units -60 to 3500 (FLOAT) ColdJuncUnit I/O Configuration Deg_F, Deg_C -40 to 185 (FLOAT) GEH-6723W Functional Safety Manual 99 Public Information 5.5.1.2 YTCC Variables I/O Points (Signals) Points (Signals) Description - Point Edit (Enter Signal Connection Name) Direction Type L3DIAG_YTCC I/O diagnostic indication Input BIT LINK_OK_YTCC I/O link OK indication Input BIT ATTN_YTCC I/O attention indication Input BIT IOPackTmpr I/O pack temperature Input FLOAT SysLim1TC1 System limit 1 for thermocouple 1 Input BIT ↓ ↓ ↓ ↓ SysLim1TC12 System limit 1 for thermocouple 12 Input BIT SysLim1CJ1 System limit 1 for cold junction Input BIT SysLim2JC1 System limit 2 for cold junction Input BIT SysLim2TC1 System limit 2 for thermocouple 1 Input BIT ↓ ↓ ↓ ↓ SysLim2TC12 System limit 2 for thermocouple 12 Input BIT CJBackup Cold junction backup Output FLOAT CJRemote1 Cold junction remote Output FLOAT Thermocouple01 Thermocouple reading Output FLOAT ↓ ↓ ↓ ↓ Thermocouple12 Thermocouple reading Output FLOAT ColdJunction1 Cold junction for TCs 1-12 Output FLOAT 100 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.6 YVIB 5.6.1 YVIB Compatibility The YVIB I/O pack contains an internal processor board. The following table lists the available versions of the YVIB. YVIB Version Compatibility I/O Pack Processor Board Compatible (Supported) Firmware ControlST Software Suite Versions YVIBS1A YVIBS1B BPPB BPPC V04.06 V05.01 and later V04.06 and later V06.02 and later Use the following table to determine the correct replacement for the YVIB I/O pack firmware. For replacement instructions, refer to the section Mark VIeS Safety I/O Pack Replacement (Same Hardware Form) or Mark VIeS I/O Pack Replacement (Upgraded Hardware Form). YVIB I/O Pack Replacement Use Cases Module Redundancy Simplex Failed Hardware Form YVIBS1A YVIBS1B YVIBS1A TMR New Hardware Form YVIBS1A YVIBS1B YVIBS1B YVIBS1A YVIBS1B (all three must be replaced with S1Bs) YVIBS1B YVIBS1B YVIBS1A and YVIBS1B cannot be mixed on a TMR module. Attention If upgrading to YVIBS1B from an existing YVIBS1A configuration, correct the GAP12 configuration using ToolboxST. Attention After upgrading existing YVIBS1A applications to YVIBS1B, the user may need to use the configurable low-pass filter to roll-off responses to match existing peak-to-peak calculations. This is because the YVIBS1B has an increased input signal bandwidth of 4500 Hz. Do NOT upgrade the firmware of any YVIBS1A to a version beyond V04.06.03C. Making this mistake is extremely difficult to reverse, and would be best if the site then upgrades to YVIBS1B. Attention I/O Configuration GEH-6723W Functional Safety Manual 101 Public Information The YVIB I/O pack is compatible with the Vibration (TVBA) terminal board. Note Refer to the section TVBA Compatibility for additional information. YVIB Terminal Board Compatibility Terminal Board I/O Pack Redundancy Description Does not have buffered outputs. IEC 61805 certified with YVIB. Provides buffered outputs and output connections. IEC 61805 certified with YVIB. Safety vibration terminal board with buffered outputs; N28 function integrated into terminal board and YVIB S-position is lined up vertically with R and T positions. TVBAS1A TVBAS2A TVBAS2B Simplex Dual TMR Yes No Yes Yes No Yes Yes No Yes I/O pack redundancy refers to the number of I/O packs used in a signal path, as follows: • • Simplex uses one I/O pack. TMR uses three I/O packs. The following table provides a summary of differences between the YVIBS1A and YVIBS1B. Summary of YVIB Version Differences I/O Pack Processor Board† Application Enhanced Board(s)† Signal Mode‡ Channels Sensor Types YVIBS1A BPPB BAFA KAPA No 13 Refer to the table YVIB Supported Sensor Inputs YVIBS1B BPPC BBAA Yes 13 Refer to the table YVIB Supported Sensor Inputs † These boards are internal to the I/O pack and are not replaceable. ‡ YVIBS1B supports an additional KeyPhasor* input, a CDM input, and other enhanced processing capabilities. The following table displays the available sensor types per channel for YVIBS1A and YVIBS1B. YVIB Supported Sensor Inputs YVIB Channel YVIBS1A YVIBS1B Sensor Type Typical Application Accelerometer Dynamic pressure probe Aero-derivative gas turbines 1-8 1-8 Land-Marine (LM) and Heavy-duty gas turbines (HDGT) N/A 1-8 Radial or axial measurements of turbine-driven generators, compressors, and pumps. 1-8 1-8 Proximitors* (Vibration) Velomitor* Pedestal or slot-type Keyphasor Structural Vibration (mounted to case) 1-8 1-8 Rotor velocity and phase measurements 13 12, 13 Seismics Structural Vibration (mounted to case) 1-8 1-8 Proximitors (Position) Axial measurements 1-13 1-13 102 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.6.2 YVIBS1B Configuration Parameters Tab Parameter SystemLimits OperatingMode Description Choices Allows user to temporarily disable all system limit checks for testing purposes. Setting this parameter to Disable will cause a diagnostic alarm to occur. Legacy is the backwards compatibility mode for PVIBH1A. Enhanced enables enhanced algorithms for PVIBH1B and YVIBS1B that are not compatible with PVIBH1A, including Low Latency Peak-Peak Algorithm and Vibration RMS Algorithm Enable, Disable (default: Enable) Legacy, Enhanced (default: Legacy) Vib_PP_Fltr First order filter time constant (sec) — cannot be disabled 0.01 to 2 (default: 0.10) MaxVolt_Prox Maximum Input Volts (pk-neg), healthy Input, Prox -4 to 0 (default: -1.5) MinVolt_Prox Minimum Input Volts (pk-neg), healthy Input, Prox -24 to -16 (default: –18.5) MaxVolt_KP Maximum Input Volts (pk-neg), healthy Input, Keyphasor -4 to 0 (default: -1.5) MinVolt_KP Minimum Input Volts (pk-neg), healthy Input, Keyphasor -24 to -16 (default: -22.0) MaxVolt_Seis Maximum Input Volts (pk-pos), healthy Input, Seismic:Values > 1.25 require use of GnBiasOvride 0 to 2.75 (default: 1.0) MinVolt_Seis Minimum Input Volts (pk-neg), healthy Input, Seismic:Values < -1.25 require use of GnBiasOvride -2.75 to 0 (default: -1.0) MaxVolt_Acc Maximum Input Volts (pk), healthy Input, Accel -12 to 1.5 (default: -8.5) MinVolt_Acc Minimum Input Volts (pk-neg), healthy Input, Accel -24 to -1 (default: -11.5) MaxVolt_Vel Maximum Input Volts (pk), healthy Input, Velomitor -12 to 1.5 -24 to -1 MinVolt_Vel Minimum Input Volts (pk-neg), healthy Input, Velomitor MaxVolt_CDM_BN Maximum Input Volts (pk), healthy Input, CDM Bently Nevada -12 to 24 MinVolt_CDM_BN Minimum Input Volts (pk-neg), healthy Input, CDM Bently Nevada -24 to 12 MaxVolt_CDM_PCB Maximum Input Volts (pk), healthy Input, CDM PCB -12 to 24 MinVolt_CDM_PCB Minimum Input Volts (pk-neg), healthy Input, CDM PCB -24 to 12 CDM_Scan_Period The scan period for CDM sensor inputs in seconds Only assign as 0.01 increments 0.01 to 2.0 I/O Configuration GEH-6723W Functional Safety Manual 103 Public Information Variables Tab Variables Description Direction Data Type L3DIAG_XXXX_x I/O Pack Diagnostic Indicator (XXXX = I/O pack name and x = R, S, or T) Input BOOL LINK_OK_XXXX_x IONet Link OK Indicator (XXXX = I/O pack name and x = R, S, or T) Input BOOL ATTN_XXXX_x I/O Pack Status Indicator (XXXX = I/O pack name and x = R, S, or T) Input BOOL PS18V_XXXX_x I/O Pack 18 V Power Supply Indication (XXXX = I/O pack name and x = R, S, or T) Input BOOL PS28V_XXXX_x I/O Pack 28 V Power Supply Indication (XXXX = I/O pack name and x = R, S, or T) Input BOOL IOPackTmpr_x I/O Pack Temperature at the processor (x = R, S, or T) Input BOOL RPM_KPH1 Speed (RPM)of KP#1, calculated from input#13 Analog Input REAL RPM_KPH2 Speed (RPM)of KP#2, calculated from input#12 (PVIBH1B only) Analog Input REAL LM_RPM_A Speed A(RPM), calculated externally to the I/O Pack Analog Output REAL LM_RPM_B Speed B(RPM), calculated externally to the I/O Pack Analog Output REAL LM_RPM_C Speed C(RPM), calculated externally to the I/O Pack Analog Output REAL SysLim1GAPx (x = 1 to 13) Boolean set TRUE if System Limit 1 exceeded for Gap x input Input BOOL SysLim2GAPx (x = 1 to 13) Boolean set TRUE if System Limit 2 exceeded for Gap x input Input BOOL SysLim1VIBx (x = 1 to 8) Boolean set TRUE if System Limit 1 exceeded for Vib x input Input BOOL SysLim2VIBx (x = 1 to 8) Boolean set TRUE if System Limit 2 exceeded for Vib x input Input BOOL SysLim1ACCx (x = 1 to 9) Boolean set TRUE if System Limit 1 exceeded for Accelerometer x input Input BOOL SysLim2ACCx (x = 1 to 9) Boolean set TRUE if System Limit 2 exceeded for Accelerometer x input Input BOOL 104 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Probe Nominal Settings Probe Type Gain † Snsr_Offset (Vdc) Scale (typical value) Proximity 1x 9 200 mv/mil Seismic 4x 0 150 mv/ips Velomitor 2x 12 100 mv/ips Accelerometer 2x 10 150 mv/ips Keyphasor 1x 9 200 mv/mil Bently Nevada CDM 2x 10 170 mv/psi PCB CDM 2x -12 170 mv/psi † These are the default settings used if GnBiasOvride = Disable. LM 1–3 Tab (1 of 2) Name Description Direction Data Type LMVib#A ↓ LMVib#C Magnitude of 1X harmonic relative to LM_RPM_A, B, or C calculated from input #1, 2, or 3 (9 total inputs) AnalogInput REAL LM 1–3 Tab (2 of 2) Description Choices TMR_DiffLimit Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLimit1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – Vibration in mils (prox) or Inch/sec (seismic, acel) -100 to 100 (default: 50) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – Vibration in mils (prox) or Inch/sec (seismic, acel) -100 to 100 (default: 0) I/O Configuration GEH-6723W Functional Safety Manual 105 Public Information Vib1x 1-8 Tab Data Type Name Description VIB_1X1 Magnitude of 1X harmonic relative to key phasor speed calculated from input #1 AnalogInput ↓ ↓ VIB_1X8 Magnitude of 1X harmonic relative to key phasor speed calculated from input #8 AnalogInput REAL Vib1xPH1 ↓ Angle of 1X harmonic relative to key phasor calculated from input #1 AnalogInput ↓ ↓ REAL ↓ Vib1xPH8 Angle of 1X harmonic relative to key phasor calculated from input #8 AnalogInput REAL Name Description Direction Data Type VIB_2X1 Magnitude of 2X harmonic relative to key phasor speed calculated from input #1 AnalogInput ↓ ↓ VIB_2X8 Magnitude of 2X harmonic relative to key phasor speed calculated from input #8 AnalogInput REAL Vib2xPH1 ↓ Angle of 2X harmonic relative to key phasor calculated from input #1 AnalogInput ↓ ↓ REAL ↓ Vib2xPH8 Angle of 2X harmonic relative to key phasor calculated from input #8 AnalogInput REAL Direction ↓ REAL ↓ Vib2x 1-8 Tab ↓ REAL ↓ Vib 1-8 Tab (1 of 2) Name Description Direction Data Type VIB1 Vibration displacement (pk-pk) or velocity (pk), AC component of input #1 AnalogInput REAL ↓ ↓ ↓ ↓ VIB8 Vibration displacement (pk-pk) or velocity (pk), AC component of input #8 AnalogInput REAL Vib 1-8 Tab (2 of 2) Description Choices VIB_Pk-Pk, Vib_RMS ‡ (default: VIB_Pk-Pk) VIB_CalcSel TMR_DiffLimt Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) Filter Type Filter used for Velomitor and Seismic only None, Low Pass, High Pass, Band Pass (default: None) Filtrhpcutoff High Pass 3db point (cutoff in Hz) 4 to 300 (default: 6) fltrlpattn Slope or attenuation of high pass filter after cutoff 2-pole, 4-pole, 6-pole, 8-pole, 10-pole (default: 2-pole) Filtrlpcutoff Low Pass 3db point (cutoff in Hz) 15 to 4300 (default: 500) fltrlppattn Slope or attenuation of low pass filter after cutoff 2-pole, 4-pole, 6-pole, 8-pole, 10-pole (default: 2-pole) SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 50) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 0) ‡Vib_RMS is only valid when OperatingMode is Enhanced and when using a PVIBH1B or YVIBS1B 106 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Gap 1-3 (1 of 2) Name Description Direction Data Type GAP1_VIB1 Average Air Gap (for Prox) or DC volts(for others), DC component of input #1 AnalogInput REAL GAP2_VIB2 Average Air Gap (for Prox) or DC volts(for others), DC component of input #2 AnalogInput REAL GAP3_VIB3 Average Air Gap (for Prox) or DC volts(for others), DC component of input #3 AnalogInput REAL Gap 1-3 (2 of 2) Description Choices VIB_Type4 Type of vibration probe, group 4 CDM_BN_ChgAmp†, CDM_PCB_ChgAmp†, PosProx, Unused, VibLMAccel ‡, VibProx, VibProx-KPH1, VibProx-KPH2, VibSeismic, VibVelomitor (default: Unused) Scale Volts/mil or Volts/ips 0 to 2 (default: 0.2) Scale_Off Scale offset for Prox position only, in mils 0 to 90 (default: 0) TMR_DiffLimit Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) GnBiasOvride Gain Bias Override Enable, Disable (default: Disable) Snsr_Offset Gain Amount of bias voltage (dc) to remove from input signal used to ±13.5 (default: 10) max. A/Ds signal range used only when GnBiasOvride is enabled Resolution of input signal (net gain unchanged), select based 1x, 2x, 4x, 8x (default: 1x) on expected range, use only if GnBiasOvride is enabled LMlpcutoff Low pass 3dB point (cutoff Hz) for LM tracking filters 1.5Hz, 2.0Hz, 2.5Hz, 3.0Hz, 3.5Hz, 4.0Hz, 4.5Hz, 5.0Hz (default: 2.5Hz) SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 90) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 10) CDM_Probe_Gain PCB Probe Gain, pico-coulombs per psi 1 to 100 (default: 17) CDM_Amp_Gain PCB Charge amplifier Gain, millivolts per pico-coulomb 1 to 100 (default: 10) † only valid with PVIBH1B or YVIBS1B. ‡ LM Tracking Filter magnitude value may be inaccurate at 160, 320 ms frame periods. I/O Configuration GEH-6723W Functional Safety Manual 107 Public Information Gap 4-8 (1 of 2) Name Description Direction Data Type GAP4_VIB4 Average Air Gap (for Prox) or DC volts(for others),DC component of input #4 AnalogInput REAL ↓ ↓ ↓ ↓ GAP8_VIB8 Average Air Gap (for Prox) or DC volts(for others),DC component of input #8 AnalogInput REAL Gap 4-8 (2 of 2) Description Choices VIB_Type Type of vibration probe, group 1 CDM_BN_ChgAmp†, CDM_PCB_ChgAmp†, PosProx, Unused, VibLMAccel, VibProx, VibProx-KPH1, VibProx-KPH2, VibSeismic, VibVelomitor (default: Unused) Scale Volts/mil or Volts/ips 0 to 2 (default: 0.2) Scale_Off Scale offset for Prox position only, in mils 0 to 90 (default: 0) TMR_DiffLimit Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) GnBiasOvride Gain Bias Override Enable, Disable (default: Disable) Snsr_Offset Gain Amount of bias voltage (dc) to remove from input signal used to ±13.5 (default: 10) max. A/Ds signal range used only when GnBiasOvride is enabled Resolution of input signal (net gain unchanged), select based 1x, 2x, 4x, 8x (default: 1x) on expected range, use only if GnBiasOvride is enabled SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 90) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 10) CDM_Probe_Gain PCB Probe Gain, pico-coulombs per psi 1 to 100 (default: 17) CDM_Amp_Gain PCB Charge amplifier Gain, millivolts per pico-coulomb 1 to 100 (default: 10) † only valid with PVIBH1B or YVIBS1B. 108 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Gap 9-11 (1 of 2) Name Description Direction Data Type GAP9_POS1 Average Air Gap, DC component of input #9 AnalogInput REAL GAP10_POS2 Average Air Gap, DC component of input #10 AnalogInput REAL GAP11_POS3 Average Air Gap, DC component of input #11 AnalogInput REAL Gap 9-11 (2 of 2) Description Choices VIB_Type2 Sensor Type, group 2 Unused, PosProx (default: Unused) Scale Volts/mil or Volts/ips 0 to 2 (default: 0.2) Scale_Off Scale offset for Prox position only, in mils 0 to 90 (default: 0) TMR_DiffLimit Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) GnBiasOvride Gain Bias Override Enable, Disable (default: Disable) Snsr_Offset Gain Amount of bias voltage (dc) to remove from input signal used to ±13.5 (default: 10) max. A/Ds signal range used only when GnBiasOvride is enabled Resolution of input signal (net gain unchanged), select based 1x, 2x, 4x, 8x (default: 1x) on expected range, use only if GnBiasOvride is enabled SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 90) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 10) I/O Configuration GEH-6723W Functional Safety Manual 109 Public Information KPH Tab (1 of 2) Name Description Direction Data Type GAP12_KPH2 Average Air Gap, DC component of input #9 AnalogInput REAL GAP13_KPH1 Average Air Gap, DC component of input #10 AnalogInput REAL KPH Tab (2 of 2) Description Choices VIB_Type3 Sensor Type, group 3 Unused, PosProx, KeyPhasor† (default: Unused) Scale Volts/mil or Volts/ips 0 to 2 (default: 0.2) Scale_Off Scale offset for Prox position only, in mils 0 to 90 (default: 0) TMR_DiffLimit Difference Limit for Voted TMR Inputs in Volts or Mils -100 to 100 (default: 2) KPH_Thrshld Voltage difference from gap voltage where keyphasor triggers 1.0 to 5.0 (default: 2.0) KPH_Type Keyphasor type Slot, Pedestal (default: Slot) GnBiasOvride Gain Bias Override Enable, Disable (default: Disable) Snsr_Offset Gain Amount of bias voltage (dc) to remove from input signal used to ±13.5 (default: 10) max. A/Ds signal range used only when GnBiasOvride is enabled Resolution of input signal (net gain unchanged), select based 1x, 2x‡, 4x, 8x‡ (default: 1x) on expected range, use only if GnBiasOvride is enabled SysLim1Enabl Enable System Limit 1 Enable, Disable (default: Disable) SysLim1Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim1Type System Limit 1 Check Type >= or <= (default: >=) SysLimit1 System Limit 1 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 90) SysLim2Enabl Enable System Limit 2 Enable, Disable (default: Disable) SysLim2Latch Latch the alarm Latch, NotLatch (default: Latch) SysLim2Type System Limit 2 Check Type >= or <= (default: >=) SysLimit2 System Limit 2 – GAP in negative volts (Velomitor) or positive mils (Prox) -100 to 100 (default: 10) † only valid with PVIBH1B or YVIBS1B. ‡ Gain 2x and Gain 8x are Never valid on GAP12_KPH2. 110 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.6.3 YVIBS1A Configuration YVIB Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex, TMR Hardware group Distributed I/O, Group Main terminal board Terminal board type/ HW form/ barcode/ Group/ TB Location I/O pack configurations Pack form/ TB Connector/ IONet YVIB Parameter Description Choices SystemLimits Enable system limits Enable, Disable TVBA Parameters Tab Vib_PP_Fltr First order filter time constant (sec) 0.04 to 2 MaxVolt_Prox Maximum Input Volts (pk-neg), healthy Input, Prox -4 to 0 MinVolt_Prox Minimum Input Volts (pk-neg), healthy Input, Prox -24 to -16 MaxVolt_KP Maximum Input Volts (pk-neg), healthy Input, Keyphasor transducer -4 to 0 MaxVolt_Seis Minimum Input Volts (pk-neg), healthy Input, Keyphasor -24 to -16 transducer Maximum Input Volts (pk-pos), healthy Input, Seismic 0 to 2.5 MinVolt_Seis Minimum Input Volts (pk-neg), healthy Input, Seismic -2.5 to 0 MaxVolt_Acc Maximum Input Volts (pk-neg), healthy Input, Accel -12 to 1.5 MinVolt_Acc Minimum Input Volts (pk-neg), healthy Input, Accel -24 to -1 MinVolt_KP MaxVolt_Vel MinVolt_Vel Maximum Input Volts (pk-neg), healthy Input, Velomitor* -12 to 1.5 sensors Maximum Input Volts (pk-neg), healthy Input, Velomitor -24 to -1 sensors Variables YVIB Variables Description Setting LM_RPM_A Speed A in RPM (calculated externally to the YVIB) (Output FLOAT) LM_RPM_B Speed B in RPM (calculated externally to the YVIB) (Output FLOAT) LM_RPM_C Speed C in RPM (calculated externally to the YVIB) (Output FLOAT) I/O Configuration GEH-6723W Functional Safety Manual 111 Public Information Vib 1-8 Configuration 1 Tab Vib 1-8 Description Setting TMR_DiffLmt Difference Limit for Voted TMR Inputs in V or Mils FilterType Filter used for Velomitor sensors and Seismic only -1200 to 1200 None, Low Pass, High Pass, Band Pass Fltrhpcutoff High Pass 3db point (cutoff in Hz) 4 to 30 Hz Fltrhpattn Slope or attenuation of filter after cutoff 2 pole, 4 pole, 6 pole, 8 pole Fltrlpcutoff Low Pass 3db point (cutoff in Hz) 300 to 2300 Hz Fltrhpattn Slope or attenuation of filter after cutoff 2 pole, 4 pole, 6 pole, 8 pole SysLim1Enabl Enable system limit 1 fault check Disable, Enable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 - check type (≥ or ≤) ≥ or ≤ SysLimit1 System limit 1 - vibration in mils (Prox) or inch/sec (seismic, acel) -1200 to 1200 SysLim2Enabl Enable system limit 2 fault check Disable, Enable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 - check type (≥ or ≤) ≥ or ≤ SysLimit2 System limit 2 - vibration in mils (Prox) or inch/sec (seismic, acel) -1200 to 1200 Gap 1-3 Tab Gap 1-3 VIB_Type Description Setting Unused, PosProx, VibProx, VibProx-KPH, VibLMAccel, VibSeismic, VibVelomitor 0 to 2 Type of vibration probe Scale V/mil or V/ips Scale_Off Scale offset for Prox position only, in mils GnBiasOvride Gain Bias Override Amount of bias voltage (dc) to remove from input signal used to max. A/Ds signal range used only when GnBiasOvride is enabled Used only when GnBiasOvride = Enables and modifies the resolution of the incoming signal Snsr_Offset Gain 0 to 1200 Enable, Disable ±13.5 V dc 1x, 2x, 4x, 8x LMlpcutoff Tracking filter lowpass cutoff frequency in Hz TMR_DiffLmt Difference Limit for Voted TMR Inputs in V or Mils -1200 to 1200 SysLim1Enabl Enable system limit 1 fault check Disable, Enable 1.5, 2, 2.5, 3, 3.5, 4, 4.5, 5 SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 - check type (≥ or ≤) ≥ or ≤ SysLimit1 System limit 1 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 SysLim2Enabl Enable system limit 2 fault check Disable, Enable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 - check type (≥ or ≤) ≥ or ≤ SysLimit2 System limit 2 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 112 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Gap 4-8 Tab Gap 4-8 Description Setting VIB_Type Type of vibration probe Unused, PosProx, VibProx, VibProx-KPH, VibSeismic, VibVelomitor Scale V/mil or V/ips 0 to 2 Scale_Off Scale offset for Prox position only, in mils GnBiasOvride Gain Bias Override Amount of bias voltage (dc) to remove from input signal used to max. A/Ds signal range used only when GnBiasOvride is enabled Used only when GnBiasOvride = Enables and modifies the resolution of the incoming signal 0 to 1200 Enable, Disable Snsr_Offset Gain ±13.5 V dc 1x, 2x, 4x, 8x TMR_DiffLmt Difference Limit for Voted TMR Inputs in V or Mils -1200 to 1200 SysLim1Enabl Enable system limit 1 fault check Disable, Enable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 - check type (≥ or ≤) ≥ or ≤ SysLimit1 System limit 1 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 SysLim2Enabl Enable system limit 2 fault check Disable, Enable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 - check type (≥ or ≤) ≥ or ≤ SysLimit2 System limit 2 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 Gap 9-12 Tab Gap 9-12 Description Setting VIB_Type Type of vibration probe Unused, PosProx Scale V/mil or V/ips 0 to 2 Scale_Off Scale offset for Prox position only, in mils GnBiasOvride 0 to 1200 Enable, Disable Gain Bias Override Amount of bias voltage (dc) to remove from input signal ±13.5 V dc used to max. A/Ds signal range used only when GnBiasOvride is enabled Used only when GnBiasOvride = Enables and modifies 1x, 4x the resolution of the incoming signal Snsr_Offset Gain TMR_DiffLmt Difference Limit for Voted TMR Inputs in V or Mils -1200 to 1200 SysLim1Enabl Enable system limit 1 fault check Disable, Enable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 - check type (≥ or ≤) ≥ or ≤ SysLimit1 System limit 1 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 SysLim2Enabl Enable system limit 2 fault check Disable, Enable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 - check type (≥ or ≤) ≥ or ≤ SysLimit2 System limit 2 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 I/O Configuration GEH-6723W Functional Safety Manual 113 Public Information KPH Tab KPH Description Setting VIB_Type Type of vibration probe Unused, PosProx, KeyPhasor Scale V/mil or V/ips 0 to 2 Scale_Off Scale offset for Prox position only, in mils 0 to 1200 KPH_Thrshld Sets voltage threshold point for pulse detect comparator 1 to 5 KPH_Type GnBiasOvride Snsr_Offset Gain Slot, Pedestal Enable, Disable Gain Bias Override Amount of bias voltage (dc) to remove from input signal ±13.5 V dc used to max. A/Ds signal range used only when GnBiasOvride is enabled Used only when GnBiasOvride = Enables and modifies 1x, 2x, 4x, 8x the resolution of the incoming signal TMR_DiffLmt Difference Limit for Voted TMR Inputs in V or Mils SysLim1Enabl Enable system limit 1 fault check Disable, Enable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 - check type (≥ or ≤) ≥ or ≤ SysLimit1 System limit 1 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 SysLim2Enabl Enable system limit 2 fault check Disable, Enable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 - check type (≥ or ≤) ≥ or ≤ SysLimit2 System limit 2 - gap in negative V (for Vel) or positive mils (for Prox) -1200 to 1200 114 GEH-6723W -1200 to 1200 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information TVBA Jumper TVBA Jumper Select Seismic (S) J1A Prox or Accel (P, A) Velomitor sensors (V) J2A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J3A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J4A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J5A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J6A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J7A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) J8A Seismic (S) Prox or Accel (P, A) Velomitor sensors (V) I/O Configuration GEH-6723W Functional Safety Manual 115 Public Information TVBA Jumper (continued) TVBA Jumper Select Seismic (S) J1B Prox, Velomitor sensors or Accel (P, V, A) 116 J2B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J3B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J4B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J5B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J6B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J7B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J8B Seismic (S) Prox, Velomitor sensors or Accel (P, V, A) J1C PCOM, OPEN J2C PCOM, OPEN J3C PCOM, OPEN J4C PCOM, OPEN J5C PCOM, OPEN J6C PCOM, OPEN J7C PCOM, OPEN J8C PCOM, OPEN GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.7 YPRO YPRO Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex, TMR Hardware group Distributed I/O, Group Terminal board type/ HW form/ Barcode/ Group/ TB Location Terminal board Phy Pos/ Type/ HW form/ Group/ TB Location SPRO TPRO I/O pack configurations Pack form/ TB Connector/ IONet S1B YPRO Parameter Description Select Option ✓ or Enter Value TurbineType Turbine type and trip solenoid configuration Unused, GT_1Shaft, LM_3Shaft, MediumSteam, SmallSteam, GT_ 2Shaft, Stag_GT_1Sh, Stag_GT_2Sh, LargeSteam, LM_2Shaft LMTripZEnabl On LM machine, when no PR on Z, enable a vote for trip Disable, Enable TA_Trp_Enab1 Steam, enable trip anticipate on ETR1 Disable, Enable TA_Trp_Enab2 Steam, enable trip anticipate on ETR2 Disable, Enable TA_Trp_Enab3 Steam, enable trip anticipate on ETR3 Disable, Enable Main terminal board Auxiliary terminal board TREG Parameters Tab StaleSpdEn Enable trip on speed difference between controller and YPRO Enable trip on speed from controller freezing RotateLeds LedDiags Rotate the status LEDs if all status are OK Generate diagnostic alarm when LED status lit RatedRPM_TA Rated RPM, used for trip anticipator and for speed diff protection SilMode Perform additional SIL diagnostic and trip checks AccelCalType Select acceleration calculation time (ms) OS_Diff Absolute speed difference in percent for trip threshold SpeedDifEn Disable, Enable Disable, Enable Disable, Enable Disable, Enable Disable, Enable Pulse Rate Tab (3 each) YPRO Pulse Rates Description Select Option ✓ or Enter Value PRType Pulse rate type Unused, Flow, Speed, Speed High, Speed LM PRScale OSHW_Setpoint Pulses per revolution 0 to 1000 Hardware overspeed trip set point in RPM 0 to 20000 OS_Setpoint Overspeed trip set point in RPM 0 to 20000 OS_Tst_Delta Offline overspeed test set point delta in RPM -2000 to 2000 Zero_Speed Zero speed for this shaft in RPM 0 to 20000 Min_Speed Minimum speed for this shaft in RPM 0 to 20000 Accel_Trip Enable acceleration trip Enable, Disable Acc_Setpoint Acceleration trip set point in RPM 0 to 20000 TMR_DiffLimit Diagnostic limit, TMR vote difference limit in engineering units 0 to 20000 I/O Configuration GEH-6723W Functional Safety Manual 117 Public Information PT Input Tab (BUS and GEN) YPRO Parameter Description Select Option ✓ or Enter Value PT_Input PT primary in engineering nits (kv or percent) for PT_Output 0 to 1000 PT_Output PT output in volts rms for PT_Input – typically 115 0 to 150 TMR_DiffLimt Diag Limit, TMR input vote difference, in engineering units 0 to 1000 E-stop (SPRO) Tab YPRO Parameter Description Select Option ✓ or Enter Value DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable E-stop Tab (TREA) YPRO Parameter Description Select Option ✓ or Enter Value EstopEnab Enable E-stop detection on TREA board Disable, Enable DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable ETR Relays Tab (3 TREG, 2 TREA) YPRO Parameter Description Select Option ✓ or Enter Value RelayOutput Relay signal Unused, Used DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable DiagSolEnab Enable solenoid voltage diagnostic Disable, Enable K25 Tab YPRO Parameter Description Select Option ✓ or Enter Value SynchCheck Synch check relay K25A used Unused, Used DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable SystemFreq System frequency in hertz 60 Hz, 50 Hz ReferFreq Select freq reference for PLL, PR_Std input (If single shaft PR1, otherwise PR2) or from signal space PR_Std, SgSpace TurbRPM Rated RPM, load turbine 0 to 20000 VoltageDiff Maximum voltage diff in engineering nits (kv or percent) for synchronizing 1 to 1000 FreqDiff Maximum frequency difference in hertz for synchronizing 0 to 0.5 PhaseDiff GenVoltage BusVoltage 118 GEH-6723W Maximum phase difference in degrees for synchronizing 0 to 30 Allowable minimum generator voltage, engineering units (kv or percent) for synchronizing. Typically 50% of 1 to 1000 rated Allowable minimum bus voltage, engineering units (kv 1 to 1000 or percent) for synchronizing. Typically 50% of rated GEH-6723 Mark VIeS Control Functional Safety Manual Public Information K4CL Tab YPRO Parameter Description Select Option ✓ or Enter Value Signal Relay signal Unused, Used DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable Econ Relays (3) Tab YPRO Parameter Description Select Option ✓ or Enter Value Signal Relay signal Unused, Used DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable Contacts (7) Tab YPRO Parameter Description Select Option ✓ or Enter Value ContactInput Contact input Unused, Used SeqOfEvents Record contact transitions in sequence of events Disable, Enable DiagVoteEnab Enable voting disagreement diagnostic Disable, Enable TripMode Trip mode Direct, Conditional, Disable TREA YPRO Speed Input Connections Function Jumper Wire to all 9 pulse inputs: PR1_X – PR3_Z Each set of three pulse inputs goes to its Cannot use jumper: Place in STORE own dedicated YPRO I/O pack. position. Wire to bottom 3 pulse inputs only: PR1_X – PR3_X; No wiring to PR1_Y-PR3_Z The same set of signals is fanned to all the YPRO I/O packs. Use jumper: Place over pin pairs. TREA Jumper YPRO Jumper Select ✓ P1 FAN, STORE P2 FAN, STORE I/O Configuration GEH-6723W Functional Safety Manual 119 Public Information 5.8 YSIL YSIL Protection Hardware & Field Upgrade Kits I/O Pack or Terminal Board or Mod Kit Description YSILS1B YSIL Protection I/O pack(s), Qty 3 TCSAS1A TMR only Turbine Protection Terminal board Turbine Protection daughter board that plugs onto the TCSAS1A TMR terminal board Auxiliary simplex (SMX) terminal board(s), Qty 3 WCSAS1A SCSAS1A SSUPS1A Snubber Protection terminal board for use with solid-state ETR channels Field Mod kit – includes SSUP and mounting hardware 134T9179G0001 Field Mod kit for Emergency Stop input to withstand the IEC 61326-3-1:2017 EMC Immunity Surge test 136T0260G0001 5.8.1 YSIL Configuration 5.8.1.1 Parameters YSIL Parameters Parameter Description Choices PRGrouping Select grouping of speed inputs: 2 Shafts (3 speed sensors/shaft), 3 shafts (2 speed sensors/shaft), 3 shafts (3 speed sensors/shaft) 2Shafts_3Sensors, 3Shafts_2Sensors, 3Shafts_3Sensors (default: 3Shafts_2Sensors) LMTripZEnabl On LM machine, when no PR on Z, Enable a vote for Trip Enable, Disable (default: Enable) TA_Trp_Enab1 Steam, Enable Trip Anticipate on ETR1 Enable, Disable (default: Disable) TA_Trp_Enab2 Steam, Enable Trip Anticipate on ETR2 Enable, Disable (default: Disable TA_Trp_Enab3 Steam, Enable Trip Anticipate on ETR3 Enable, Disable (default: Disable) SpeedDifEn Enable Trip on Speed Difference between Controller and YSIL Enable, Disable (default: Enable) StaleSpdEn Enable Trip on Speed from Controller Freezing Enable, Disable (default: Enable) No_T_PS_Req No Flame Detect Power Supply required for T Enable, Disable (default: Disable) RotateLeds Rotate the Status LEDs if all status are OK Enable, Disable (default: Enable) LedDiags Generate diag alarm when LED status lit Enable, Disable (default: Disable) TemperatureUnits Used for SCSA Thermocouples and Cold Junctions °C, °F (default: °F) SystemFreq System frequency in Hz 50Hz, 60Hz (default: 60Hz) Turbine Type and Trip Solenoid Configuration Unused, GT_1Shaft, GT_2Shaft, LargeSteam, LM_2Shaft, LM_3Shaft, MediumSteam, SmallSteam, Stag_GT_1Sh, Stag_GT_2Sh (default: Unused) TurbineType 120 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YSIL Parameters (continued) Parameter Description Choices AccelCalType Rated RPM, used for Trip Anticipater and for Speed Diff Protection Select Acceleration Calculation Time (msec) OS_Diff Absolute Speed Difference in Percent For Trip Threshold Default: 5.0 AMS_Mux_Scans_Permitted AMS mulitplexer scans for command 1 and 2 are allowed (command 3 always allowed). Refer to the section Asset Management System Tunnel Command for more information. Enable, Disable (default: Disable) Min_MA_Input Minimum mA for Healthy 4–20 mA Input Default: 3.8 Max_MA_Input Maximum mA for Healthy 4–20 mA Input Default: 20.5 Excitation_Volt Contact Input Excitation (wetting) Voltage (SCSA and TCSA must use the same voltage level) 125V, 24V, 48V (default: 24V) RBOS1_Enab HP Rate-based Overspeed enable Disable, Enable † RBOS1_AccelSetptn, n=1-5 HP Rate-based Overspeed acceleration setpoint n, RPM/s 0 to 20,000 † RBOS1_OSSetptn, n=1-5 HP Rate-based Overspeed setpoint n, RPM 0 to 20,000 RatedRPM_TA Default: 3600 Default: 70 RBOS2_Enab LP Rate-based Overspeed enable Disable, Enable † RBOS2_AccelSetptn, n=1-5 LP Rate-based Overspeed acceleration setpoint n, RPM/s 0 to 20,000 † RBOS2_OSSetptn, n=1-5 LP Rate-based Overspeed setpoint n, RPM 0 to 20,000 RBOS3_Enab IP Rate-based Overspeed enable Disable, Enable † RBOS3_AccelSetptn, n=1-5 IP Rate-based Overspeed acceleration setpoint n, RPM/s 0 to 20,000 † RBOS3_OSSetptn, n=1-5 IP Rate-based Overspeed setpoint n, RPM 0 to 20,000 † RBOS setpoints have restrictions in their relative values. Refer to the section RBOS Parameter Restrictions for further details. 5.8.1.2 RBOS Parameter Restrictions The following restrictions apply to the relative values of RBOS setpoints (within a given shaft): 1. RBOS#_AccelSetpts must increase in value by at least 0.1 RPM/s (RBOS1_AccelSetpt2 must be 0.1 RPM/s or greater than RBOS1_AccelSetpt1). This prevents an infinite slope calculation in the overspeed setpoint profile. 2. RBOS#_OSSetpts must be either equal to or less than the previous entry (RBOS1_OSSetpt2 must be less than or equal to RBOS1_OSSetpt1). This ensures the functionality of the RBOS feature in that as Acceleration increases the RBOS overspeed setpoint either stays the same or decreases, but never increases. These restrictions are enforced by the build in ToolboxST, with errors that provide help to the user to identify the issues in their configuration. I/O Configuration GEH-6723W Functional Safety Manual 121 Public Information 5.8.1.3 Variables Variable (x = R, S, or T) Description Direction Type L3DIAG_YSIL_x I/O Diagnostic Indication Input BOOL LINK_OK_YSIL_x I/O Link OK Indication Input BOOL ATTN_YSIL_x I/O Attention Indication Input BOOL PS18V_YSIL_x I/O 18V Power Supply Indication Input BOOL PS28V_YSIL_x I/O 28V Power Supply Indication Input BOOL SCSA_Comm_Status_x BOOL SCSA Serial Communication Status Input L3SS_Comm Controller Communication Status Input BOOL GT_1Shaft Config – Gas Turb,1 Shaft Enabled Input BOOL GT_2Shaft Config – Gas Turb,2 Shaft Enabled Input BOOL LM_2Shaft Config – LM Turb,2 Shaft Enabled Input BOOL BOOL LM_3Shaft Config – LM Turb,3 Shaft Enabled Input LargeSteam Config – Large Steam Enabled Input BOOL MediumSteam Config – Medium Steam Enabled Input BOOL SmallSteam Config – Small Steam Enabled Input BOOL Stage_GT_1Sh Config – Stage 1 Shaft, Enabled Input BOOL BOOL Stage_GT_2Sh Config – Stage 2 Shaft, Enabled Input IOPackTmpr_x IO Pack Temperature (deg F) AnalogInput REAL LockedRotorByp LL97LR_BYP - Locked Rotor Bypass Output BOOL L97ZSC_BYP - HP Zero Speed Check Bypass Output BOOL HPZeroSpdByp RefrFreq - Drive (Gen) Freq (Hz), used for non standard drive config Can be used for zero speed logic in Dead Bus Closure of breaker Shaft Speed 1 in RPM AnalogOutput REAL AnalogOutput REAL ControllerWdog Controller Watchdog Counter Output DINT CJBackup_x CJ Backup Value °C/°F Based on configured TemperatureUnits AnalogOutput REAL CJRemote_x CJ Remote Value °C/°F Based on configured TemperatureUnits AnalogOutput REAL TA_StptLoss (L30TA) True if Trip Anticipate overspeed setpoint from TR_Spd_Sp is too far from rated RPM RatedRPM_TA Input BOOL Variable (x = R, S, or T) Description Direction Type AnalogInput01_Trip_x SCSA Analog Input Trip Status Input BOOL ↓ ↓ ↓ ↓ AnalogInput16_Trip_x SCSA Analog Input Trip Status Input BOOL DriveFreq Speed1 5.8.1.4 122 Vars-Al Trip GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.8.1.5 Vars-Trip Variable Description Direction Type WatchDog_Trip Enhanced diag - Watch Dog trip Input BOOL StaleSpeed_Trip Enhanced diag - Stale Speed trip Input BOOL SpeedDiff_Trip Enhanced diag - Speed Difference trip Input BOOL FrameMon_Flt Enhanced diag - Frame Monitor Fault Input BOOL OverSpd1_Trip L12HP_TP - HP overspeed trip Input BOOL OverSpd2_Trip L12LP_TP - LP overspeed trip Input BOOL OverSpd3_Trip L12IP_TP - IP overspeed trip Input BOOL Decel1_Trip L12HP_DEC - HP de-acceleration trip Input BOOL Decel2_Trip L12LP_DEC - LP de-acceleration trip Input BOOL Decel3_Trip L12IP_DEC - IP de-acceleration trip Input BOOL Accel1_Trip L12HP_ACC - HP acceleration trip Input BOOL Accel2_Trip L12LP_ACC - LP acceleration trip Input BOOL Accel3_Trip L12IP_ACC - IP acceleration trip Input BOOL HW_OverSpd1_Trip L12HP_HTP - HP Hardware detected overspeed trip Input BOOL HW_OverSpd2_Trip L12LP_HTP - LP Hardware detected overspeed trip Input BOOL HW_OverSpd3_Trip L12IP_HTP - IP Hardware detected overspeed trip Input BOOL TA_Trip Trip Anticipate Trip, L12TA_TP Input BOOL TSCA_Contact01_Trip Contact Trip (L5Cont01_Trip) Input BOOL ↓ ↓ ↓ ↓ TSCA_Contact20_Trip Contact Trip (L5Cont20_Trip) Input BOOL LPShaftLock LP Shaft Locked Input BOOL PR1_Zero L14HP_ZE - HP shaft at zero speed Input BOOL PR2_Zero L14LP_ZE - LP shaft at zero speed Input BOOL PR3_Zero L14IP_ZE - IP shaft at zero speed Input BOOL CompositeAnalog_Trip Composite Analog Trip Status Input BOOL CompositeTrip Composite Trip Status Input BOOL Estop_Trip ESTOP Trip (L5ESTOP1) Input BOOL Config1_Trip HP Config Trip (L5CFG1_Trip) Input BOOL Config2_Trip LP Config Trip (L5CFG2_Trip) Input BOOL Config3_Trip IP Config Trip (L5CFG3_Trip) Input BOOL Cross_Trip L4Z_XTRP - Control Cross Trip Output BOOL Variable Description Direction Type FlameDetPwrStat 335 V dc status Input BOOL 5.8.1.6 Vars-Flame FD1_Flame Flame Detect present Input BOOL ↓ ↓ ↓ ↓ FD8_Flame Flame Detect present Input BOOL FD1_Level 1 = High Detection Cnts Level Output BOOL ↓ ↓ ↓ ↓ FD8_Level 1 = High Detection Cnts Level Output BOOL I/O Configuration GEH-6723W Functional Safety Manual 123 Public Information 5.8.1.7 Vars-Contacts Variable Description Direction Type TCSA_Contact01_TripEnab Config – Contact Trip Enabled – Direct Input ↓ ↓ ↓ BOOL ↓ TCSA_Contact20_TripEnab Config – Contact Trip Enabled – Direct Input BOOL 5.8.1.8 Vars-Speed Vars-Speed Variable Description Direction Type Accel1_TrEnab Config – Accel 1 Trip Enabled Input BOOL Accel2_TrEnab Config – Accel 2 Trip Enabled Input BOOL Accel3_TrEnab Config – Accel 3 Trip Enabled Input BOOL HW_OverSpd1_Setpt_Pend Hardware HP overspeed setpoint changed after power up Input BOOL HW_OverSpd2_Setpt_Pend Hardware LP overspeed setpoint changed after power up Input BOOL HW_OverSpd3_Setpt_Pend Hardware IP overspeed setpoint changed after power up Input BOOL HW_OverSpd1_Setpt_CfgErr Hardware HP Overspd Setpoint Config Mismatch Error Input BOOL HW_OverSpd2_Setpt_CfgErr Hardware LP Overspd Setpoint Config Mismatch Error Input BOOL HW_OverSpd3_Setpt_CfgErr Hardware IP Overspd Setpoint Config Mismatch Error Input BOOL OverSpd1_Setpt_CfgErr HP Overspd Setpoint Config Mismatch Error Input BOOL OverSpd2_Setpt_CfgErr LP Overspd Setpoint Config Mismatch Error Input BOOL OverSpd3_Setpt_CfgErr IP Overspd Setpoint Config Mismatch Error Input BOOL RBOS1_TestEnable Enable Test Mode for RBOS feature for HP. RBOS1_Accel_Test will be used as Accel input to RBOS. Output BOOL RBOS2_TestEnable Enable Test Mode for RBOS feature for LP. RBOS2_Accel_Test will be used as Accel input to RBOS. Output BOOL RBOS3_TestEnable Enable Test Mode for RBOS feature for IP. RBOS3_Accel_Test will be used as Accel input to RBOS. Output BOOL PR1_Accel HP Accel in RPM/SEC AnalogInput REAL PR2_Accel LP Accel in RPM/SEC AnalogInput REAL PR3_Accel AnalogInput REAL PR1_Max IP Accel in RPM/SEC HP Max Speed since last Zero Speed in RPM AnalogInput REAL PR2_Max LP Max Speed since last Zero Speed in RPM AnalogInput REAL PR3_Max IP Max Speed since last Zero Speed in RPM AnalogInput REAL PR1_Spd PR1 - Speed sensor 1 (1A if three or two groups, see PRGrouping parameter) AnalogInput REAL PR2_Spd PR2 - Speed sensor 2 (2A if three groups, 1B if two groups, see PRGrouping parameter) AnalogInput REAL PR3_Spd PR3 - Speed sensor 3 (3A if three groups, 2A if two groups, see PRGrouping parameter) AnalogInput REAL PR4_Spd PR4 - Speed sensor 4 (1B if three groups, 1C if two groups, see PRGrouping parameter) AnalogInput REAL PR5_Spd PR5 - Speed sensor 5 (2B if three or two groups, see PRGrouping parameter) AnalogInput REAL PR6_Spd PR6 - Speed sensor 6 (3B if three groups, 2C if two groups, see PRGrouping parameter) AnalogInput REAL OS1_Setpoint_Fbk Current firmware overspeed setpoint for HP shaft in RPM AnalogInput REAL OS2_Setpoint_Fbk Current firmware overspeed setpoint for LP shaft in RPM AnalogInput REAL 124 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Vars-Speed (continued) Variable Description Direction Type OS3_Setpoint_Fbk Current firmware overspeed setpoint for IP shaft in RPM AnalogInput REAL OverSpd1_Test_OnLine L97HP_TST1 - OnLine HP Overspeed Test Output BOOL OverSpd2_Test_OnLine L97LP_TST1 - OnLine LP Overspeed Test Output BOOL OverSpd3_Test_OnLine L97IP_TST1 - OnLine IP Overspeed Test Output BOOL OverSpd1_Test_OffLine L97HP_TST2 - OffLine HP Overspeed Test Output BOOL OverSpd2_Test_OffLine L97LP_TST2 - OffLine LP Overspeed Test Output BOOL OverSpd3_Test_OffLine L97IP_TST2 - OffLine IP Overspeed Test Output BOOL TripAnticipateTest L97A_TST - Trip Anticipate Test Output BOOL PR_Max_Reset Max Speed Reset Output BOOL BOOL OnLineOverSpd1X L43EOST_ONL - On Line HP Overspeed Test,with auto reset Output OverSpd1_Setpt HP Overspeed Setpoint in RPM AnalogOutput REAL OverSpd2_Setpt LP Overspeed Setpoint in RPM AnalogOutput REAL OverSpd3_Setpt IP Overspeed Setpoint in RPM AnalogOutput REAL OverSpd1_TATrip_Setpt PR1 Overspeed Trip Setpoint in RPM for Trip Anticipate Fn AnalogOutput REAL HWOverSpd_Setpt1 HP Hardware Overspeed Setpoint in RPM AnalogOutput REAL HWOverSpd_Setpt2 LP Hardware Overspeed Setpoint in RPM AnalogOutput REAL HWOverSpd_Setpt3 IP Hardware Overspeed Setpoint in RPM AnalogOutput REAL RBOS1_Accel_Test Test Accel signal for RBOS feature for HP shaft, RPM/s AnalogOutput REAL RBOS2_Accel_Test Test Accel signal for RBOS feature for LP shaft, RPM/s AnalogOutput REAL RBOS3_Accel_Test Test Accel signal for RBOS feature for IP shaft, RPM/s AnalogOutput REAL Repeater1 Speed Repeater Fault Status Input ↓ ↓ ↓ BOOL ↓ Repeater6 Speed Repeater Fault Status Input BOOL I/O Configuration GEH-6723W Functional Safety Manual 125 Public Information 5.8.1.9 Vars-Relay The following are the contact feedbacks for the electromechanical safety relays. They must be closed (feedback True) for current to flow in the ETRs. Contact Feedbacks Description Variable Direction Type Mech1_Fdbk Mechanical relay feedback, controls group 1 (K1–3) Input BOOL Mech2_Fdbk Mechanical relay feedback, controls group 2 (K4–6) Input BOOL Mech3_Fdbk Mechanical relay feedback, controls group 3 (K7–9) Input BOOL The following are the Output Bits, which can be used to open ETR Relays. They are only available when the ETRs are configured as Used and TripMode configuration as Enable (from the ETR Relay tab). Output Bits Description Variable Direction Type ETR1_Open ETR1 Open Command, True de-energizes relay Output BOOL ETR2_Open ETR2 Open Command, True de-energizes relay Output BOOL ETR3_Open ETR3 Open Command, True de-energizes relay Output BOOL ETR4_Open ETR4 Open Command, True de-energizes relay Output BOOL ETR5_Open ETR5 Open Command, True de-energizes relay Output BOOL ETR6_Open ETR6 Open Command, True de-energizes relay Output BOOL ETR7_Open ETR7 Open Command, True de-energizes relay Output BOOL ETR8_Open ETR8 Open Command, True de-energizes relay Output BOOL ETR9_Open ETR9 Open Command, True de-energizes relay Output BOOL Note When the relay outputs are configured as TripMode Disable, the associated mechanical relay will pick up when any of the three solid state relays pick up within that group, and drops when all the solid state relays are False in that group. 5.8.1.10 Vars-Sync Variable Description Direction Type GenFreq DF2 hz AnalogInput REAL BusFreq SFL2 hz AnalogInput REAL GenVoltsDiff DV_ERR KiloVolts rms - Gen Low is Negative AnalogInput REAL GenFreqDiff SFDIFF2 Slip hz - Gen Slow is Negative AnalogInput REAL GenPhaseDiff SSDIFF2 Phase degrees - Gen Lag is Negative AnalogInput REAL SyncCheck_Enab L25A_PERM - Sync Check Permissive Output BOOL SyncCheck_ByPass L25A_BYPASS - Sync Check ByPass Used for dead bus breaker closure feature Output BOOL DiagVoteEnab Trip Mode 5.8.1.11 TSCA Contacts Name Description Direction Type TCSA_Contact01 Contact Input 1 Input ↓ ↓ ↓ TCSA_Contact20 Contact Input 20 Input 126 GEH-6723W BOOL ↓ BOOL Contact Input Used, Unused (default: Unused) SeqOfEvents Enable, Disable Enable, Disable (default: Disable) (default: Enable) Enable, Disable (default: Disable) GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.8.1.12 EStop Description Name ESTOP_Fdbk 5.8.1.13 Direction Input ESTOP, inverse sense, True = Run Type DiagVoteEnab BOOL Enable, Disable (default: Enable) RelayOutput TripMode† ETR Relay Name Description Direction Type K4 K4 Relay Output, Emergency Trip Relay when Trip Mode Enabled Output BOOL Enable, Disable ‡ (default: Disable) K5 K5 Relay Output, Emergency Trip Relay when K4 Trip Mode Enabled Output BOOL N/A K6 K6 Relay Output, Emergency Trip Relay when K4 Trip Mode Enabled Output BOOL K7 K7 Relay Output, Emergency Trip Relay when Trip Mode Enabled Output BOOL K8 K8 Relay Output, Emergency Trip Relay when K7 Trip Mode Enabled Output BOOL N/A K9 K9 Relay Output, Emergency Trip Relay when K7 Trip Mode Enabled Output BOOL N/A Used, Unused (default: Unused) N/A Enable, Disable ‡ (default: Disable) Note † TripMode on ETR Relay can only be selected in groups. K4-K6 are in one group, and K7-K9 are in another group. Note ‡ When the relay outputs are configured as TripMode Disable, the associated mechanical relay will pick up when any of the three solid state relays pick up within that group, and drops when all the solid state relays are False in that group. 5.8.1.14 ETR Fdbk Name Description Direction Type K1_Fdbk Trip Relay Feedback Input BOOL K2_Fdbk Trip Relay Feedback Input BOOL K3_Fdbk Trip Relay Feedback Input BOOL K4_Fdbk Normal / Trip Relay Feedback Input BOOL K5_Fdbk Normal / Trip Relay Feedback Input BOOL K6_Fdbk Normal / Trip Relay Feedback Input BOOL K7_Fdbk Normal / Trip Relay Feedback Input BOOL K8_Fdbk Normal / Trip Relay Feedback Input BOOL K9_Fdbk Normal / Trip Relay Feedback Input BOOL I/O Configuration SeqOfEvents DiagVoteEnab Enable, Disable (default: Disable) Enable, Disable (default: Disable) GEH-6723W Functional Safety Manual 127 Public Information 5.8.1.15 TCSA Relay Name Description Direction Type TCSA_Relay01 Under control of SyncCheck if SyncCheck is configured for Relay01 Output BOOL Under control of SyncCheck if SyncCheck is configured for Relay02 Output TCSA_Relay02 5.8.1.16 RelayOutput Output_State Output_Value Used, Unused (default: Unused) HoldLastVal, Output_Value, PwrDownMode (default: PwrDownMode) On, Off (default: Off) BOOL TCSA Relay Fdbk Name Description Direction Type SeqOfEvents DiagVoteEnab TCSA_Relay01Fdbk Relay Feedback Input BOOL TCSA_Relay02Fdbk Relay Feedback Input BOOL Enable, Disable (default: Disable) Enable, Disable (default: Disable) 5.8.1.17 K25A Name Description Direction Type K25A_Cmd_Status Synch Check Relay Input BOOL Parameter Description Choices BusVoltage Allowable Minimum Bus Voltage, Eng Units (kv or percent) for Synchronizing. Typically 50% of rated 1 to 1000 (default: 6.9) DiagVoteEnab Enable Voting Disagreement Diagnostic Disable, Enable (default: Enable) FreqDiff Maximum Frequency Difference in hz for Synchronizing 0 to 0.5 (default: 0.30) GenFreqSource Select the Generator Frequency source for the PLL. PR_Std PR_Std, DriveFreq input (If single shaft PR1, otherwise PR2) or from Signal Space, (default: PR_Std) DriveFreq GenVoltage Allowable Minimum Gen Voltage, Eng Units (kv or percent) for Synchronizing. Typically 50% of rated 1 to 1000 (default: 6.9) PhaseDiff Maximum Phase Difference in degrees for Synchronizing 0 to 30 (default: 10) SynchCheck Select which relay to be used for the K25A Synch Check Relay or unused Relay01, Relay02, Unused (default: Unused) TurbRPM Rated RPM, Load Turbine 0 to 20,000 (default: 3600) VoltageDiff Maximum Voltage Diff in Eng Units (kv or percent) for Synchronizing 1 to 1000 (default: 2.8) 128 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.8.1.18 Pulse Rate Parameter Description Choices PRType Selects the type of Pulse Rate Input, (For Proper Resolution) Unused, Speed, Flow, Speed_LM, Speed_High (default: Unused) PRScale Pulses per Revolution (outputs RPM) 0 to 1,000 (default: 60) HwOverSpd_Setpt Hardware Overspeed Trip Setpoint in RPM 0 to 20,000 (default: 0) OverSpd_Setpt Overspeed Trip Setpoint in RPM 0 to 20,000 (default: 0) OverSpd_Test_Delta Off Line Overspeed Test Setpoint Delta in RPM -2,000 to 2,000 (default: 0) Zero_Speed Zero Speed for this Shaft in RPM (1 RPM hysteresis), 0 RPM sets PR#_Zero always False 0 to 20,000 (default: 0) Min_Speed Min Speed for this Shaft in RPM 0 to 20,000 (default: 0) Accel_Trip Enable Acceleration Trip Disable, Enable (default: Disable) Acc_Setpt Acceleration Trip Setpoint in RPM / Sec 0 to 20,000 (default: 0) Decel_Trip Enable Deceleration Trip Enable, Disable (default: Enable) TMR_DiffLimt Diag Limit, TMR Input Vote Difference, in Eng Units 0 to 20,000 (default is 5) Dual_DiffLimit Diag Limit, Dual speed sensor, in Eng Units 0 to 20,000 (default is 25) 5.8.1.19 PT Inputs The following PT inputs on the TCSA are fanned, single phase (75 to 130 V rms). Name Description Direction Type GenPT_KVolts Kilo-Volts RMS (Active only AnalogInput if K25A is Enabled) REAL BusPT_KVolts Kilo-Volts RMS (Active only AnalogInput if K25A is Enabled) REAL 5.8.1.20 PT_Input PT_Output TMR_DiffLimt Default: 13.8 Default: 115 Default: 1 TCSA Analog Inputs Name Description Direction Type FlameAnalogInput01 Flame Analog Input AnalogInput ↓ ↓ ↓ REAL ↓ FlameAnalogInput10 Flame Analog Input AnalogInput REAL Input Low_Input Low_Value Used, Unused (default: Unused) Default: 4 Default: 0 High_Input High_Value InputFilter DiagHighEnab DiagLowEnab TMR_DiffLimt Default: 20 Default: 100 Used, Unused (default: Unused) Enable, Disable (default: Enable) Enable, Disable (default: Enable) Default: 5 5.8.1.21 Flame Name Description Direction Type FlameInd1 ↓ Flame Intensity (Hz) AnalogInput ↓ ↓ REAL ↓ FlameInd8 Flame Intensity (Hz) AnalogInput REAL FlmDetTime 0.040sec, 0.080sec, 0.160sec (default: 0.040sec) FlameLimitHi FlameLimitLow Flame_Det TMR_DiffLimt Default: 5 Default: 3 Used, Unused (default: Unused) Default: 5 I/O Configuration GEH-6723W Functional Safety Manual 129 Public Information 5.8.1.22 SCSA Analog Inputs Name (x = R, S, or T) Type Input Desc AnalogInput01_x 4–20 mA ↓ ↓ REAL 4–20ma, ↓ Unused (default: REAL Unused) AnalogInput16_x 4–20 mA Low_Input Low_Value High_Input High_Value InputFilter Default: 4 Default: 0 Default: 20 0.75hz, 1.5hz, 3hz, 6hz, 12hz, Unused (default: Unused) Default: 100 DiagHighEnab TripEnab DiagLowEnab TripSetPoint TripDelay HART_Enable HART_MfglD HART_DevType HART_DevID Enable, Disable (default: Enable) Default: 0 Default: 100 (milliseconds) Enable, Disable (default: Disable) Default: 0 5.8.1.23 Enable, Disable (default: Disable) SCSA Thermocouple Inputs Name (x = R, S, or T) Type Thermocouple01_x Fail_Hot, Fail_Cold (default: Fail_Cold) Unused, Type_J, Type_K, Type_ ReportOpenTC sets the failed state of an open S, Type_T, Type_E, mV thermocouple to either hot (high) or cold (low). This does (default: Unused) not apply when Type = mV. Thermocouple02_x Thermocouple03_x 5.8.1.24 ReportOpenTC SCSA Cold Junction Name (x = R, S, or T) Description Direction Type ColdJuncType ColdJunction_x Cold Junction for TCs 1 to 3 AnalogInput REAL Local, Remote (default: Local) 5.8.1.25 SCSA Relay Name (x = R, S, or T) Direction Type SCSA_Relay01_x Output BOOL SCSA_Relay02_x 5.8.1.26 Output BOOL RelayOutput Output_State Output_Value Used, Unused (default: Unused) HoldLastVal, Output_Value, PwrDownMode (default: PwrDownMode) On, Off (default: Off) SCSA Relay Fdbk Name (x = R, S, or T) Description Direction Type SCSA_Relay01Fdbk_x Relay Feedback Input BOOL SCSA_Relay02Fdbk_x Relay Feedback Input BOOL 130 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.8.1.27 SCSA Contacts Name (x = R, S, or T) Desc Direction Type SCSA_Contact01_x Contact Input Input ↓ ↓ ↓ BOOL ↓ SCSA_Contact03_x Contact Input Input BOOL ContactInput SignalInvert SignalFilter Used, Unused (default: Unused) Invert, Normal (default: Normal) 100ms, 10ms, 20ms, 50ms, Unfiltered (default: Unfiltered) 5.8.2 Asset Management System Tunnel Command The Asset Management System (AMS) scans the HART-enabled field devices to determine health. This scan command decision is made in the AMS (not the I/O pack). The AMS can send scan commands over channels 1, 2, or 3. The YSIL I/O pack (or if using PHRA/YHRA) can be configured to either only allow for the scan command to occur on the default channel 3 or it can allow these scan commands to occur on any of the three channels (as determined by the AMS). By changing the parameter, AMS_Mux_Scans_Permitted to Enable (it is disabled by default), the I/O pack will accept a change from channel 3 (which is the default channel). From the perspective of the AMS, the multiplexer is the I/O pack (YSIL, YHRA, or PHRA). † In electronics, a multiplexer (or mux) is a device that selects one of several analog or digital input signals and forwards the selected input into a single line. Note † Retrieved Nov 13, 2014 from http://en.wikipedia.org/wiki/Multiplexer HMI Asset Management System (AMS) WorkstationST Application UDH YSIL TCSA IONet WCSA Serial B us TMR Mark VIeS Controller Set SCSA HART Field Device SCSA Tunnel command sent from AMS to I/O pack, then I /O pack sends status of HART field devices to AMS S CSA Example of YSIL HART Communications I/O Configuration GEH-6723W Functional Safety Manual 131 Public Information 5.9 YTUR YTUR Module Configuration Description Select Option ✓ or Enter Value I/O pack redundancy Simplex, TMR Hardware group Distributed I/O, Group Main terminal board Terminal board type/ HW form/ Barcode/ Group/ TB Location TTUR, TRPA Auxiliary terminal board Terminal board Phy Pos/ Type/ HW form/ Group/ TB Location TRPG, TRPA I/O pack configurations Pack form/ TB Connector/ IONet Parameters Tab YTUR Parameter Description Select Option ✓ or Enter Value SystemLimits Enable or disable all system limit checking Enable, Disable SMredundancy Used to determine how shaft monitor testing is controlled if a TMR application Simplex, TMR AccelCalType Select acceleration calculation type 10 to 100 TripType Select fast trip algorithm Unused, PR_Single, PR_Max AccASetpoint Acceleration Trip Setpoint, Chan A, RPM/Sec 0 to 1500 AccAEnable Acceleration Trip Enable, Chan A Enable, Disable AccBSetpoint Acceleration Trip Setpoint, Chan B, RPM/sec 0 to 1500 AccBEnable Acceleration Trip Enable, Chan B Enable, Disable Trip Type (PR_Single) PR1Setpoint Fast overspeed trip #1, set point, PR1, RPM 0 to 20000 PR1TrEnable Fast overspeed trip #1, enable Disable, Enable PR2Setpoint Fast overspeed trip #2, set point, PR1, RPM 0 to 20000 PR2TrEnable Fast overspeed trip #2, enable Disable, Enable PR3Setpoint Fast overspeed trip #3, set point, PR1, RPM 0 to 20000 PR3TrEnable Fast overspeed trip #3, enable Disable, Enable PR4Setpoint Fast overspeed trip #4, set point, PR1, RPM 0 to 20000 PR4TrEnable Fast overspeed trip #4, enable Disable, Enable InForChanA Input change selection for Accel/Decel trip Accel1, Accel2, Accel3, Accel4 InForChanB Input change selection for Accel/Decel trip Accel1, Accel2, Accel3, Accel4 InForChanA Input change selection for Accel/Decel trip Accel1, Accel2, Accel3, Accel4 Accel1, Accel2, Accel3, Accel4 Trip Type (PR_Max) InForChanB Input change selection for Accel/Decel trip AccelCalType Select acceleration calculation type 10 to 100 DecelStpt Deceleration set point, RPM/sec 0 to 1500 (FLOAT) DecelEnab FastOS1Stpt Deceleration enable Fast overspeed trip #1 set point, max (PR1,PR2), RPM Disable, Enable FastOS1Enabl Fast overspeed trip #1, enable Disable, Enable FastOS2Stpt Fast overspeed trip #2 set point, max (PR3,PR4), RPM 0 to 20000 (FLOAT) FastOS2Enabl Fast overspeed trip #2, enable Disable, Enable DiffSetpoint Diff Setpoint 0 to 20000 (FLOAT) DiffEnable Difference speed trip, enable Disable, Enable 132 GEH-6723W 0 to 20000 (FLOAT) GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Flame Tab YTUR Flame Detector Description Select Option ✓ or Enter Value FlmDetTime Flame detector time interval (seconds) 0.040 sec, 0.080 sec, 0.160 sec FlameLimitHI Flame threshold LimitHI (HI detection cnts means Low sensitivity) 0 to 160 FlameLimitLow Flame threshold LimitHI (LOW detection cnts means high sensitivity) 0 to 160 Flame_Det TMR_DiffLimit Flame detector used/unused Diag Limit, TMR input difference limit, in Hz Used, Unused 0 to 160 Pulse Rate Tab (4 each) YTUR Pulse Rate Description Choices PRType Selects the type of pulse rate input, n (for proper resolution) Unused, Flow, Speed, Speed_High, Speed_LM PRScale Pulses per revolution (outputs RPM) 0 to 1,000 SysLim1Enabl Enable system limit 1 fault check Enable, Disable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 check type (= or <=) = or <= SysLimit1 System limit 1 – RPM 0 to 20,000 SysLim2Enabl Enable system limit 2 fault check (as above) Enable, Disable SysLim2Latch Latch system limit 2 fault Latch, Not Latch SysLim2Type System limit 2 check type (= or <=) = or <= SysLimit2 System limit 2 – RPM 0 to 20,000 TMR_DiffLimit Diag Limit, TMR input vote difference, in engineering units 0 to 20,000 Shunt V Tab YTUR Shaft Voltage Monitor Description Select Option ✓ or Enter Value SysLim1Enabl Enable system limit 1 Enable, Disable SysLim1Latch Latch system limit 1 fault Latch, Not Latch SysLim1Type System limit 1 check type (= or <=) = or <= SysLimit1 Select alarm level in frequency Hz 0 to 100 SysLim2Enabl Select system limit 2 (as above) Enable, Disable SysLim2Latch Latch system limit 1 fault Latch, Not Latch SysLim2Type System limit 1 check type (= or <=) = or <= SysLimit2 Select alarm level in frequency Hz 0 to 100 TMR_DiffLimit Diag Limit, TMR input vote difference, in engineering units 0 to 100 Shunt C Tab YTUR Shaft Current Monitor Description Select Option ✓ or Enter Value ShuntOhms ShuntLimit BrushLimit Shunt ohms Shunt maximum test ohms Shaft (Brush) maximum ohms 0 to 100 0 to 100 0 to 100 SysLim1Enabl Select system limit 1 Enable, Disable SysLim1Latch Select whether alarm will latch Latch, Not Latch SysLim1Type Select type of alarm initiation = or <= SysLimit1 Current Amps, select alarm level in Amps 0 to 100 I/O Configuration GEH-6723W Functional Safety Manual 133 Public Information Shunt C Tab (continued) YTUR Shaft Current Monitor Description Select Option ✓ or Enter Value SysLim2Enabl Select system limit 2 Enable, Disable SysLim2Latch Select whether alarm will latch Latch, Not Latch SysLim2Type Select type of alarm initiation = or <= SysLimit2 Current Amps, select alarm level in Amps 0 to 100 TMR_DiffLimit Diag Limit, TMR input vote difference, in engineering units 0 to 100 PT Tab (Gen and Bus) YTUR Potential Transformer Description Select Option ✓ or Enter Value PT_Input PT primary in engineering units (kv or percent) for PT_ Output 0 to 1,000 PT_Output PT output in volts rms, for PT_Input – typically 115 0 to 150 SysLim1Enabl Select system limit 1 Enable, Disable SysLim1Latch Select whether alarm will latch Latch, Not Latch SysLim1Type Select type of alarm initiation = or <= 0 to 1,000 SysLimit1 Current Amps, select alarm level in Amps SysLim2Enabl Select system limit 2 Enable, Disable SysLim2Latch Select whether alarm will latch Latch, Not Latch SysLim2Type Select type of alarm initiation = or <= SysLimit2 Current Amps, select alarm level in Amps 0 to 1,000 TMR_DiffLimit Diag Limit, TMR input vote difference, in engineering units 0 to 1,000 Circuit Breaker Tab YTUR Circuit Breaker Description Select Option ✓ or Enter Value SystemFreq Select frequency in Hz 60 Hz, 50 Hz CB1CloseTime CB1AdaptLimt Breaker 1 closing time, ms 0 to 500 Breaker 1 self adaptive limit, ms 0 to 500 CB1AdaptEnab Enable breaker 1 self adaptive adjustment Enable, Disable CB1FreqDiff Breaker 1 special window frequency difference, Hz 0.15 to 0.66 CB1PhaseDiff Breaker 1 special window phase Diff, degrees 0 to 20 CB1DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable 0 to 500 CB2CloseTime Breaker 2 closing time, ms (as above) CB2 AdaptLimit Breaker 2 self adaptive limit, ms 0 to 500 CB2 AdaptEnabl Enable breaker 2 self adaptive adjustment Enable, Disable CB2FreqDiff Breaker 2 special window frequency difference, Hz 0.15 to 0.66 CB2PhaseDiff Breaker 2 special window phase diff, degrees 0 to 20 CB2DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable Relays Tab YTUR Relays Description Select Option ✓ or Enter Value PTR_Output Primary protection relay used/unused Unused, Used DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable 134 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information E-Stop Tab YTUR E-Stop Description Select Option ✓ or Enter Value DiagVoteEnab Enable voting disagreement diagnostic Enable, Disable TTUR Jumper Jumper Select ✓ JP1 TMR, SMX JP2 TMR, SMX TRPA (P1 and P2 jumpers) Speed Input Connections Function Jumper Wire to all 12 pulse inputs: Each set of four pulse inputs goes to its own dedicated YTUR I/O pack. Cannot use jumper PR1_R – PR4_T Place in STORE position Each set of two pulse inputs goes to its own dedicated YTUR I/O pack. Wire to TTL pulse inputs: TTL1_R – TTL2_T Cannot use jumper Place in STORE position Wire to bottom 4 pulse inputs only: PR1_R – PR4_R The same set of signals is fanned to all the YTUR I/O packs. NO wiring to TTL1_R-TTL2_T or PR1_S-PR4_ T Wire to bottom 2 pulse inputs: Use jumper Place over pin pairs Cannot fan the TTL signals. Only the R YTUR will receive data. TTL1_R – TTL2-R Cannot use jumper Place in STORE position TRPA Jumper Jumper Select ✓ P1 FAN, STORE P2 FAN, STORE I/O Configuration GEH-6723W Functional Safety Manual 135 Public Information 5.10 YUAA The ToolboxST configuration for PUAA/YUAA is different than most I/O packs. Since each point can process different types of I/O, there is a Mode selection in the Configuration tab that has to be set in the ToolboxST application Component Editor for each IOPoint (or left Unused if not used). The ToolboxST application does not enforce any limitations for available mA outputs with respect to the potential ambient environment inside the cabinet. 5.10.1 Parameters The following are global configuration options for the PUAA/YUAA. Parameter Description Choices TempUnits Temperature unit selection is use for RTDs, Thermocouples, and Cold Junction values °C, °F (default: °F) ColdJuncType Cold Junction source for thermocouple inputs Local, Remote (default: Local) AMS_Msgs_Only AMS_Mux_Scans_Permitted Min_MA_Hart_Output 136 GEH-6723W AMS Messages only - do not send control messages if Enable, Disable (default: Disable) enabled. AMS mulitplexer scans for command 1 and 2 are allowed Enable, Disable (default: Disable) (command 3 always allowed) Minimum MA output for a Hart Enabled Device 0 to 22.5 (default: 4.0) GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.10.2 Configuration (Modes) Channel configuration can be done at any time, but requires a channel be taken from an Unused mode to an assigned mode (or from an assigned mode to Unused), but not directly from one mode to a different mode. This does not require a device reboot or impact adjacent channels. The PUAA/YUAA allows changing individual point configuration though an Online Load (parameter download without rebooting) without affecting any other point, however changing from any one type of point to another first requires that the point be configured as Unused. The product will protect against an invalid transition and will fail the download and issue a diagnostic alarm to indicate the issue. Name IOPoint01 ↓ IOPoint16 Caution Caution 5.10.3 Description Modes Direction Data Type Universal I/O Point01 ↓ Universal I/O Point16 Unused (default) CurrentInput VoltageInput RTD CurrentOutput Thermocouple PulseAccum DigitalInput AnalogInput AnalogInput AnalogInput AnalogOutput AnalogInput AnalogInput Input REAL REAL REAL REAL REAL REAL BOOL To prevent damage to the SUAA, when the PWR_RET terminals are serving as a ground return for the channel, verify that the current to the ground is limited to 50 mA or less. If the ground path is capable of higher currents, then an external series resistor should be inserted in series with the terminal connection to serve as a current limit. As an example, if a 24 V circuit was capable of being incorrectly wired to the PWR_RET terminal, then a 510 Ω 2 W resistor would be used in series as a protection device. To prevent damage to field devices, verify wiring prior to configuring the I/O pack. Avoid any incorrectly wired channel that could act as an output driving back into an analog input device. The PUAA is capable of acting as an output or input channel under software command. The terminal blocks are in groups of 3 screws to allow for channels to be attached one at a time as part of wiring checks. Current Inputs Current Input Description Choices Low_Input Input mA at Low Value (default: 4) Low_Value Low Input in Engineering Units (default: 0) High_Input Input MA at High Value (default: 20) High_Value High Input in Engineering Units (default: 100) InputFilter Filter Bandwidth in Hz Unused, 0.75hz, 1.5hz, 12hz, 3hz, 6hz (default: Unused) ExternPwrEnab Enable External Power for 4-20ma inputs Enable, Disable (default: Enable) Min_MA_Input Set the minimum mA for healthy input (default: 3) Max_MA_Input Set the maximum mA for healthy input (default: 22.5) Low_Input, Low_Value, High_Input, High_Value settings are used by the PUAA/YUAA firmware to define the linear relationship between mA and customer-defined engineering units. The I/O Point value will be in Engineering units. Engineering units are specific to the field device being used. I/O Configuration GEH-6723W Functional Safety Manual 137 Public Information Current Input Description Choices Hart_Enable ‡ Enable Hart protocol on this channel Enable, Disable (default: Enable) Hart_CtrVars Hart_ExStatus Hart_MfgID Number of control vars to read from Hart device Set to zero if not used. Number of extended status bytes to read from Hart device Set to zero if not used. Hart Field Device - Manufacture ID For HART7 field devices, this is the upper byte of Expanded Device Type A diagnostic alarm is sent if the field device ID differs from this value and the value is non-zero. This value can be uploaded from the PUAA if the field device is connected. (Right-click on device name and select Update HART IDS) 0 to 5 (default: 0) 0 to 26 (default: 0) 0 to 255 (default: 0) Hart_DevType Hart Field Device - Device Type For HART7 field devices, this is lower byte of Expanded Device Type 0 to 255 (default: 0) Hart_DevID Hart Field Device - Device ID 0 to 116777215 (default: 0) ‡ The first time all channel 1–8 are disabled, the I/O pack will require a reboot. The first time all channel 9–16 are disabled, the I/O pack will require a reboot. Attention 5.10.4 The first time any channel 1–8 is enabled, the I/O pack will require a reboot. The first time any channel 9–16 is enabled, the I/O pack will require a reboot. Current Outputs Current Output Description Choices OutputState State of the output when offline HoldLastValue, OutputValue, PwrDownMode (default) Low_MA Output low in mA (default: 4) Low_Value Low output value in engineering units (default: 0) High_MA Output high in mA (default: 20) High_Value High output in engineering units (default: 100) Output_Value ‡ This field is only available if OutputState = OutputValue (default: 0) ‡ Scroll all the way to the right to find this value because the field does not appear directly right of the High_Value as expected. If the I/O pack loses communication with the controller, OutputState determines how it drives the outputs as follows: • • • PwrDownMode: drive outputs to zero current HoldLastVal: hold the last value received from the controller Output_Value: go to the configured output value set by the Output_Value (units are Engineering Units, not mA) Low_MA, Low_Value, High_MA, High_Value settings are used by the I/O pack firmware to define the linear relationship between customer-defined engineering units and output mA. The I/O Point value will be in Engineering units, and the firmware will convert it to mA. Engineering units are specific to the field device being used. Current Output Description Choices Hart_Enable ‡ Enable Hart protocol on this channel Enable, Disable (default: Disable) Hart_CtrVars Number of control vars to read from Hart device Set to zero if not used. 0 to 5 (default: 0) 138 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Current Output Hart_ExStatus Hart_MfgID Description Choices Number of extended status bytes to read from Hart device Set to zero if not used. Hart Field Device - Manufacture ID For HART7 field devices, this is the upper byte of Expanded Device Type A diagnostic alarm is sent if the field device ID differs from this value and the value is non-zero. This value can be uploaded from the PUAA if the field device is connected. (Right-click on device name and select Update HART IDS) 0 to 26 (default: 0) 0 to 255 (default: 0) Hart_DevType Hart Field Device - Device Type For HART7 field devices, this is lower byte of Expanded Device Type 0 to 255 (default: 0) Hart_DevID Hart Field Device - Device ID 0 to 116777215 (default: 0) ‡ The first time any channel 1–8 is enabled, the I/O pack will require a reboot. The first time any channel 9–16 is enabled, the I/O pack will require a reboot. Attention 5.10.5 The first time all channel 1–8 are disabled, the I/O pack will require a reboot. The first time all channel 9–16 are disabled, the I/O pack will require a reboot. Voltage Inputs Voltage Input Description Choices InputType Type of Analog Input +/-10volt, +/-5volt (default: +/-5volt) Low_Input Input Volts at Low Value (default: -5) Low_Value Low Input in Engineering Units (default: 0) High_Input Input Volts at High Value (default: 5) High_Value High Input in Engineering Units (default: 100) InputFilter Filter Bandwidth in Hz Unused, 0.75, 1.5, 3, 6, 12 (default: Unused) Low_Input, Low_Value, High_Input, High_Value settings are used by the I/O pack firmware to define the linear relationship between Volts and customer-defined engineering units. The I/O Point value will be in Engineering units. Engineering units are specific to the field device being used. I/O Configuration GEH-6723W Functional Safety Manual 139 Public Information 5.10.6 RTDs RTDType Compatible Type MINCO_NA N 120 MINCO_PA PT100 PURE MINCO_PB PT100 USIND MINCO_PD (default) PT100 DIN MINCO_PIA MINCO_PK PT 200 MINCO_PN MINCO_CA CU10 Ohms PT100_SAMA SAMA 100 5.10.7 RTDType selects the type of RTD device connected to the input. The ohms type returns a value of resistance, with the TempUnits parameter ignored. The temperature units parameter, TempUnits, can be either Fahrenheit or Celsius, and is set from the Parameters tab. Thermocouples ThermCplType ReportOpenTC Notes ThermCplType selects the type of TC device connected to the input. The mV type shall only return a value of millivolts, the Units parameter shall be ignored for this type, and no cold junction compensation shall be performed. B E J K mV (default) N R S T 5.10.8 Notes ReportOpenTC is a Fail_Hot/Fail_Cold configuration to control the reported TC Fail_Cold (default), value when an open circuit occurs. On open circuit detection the PUAA will report Fail_Hot the calculated value at -40 mV (Open TC Threshold) when Fail_Cold in enabled, and will report 3632 ºF (2000 ºC) when Fail_Hot is enabled. The temperature units parameter, TempUnits, can be either Fahrenheit or Celsius, and is set from the Parameters tab. Digital Inputs Digital Input Description Choices SignalInvert Inversion makes signal true if contact is open Normal, Invert (default: Normal) SeqOfEvents Record contact transitions in sequence of events Enable, Disable (default: Disable) Open/shorted input detection LineMonitoring Does not apply when InputMode is set to NAMUR, as line monitoring is inherent in NAMUR operation. Enable, Disable (default: Disable) InputMode Internal/ExternalWetting, NAMUR Sensor Internal, External, NAMUR (default: Internal) SignalFilter Contact input filter in milliseconds Unfiltered, 10 ms, 20 ms, 50 ms, 100 ms (default: Unfiltered) External wetting voltage ExtWettingVoltage (default: 24.0) Only applicable if InputMode is set to External Wetting 140 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.10.9 Pulse Accumulators Pulse Accumulator Description PAThreshold Choices Pulse threshold voltage (default: 3.0) This example configuration with connected variable is used in the following two example applications. It is recommended that the user set a threshold midway between the expected low and high input levels. I/O Configuration GEH-6723W Functional Safety Manual 141 Public Information 5.10.10 Pulse Accumulator Buffer Example This user block example connects to PUAA/YUAA pulse accumulator inputs to provide a Total Counts output that is a 32-bit integer. It handles PUAA 16-bit rollovers and implements a user reset of total counts to zero. The 16-bit accumulator resets to zero when the I/O pack reboots or the channel’s mode is changed. The counter increments when the input voltage transitions above the PAThreshold setting. The next pulse after accumulator is at 65535 will result in the accumulator rolling over to zero and continuing to count from there on following pulses. 142 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.10.11 Frequency Calculation Example This user block example connects to PUAA/YUAA pulse accumulator inputs to provide a frequency output. Rollover is handled. Three configuration values are offered. I/O Configuration GEH-6723W Functional Safety Manual 143 Public Information 144 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.10.12 Variables Name (XXXX = PUAA or YUAA) (xx = channel number) Description Direction Data Type L3DIAG_XXXX_R I/O Diagnostic Indication Input BOOL LINK_OK_XXXX_R I/O Link OK Indication Input BOOL I/O Attention Indication Current Output Feedback in mA Input BOOL AnalogInput REAL ATTN_XXXX_R OutxxMA PS18V_XXXX_R I/O 18V Power Supply Indication Input BOOL PS28V_XXXX_R I/O 28V Power Supply Indication Input BOOL IOPackTmpr_R IO Pack Temperature (deg F) AnalogInput REAL CJBackup Backup Cold Junction Temperature (Deg F/C based on Cold Junction config) AnalogOutput REAL CJRemote Remote Cold Junction Temperature. Used when ColdJuncType is set to Remote (Deg F/C based on Cold Junction config) AnalogOutput REAL ColdJunc01 Cold Junction sensor #1 AnalogInput REAL ColdJunc02 Cold Junction sensor #2 Toggle to True to reset Hart configuration change alarms on rising edge AnalogInput REAL Output BOOL Hart Mux Health Input BOOL AckHartCfgChange HartMux_Health I/O Configuration GEH-6723W Functional Safety Manual 145 Public Information 5.10.13 HART Signal Definitions Signal Description Hxx_CommCnt Number of times the CommStat signal was not zero after a HART message Integer Type Most Recent Slave-Reported Communication Status Error Hxx_CommStat Bit 1 – RX buffer overflow Bit 3 – Checksum error Bit 4 – Framing error Bit encoded integer Bit 5 – Overrun error Bit 6 – Parity error Hxx_DevCnt Number of times the DevStat signal was not zero after a HART message. Integer Most Recent Device Response Codes: bits 0-7 Bit 0 – Primary variable out of limits Bit 1 – Non primary var out of limits Bit 2 – Analog output saturated Bit 3 – Analog output current fixed Bit 4 – More status available (ExStat) Bit 5 – Cold start Bit 6 – Configuration changed Hxx_DevStat Bit 7 – Field device malfunction Command response byte: bits 8-15 Bit encoded integer 2: Invalid selection requested 3: Passed parameter too large 4: Passed parameter too small 5: Too few bytes received 6: Device specific device error 7: In write protect mode 8-15: Device specific 16: Access restricted 32: Device is busy 64: Command not implemented Hxx_DevRev Hxx_HwSwRev Field Device - Device revision code as read from the device. Byte 0 - Field device software revision Byte 1 - Field device hardware revision Integer Integer Hxx_mA † Field Parm 1 – current reading of the primary signal Float Hxx_PV † Field Device Specific Control Parm 2 - Primary field device value Float Hxx_SV † Field Device Specific Control Parm 3 - Secondary value Float Hxx_TV † Field Device Specific Control Parm 4 -Third value Float Hxx_FV † Field Device Specific Control Parm 5 -Fourth value Float † To view these variables, the Hart_CtrlVars parameter must have a value greater than zero. 146 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.10.14 HART Extended Status The extended status bits are device-specific, and can be interrogated by using an AMS system. In general, the status bits are grouped as follows: • • • • • • • • • • Bytes 0-5: Device specific status Byte 6: Extended Device Status Byte 7: Device Operating Mode Byte 8: Standardize Status 0 Byte 9: Standardize Status 1 Byte 10: Analog Channel Saturated Byte 11: Standardize Status 2 Byte 12: Standardize Status 3 Byte 13: Analog Channel Fixed Bytes 14-26: Device-specific Each field device supports a specific number of control parameters and extended status bits. Refer to the Field Device documentation to determine the correct number and configure the ToolboxST application accordingly. A diagnostic alarm message will be generated if the Field Device and ToolboxST configuration do not match. Hxx_ExStat_1 Bit Encoded Extended Status Bytes 1-4 Hxx_ExStat_2 Bit Encoded Extended Status Bytes 5-8 Hxx_ExStat_3 Bit Encoded Extended Status Bytes 9-12 Hxx_ExStat_4 Bit Encoded Extended Status Bytes 13-16 Hxx_ExStat_5 Bit Encoded Extended Status Bytes 17-20 Hxx_ExStat_6 Bit Encoded Extended Status Bytes 21-24 Hxx_ExStat_7 Bit Encoded Extended Status Bytes 25-26 I/O Configuration GEH-6723W Functional Safety Manual 147 Public Information 5.11 YDAS 5.11.1 YDAS Compatibility The IS420YDASS1A module is composed of a COM Express processor module which executes the firmware, and an analog processor module that processes and digitizes the CDM input signals. Data Acquisition System Compatibility Data Acquisition System Minimum Firmware Version Minimum ControlST Version IS420YDASS1A† V05.16 V07.09.01C †IS420YDASS1A requires Mark VIeS V06.03 or later The YDAS supports the Combustion Dynamics Monitoring terminal board (TCDM) with Simplex or Dual redundancy. The bare terminal board is GE part IS400TCDMS1A, but it is normally ordered as part of one of the following terminal board assemblies that also contains mounting brackets and plastic covers. Terminal Board Compatibility Terminal Board Description IS410TCDMS1A – with covers for Simplex IS410TCDMS2A – with covers for Dual Terminal board assembly that supports 21-channel CCSA or PCB charge amplifier inputs. Fans signals to one or two YDAS modules for Simplex or Dual redundancy. 5.11.2 YDAS Configuration 5.11.2.1 Parameters and Variables Configure the YDAS in the ToolboxST Component Editor Hardware Tabs using the following tables. YDAS Parameters Parameter Description Choices PwrLineFilFreq Power Line notch filter frequency 50Hz, 60Hz (default: 60Hz) HPF_Cutoff_Freq High Pass filter cutoff frequency (Hz) - Removes DC bias voltage on 2 to 30 Hz (default: 5 Hz) input signal before performing FFT. Sample_Rate FFT Sample Rate (Hz) – Rate at which input signals are sampled for RMS and FFT. (12887 Hz selection is for backward compatibility 16384 Hz, 12887 Hz (default: 16384 Hz) with PAMC.) Modifying this parameter requires a reboot. WindowSelect Selects FFT windowing function applied to input signal before performing FFT. Rectangular Hanning Hamming Blackman Blackman-Har Flat-Top Triangular (default: Hanning) BinReject Number of adjacent bins to reject from second peak search around Peak #1. See the section Frequency Search for more information. 0 to 6 bins (default: 3 bins) PwrLineFilWidth Power Line Frequency notch filter width (+/- Hz on each side of notch frequency) 0 to 100 Hz (default: 1 Hz) PwrLineFilTol Power Line Frequency notch filter tolerance (per unit). Higher number de-sensitizes filter so other energy peaks near power line frequency are rejected 0 to 1 pu (default: 0.1 pu) 148 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YDAS Parameters (continued) Parameter Description Choices PhDeltaRefCan Phase Delta Reference Can Number – Selected Can from which the phase delta to all the other Cans is referenced. 1 to 21 (default: 1) MaxVoltCCSA Maximum sensor volts for CCSA (Endevco) type sensor (pk volts) -30 to 30 pk volts (default: 8.568) MinVoltCCSA Minimum sensor volts for CCSA (Endevco) type sensor (pk volts) -30 to 30 pk volts (default: -8.568) MaxVoltPCB Maximum sensor volts for PCB type sensor (pk volts) -30 to 30 pk volts (default: 20.0) MinVoltPCB Minimum sensor volts for PCB type sensor (pk volts) -30 to 30 pk volts (default: 3.5) MaxVoltCustm Maximum sensor volts for custom type sensor (pk volts) -30 to 30 pk volts (default: 5.25) MinVoltCustm Minimum sensor volts for custom type sensor (pk volts) -30 to 30 pk volts (default: -5.25) YDAS Variables Variable (x = R or S) Description Direction Data Type L3DIAG_YDAS_x I/O Pack Diagnostic Indication Input BOOL LINK_OK_YDAS_x I/O Link OK Indication Input BOOL ATTN_YDAS_x Input I/O Pack Attention Indication Primary Selection Status – Indicates which I/O packs data (R or S) is Input being published to signal space for consumption by the controller BOOL Primary_Status_x IOPackTmpr_x BOOL I/O pack Temperature at the processor (°F) Input REAL BapcTmpr_x Acquisition Card Temperature (°F) Input REAL PrimaryCommand Primary Command – Command to select which I/O pack should present its data to signal space. False = Select R, True = Select S Output If the selected I/O pack is offline, the data from the other I/O pack will be presented until the selected I/O pack LINK_OK is True. BOOL DiagTestComplete_x Diagnostic Test Complete Status False = Test in progress, True = Test Complete or Idle Input BOOL Output BOOL Output UDINT Input UDINT Input UDINT DiagTestActivate_x DiagTestRequest_x FreqInTimeStampSec Activates a Diagnostic Test of the selected channel specified by DiagTestRequest_R,S on the rising edge of the signal. If a Diagnostic Test is in progress (DiagTestComplete_R,S is False), then this signal is ignored. See the section Diagnostic Test for more information. Specifies the Channel (1-21) on which to run a Diagnostic Test. Inputting an invalid channel will be ignored. Once the channel is selected, then toggle DiagTestActivate_R,S to start the Diagnostic test. See the section Diagnostic Test for more information. Frequency Domain Timestamp Seconds – Indicates the time of the last FFT scan. Value is seconds since January 1, 1970 (that is, Epoch time) FreqInTimeStampNsec Frequency Domain Timestamp Nanoseconds – Nanosecond portion of the timestamp of the last FFT scan. Can01_Health_x Combustor Can 1 signal health Input ↓ ↓ ↓ BOOL ↓ Can21_Health_x Combustor Can 21 signal health Input BOOL I/O Configuration GEH-6723W Functional Safety Manual 149 Public Information 5.11.2.2 Configuration Variables Configuration variables are signal space variables that drive the configuration of the module and can be changed on the fly without performing a configuration build and download from the ToolboxST download wizard. Configuration variables are validated by the I/O module and must be activated before they are used by the I/O module for configuration. Each configuration variable consists of two signal space variables: Signal Space Variables Variable Type Description Configuration variable Configuration variable status Direction A configuration variable that is sent as an output from signal space and provides configuration for the I/O module. Each configuration variable has set Output of valid values or ranges that must be satisfied before being used by the I/O module. A status feedback of a specified configuration variable. Indicates the actual value used for configuring the I/O module operation. This should match the value of the Configuration variable if it has been activated. Input Configuration variable status will be unhealthy if the Configuration variable is set to an invalid value. (A diagnostic alarm is also generated.) Configuration Variable Controls Variable ActivatePermissive ActivateConfig ActivateConfigDone 150 GEH-6723W Description Direction Configuration variable health permissive – Must be True before any Configuration variables can be activated. If False, then a Input corresponding diagnostic alarm will indicate which Configuration variable has an issue. Activates pending configuration variables on rising edge of the Output signal. Will only activate configuration variables when ActivatePermissive is True. Indicates when the new Configuration has been activated. Set False when ActivateConfig is toggled and transitions to True once the Input new configuration has been activated. Data Type BOOL BOOL BOOL GEH-6723 Mark VIeS Control Functional Safety Manual Public Information On start-up, if an invalid or zero command is provided for one of the configuration variables, the YDAS will default to the specified value. All Frequency bands will be disabled until valid values are provided to FftScanLength, RmsScanLength, ScanPerAvgFft, and ScanPerAvgRms. Configuration Variables/Statuses Variable Description Direction Data Type FftScanLength Configurable FFT Scan Length. Valid values are 2048, 4096, 8192, 16384. (default: 4096) Output UDINT FftScanLength_Status Valid FFT Scan Length Configuration Status Input UDINT RmsScanLength Configurable RMS Scan Length. Valid values are 256, 512, 1024, 2048. (default: 256) Output UDINT RmsScanLength_Status Valid RMS Scan Length Configuration Status Input UDINT ScanPerAvgFft Configurable Number of Scans Per Average FFT. Valid values are 1 to 64. (default: 32) Output UDINT ScanPerAvgFft_Status Valid number of Scans Per Average FFT Configuration Status Input UDINT ScanPerAvgRms Configurable Number of Scans per Average RMS. Valid values are 1 to 50. (default: 50) Output UDINT ScanPerAvgRms_Status Valid number of Scans Per Average RMS Configuration Status Input UDINT FftWindow_Status Valid FFT Window Configuration Status (from Parameters tab). Valid values are: 0 – Rectangular 1 – Hanning 2 – Hamming 3 – Blackman 4 – Blackman-Harris 5 – Flat-Top 6 – Triangular Input UDINT PhDelta_RefCan_Status Valid Phase Delta Reference Can Configuration Status (from Parameters tab). Valid values are 1-21. Input UDINT FreqBn_StartHz Frequency Band n Start Frequency (Hz) (n = 01-15 frequency bands) Valid values are: 0-5000 Hz where 0 – Disable. FreqBn_StartHz must be less than FreqBn_EndHz AnalogOutput REAL FreqBn_StartHz_Status Frequency Band n Start Frequency Status (Hz) (n = 01-15 frequency bands) AnalogInput REAL FreqBn_EndHz Frequency Band n End Frequency (Hz) (n = 01-15 frequency bands) Valid values are: 0-5000 Hz where 0 – Disable. FreqBn_EndHz must be greater than FreqBn_StartHz AnalogOutput REAL FreqBn_EndHz_Status Frequency Band n End Frequency Status (Hz) (n = 01-15 frequency bands) AnalogInput REAL I/O Configuration GEH-6723W Functional Safety Manual 151 Public Information 5.11.2.3 Can 1-7, Can 8-14, Can 15-21 Variable (x = 01-21, n = 01-15) Description Direction CanxFreqBn_Pk01Amp Frequency Band n Peak 1 Amplitude (PSI pk-pk) AnalogInput REAL CanxFreqBn_Pk01Hz Frequency Band n Peak 1 Frequency (Hz) AnalogInput REAL CanxFreqBn_Pk01PhDelta Frequency Band n Peak 1 Phase Delta (degrees) – phase is referenced to the Can specified by PhDeltaRefCan. AnalogInput REAL CanxFreqBn_Pk01Coherence Frequency Band n Peak 1 Coherence AnalogInput REAL CanxFreqBn_Pk02Amp Frequency Band n Peak 2 Amplitude (PSI pk-pk) AnalogInput REAL CanxFreqBn_Pk02Hz Frequency Band n Peak 2 Frequency (Hz) AnalogInput REAL CanxFreqBn_Pk02PhDelta Frequency Band n Peak 2 Phase Delta (degrees) – phase is referenced to the Can specified by PhDeltaRefCan. AnalogInput REAL CanxFreqBn_Pk02Coherence Frequency Band n Peak 2 Coherence AnalogInput REAL 5.11.2.4 Data Type Acoustic Summary Variable (n = 01-15) Description Direction Data Type FreqBn_Pk01Amp_AllChanAvg All Channel Frequency Band n Average Amplitude for Peak 1 AnalogInput REAL FreqBn_Pk01Hz_AllChanAvg All Channel Frequency Band n Average Frequency for Peak 1 AnalogInput REAL FreqBn_Pk02Amp_AllChanAvg All Channel Frequency Band n Average Amplitude for Peak 2 AnalogInput REAL FreqBn_Pk02Hz_AllChanAvg All Channel Frequency Band n Average Frequency for Peak 2 AnalogInput REAL FreqBn_AmpMx All cans, Frequency Band n Amplitude Max (PSI pk-pk) AnalogInput REAL FreqBn_HzMx All cans, Frequency Band n Frequency Max (Hz) AnalogInput REAL FreqBn_CanMx All cans, Frequency Band n Can at Max Amplitude AnalogInput REAL FreqBn_AmpAvg All cans, Frequency Band n Amplitude Average (PSI pk-pk) AnalogInput REAL FreqBn_HzAvg All cans, Frequency Band n Frequency Average (Hz) AnalogInput REAL 152 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5.11.2.5 RMS Variable (x = 01-21) Description Direction Data Type RmsMeanAllChs RMS Mean of all Channels – Sums all healthy input channels and calculates RMS and scan averaging on the signal and then divides AnalogInput by the number of healthy input channels to calculate the RMS mean in engineering units. REAL SIGx Channel x Acoustic Signal in PSI-RMS REAL AnalogInput SIGx Parameters Parameter Description Choices InputUse Charge Amplifier type used Unused, CCSA, PCB, Custom (default: Unused) CanId Can (chamber) identification number assigned to this input. Each CanId must be unique (no duplicates) 1-21 (default: CanId matches Signal number) DiagHighEnab Enable High Input Sensor Limit Diagnostic Disable, Enable (default: Enable) DiagLowEnab Enable Low Input Sensor Limit Diagnostic Disable, Enable (default: Enable) PwrLineFilEnab Power line frequency notch filter enable Disable, Enable (default: Disable) DiagOCChk Enable open sensor error diagnostic Disable, Enable (default: Enable) DiagBiasNull Enable excessive DC bias diagnostic Disable, Enable (default: Enable) DiagSigSat Enable signal saturation diagnostic Disable, Enable (default: Enable) Low_Input Input mV (pk-pk) at Low Value. Applies to CCSA, Custom sensor types only. -10000 to 10000 (default: 0.0) Low_Value Input Value in Engineering Units, PSI (pk-pk) at Low mV (pk-pk). Applies to CCSA, Custom sensor types only. -1000000 to 1000000 (default: 0.0) High_Input Input mV (pk-pk) at High Value. Applies to CCSA, Custom sensor types only. -10000 to 10000 (default: 170.0) High_Value Input Value in Engineering Units, PSI (pk-pk) at High mV (pk-pk). -1000000 to 1000000 (default: 1.0) Applies to CCSA, Custom sensor types only. Bias Vendor’s DC Bias Voltage Level. Applies to Custom sensor type only. -13.5 to 13.5 (default: 0) Range Analog input range. Applies to Custom sensor type only. +/-10Volt, +/-5Volt, +/-2.5Volt (default: +/-2.5Volt) Bias_Range Allowable deviation (+/-) of DC Bias (Volts) Applies to Custom sensor type only. 0 to 10 (default: 1.0) PCB_Probe_Gn PCB Probe Gain (pC/psi) Applies to PCB sensor type only 5 to 40 (default: 17) PCB_Amp_Gain PCB Charge Amplifier Gain (mV/pC) Applies to PCB sensor type only 1 to 20 (default: 10) HPF_Freq High Pass Filter Adjustable -3dB Corner Frequency (Hz) 0.5 to 200 (default: 0.5) HPF_Order High Pass Filter Poles – Disable to turn HPF off Disabled, 2p, 4p, 6p, 8p, 10p (default: 2p) LPF_Freq Low Pass Filter Adjustable -3db Corner Frequency (Hz) 0.5 to 8191 (default: 5000) LPF_Order Low Pass Filter Poles – Disable to turn LPF off Disabled, 2p, 4p, 6p, 8p, 10p (default: 2p) Note When any of the Wideband filter parameters (HPF_Freq, HPF_Order, LPF_Freq, LPF_Order) are modified, the corresponding input will be marked unhealthy for up to 10 seconds. I/O Configuration GEH-6723W Functional Safety Manual 153 Public Information 5.11.2.6 Capture Buffers There are two tabs where the Capture buffers are defined. • • Cap Buff Vars tab defines signal space variables that configure the triggers and provide a status for each capture buffer. Capture Buffers tab allows a user to configure the capture buffer pre and post samples, the period multiplier and assign variables. Each capture buffer is configured by the following settings: Property Description Name Name of capture buffer. CapBuffer01 – CapBuffer12 Description A user specified description of the capture buffer (optional) Capture Buffer Type Type of capture buffer. Presently, Time Domain is the only capture buffer type. Upload Type Upload capture buffer type configurable either Manual or Automatic. When configured as Automatic, the capture buffer gets uploaded automatically by the Recorder on WorkstationST and saved in the path specified in the recorder configuration. When configured as Manual, capture buffer must be uploaded using Trender in ToolboxST. Period multiplier Extends the sample rate of the capture buffer. For example, a multiplier of 4 will sample every 4th point and extend the collection time of the capture buffer by 4. The base sampling period is defined by the Sample_Rate configuration parameter. Pre-Trigger Samples The number of samples collected before the trigger. Supports a maximum of 10,000,000. Post Trigger Samples The number of samples collected after the trigger, including the trigger sample. Supports a maximum of 10,000,000 samples. Memory (MB) Specifies the amount of memory allocated for this capture buffer. This value is calculated from: • Number of variables connected to the capture buffer • Period multiplier • Pre and post trigger samples Count Number of variables connected to the specified capture buffer Time The length of time (in seconds) to collect for the capture buffer Sample Rate Base sample rate of the capture buffer. Defined by the Sample_Rate configuration parameter. Note The YDAS allows a maximum of 1024 MB configured for capture buffer data. If this memory allocation is exceeded, an error is reported during validation. Each capture buffer can have up to 32 variables configured. Variable (x = 01-21) Description Units SIGx_RawData Raw input data from hardware for SIGx. Raw counts SIGx_AdjustedData Gain compensated input data – Reflects SIGx after auto-ranging gain compensation Normalized counts SIGx_FilteredData Wideband filtered SIGx input data Normalized counts FrcTimestamp FRC time stamp for sample 25 MHz clock ticks 154 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information The Capture Buffers tab provides a calculation of: • • • Used Memory Max Memory Percentage Used The user can determine how close to the limit the current allocation of capture buffers is. The values turn red if the current capture buffer configuration is beyond the allocation limit and the configuration cannot be downloaded to the YDAS. ➢ To download the capture buffer: click the Download button on the Capture Buffers tab. The capture buffer configuration is also downloaded on a configuration download to the YDAS. The Capture Buffers tab displays the Current Revision and F/W Revision to indicate whether the capture buffers need to be downloaded to the YDAS to be made equal to the ToolboxST capture buffer configuration. Refer to ToolboxST documentation for how to upload the capture buffers in Trender. Cap Buff Vars Tab Variables Variable (z = 01-12) Description Direction Data Type CapBufferz_Trigger Triggers Capture Buffer z when True Output BOOL CapBufferz_Status Capture Buffer z Status 0 – Not configured 1 – Waiting for Trigger 2 – Capturing 3 – Capture Complete 4 – Upload Complete Input UDINT I/O Configuration GEH-6723W Functional Safety Manual 155 Public Information Notes 156 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6 Proof Tests Certain periodic proof tests must be satisfied for IEC-61511 SIL certification eligibility. The testing schedule and resources are dependent on the designated proof test interval. This test plan is to be used to validate SIL requirements for the Mark VIeS Safety Control during proof testing. Proof tests shall be conducted periodically to reveal any faults that may be undetected by system diagnostics during normal operation. This test plan provides the following: • • Identifies the nature and extent of tests necessary to verify that the Mark VIeS Safety Control is fully compliant with SIL requirements Identifies equipment and describes test methodologies used to provide proof test coverage Adhere to the following guidelines before and during proof tests: • • • • • • All test equipment must have up-to-date calibrations. Record the make, model, serial numbers, and calibration dates in the test record. The accuracy of measuring devices adds to the acceptance criteria. Where possible, replace the terminal board field-wired terminal block with a test block to preserve field wiring with minimum disturbance. Only test inputs or outputs of any Mark VIeS Functional Safety System I/O packs that are connected and used. Unused I/O do not have to be proof tested. Only apply the specific proof test that is appropriate for the I/O pack channel configuration. For example, only apply the thermocouple proof test for the YUAA I/O channel that is configured as a thermocouple. These test procedures do not require configuration modifications to an existing SIS. The system configurations that are listed are suggested configurations for test purposes. If the configuration does not match the system under test, either the test does not apply or the test results need to be adjusted. Before each proof test: − − − Verify that no diagnostic alarms are present. Bypass any safety loop being tested or take other action to avoid an inadvertent trip. Check for inadvertent or unauthorized application changes by checking the Branding Code and compare to the application code recorded after commissioning or after the last authorized and verified change. Verify that the Branding Code matches the application code. The following table lists the pluggable connectors that are available for order to facilitate proof tests. Available Pluggable Connectors Pluggable Connector Part Number Phoenix 2, 3, 4, 6, 8, and 12 screw-pluggable connectors PDJF1000TBPLUG# (where # is 3, 4, 6, 8 or 12 to identify number of screws the user wants the pluggable connector to have) 24 point (screw) isolated-barrier black terminal block 173C9123BB 003 Proof Tests GEH-6723W Functional Safety Manual 157 Public Information 6.1 Proof Test Requirements 6.1.1 Dual and TMR System Test Requirements Dual and TMR system configurations have automatic voting comparison diagnostics that provide random failure detection. If field device test procedures have met the following test requirements, and the alarm system has been checked to verify that no comparison diagnostics have been generated by the test, the system and the voting diagnostics shall be tested using the field device test procedures provided in this document. Additionally, when power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel for each safety loop, the comparison diagnostic will indicate a fault. When power exceeding the hardware fault tolerance is removed from the I/O packs), the system fails to its configured Safe state. YAIC: Each analog sensor shall be separately tested, one sensor at a time. Each test, if practicable, shall range the sensor beyond the normal range of operation within the upper and lower limits of the sensors detectable range. Each output shall be tested when the output is ranged through a full range transition required to test the field device. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. YDIA: Each sensor causing a logical transition on the controller shall be tested. YDOA: The safety function shall be stimulated such that the output makes a transition. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. Any output failures shall generate an error indication. YHRA: Each analog sensor connected to an input shall be tested separately. Each output shall be tested when the output is ranged through a full scale transition required to test the field device. The YHRA is a simplex only board, fault detection and failure modes shall be tested per the 61511 certified application code. YPRO: Speed inputs shall be tested when input signals are varied and compared to the reference signal. E-Stop and contact input interlocks shall be tested when actuated and ETRs are observed to drop out. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. YSIL: E-Stop interlocks shall be tested when actuated and ETRs are observed to drop out. Speed inputs shall be tested by injecting a signal of known frequency or by independently verifying the speed with an oscilloscope. Overspeed protection shall be tested by injecting a signal of known frequency that exceeds the trip threshold. Flame detection inputs shall be tested by injecting and then removing a 500 Hz sawtooth waveform. Analog inputs on the SCSA and/or TCSA shall be tested for accuracy by injecting known currents from 3 to 22 mA. If these analog inputs are used in the ETR logic string, then the ETRs shall be observed to drop out as well. Thermocouple inputs shall be tested with a millivolt-capable signal source. Both relay inputs and outputs shall be tested. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. When power is removed from two I/O packs in a TMR system, all signals shall go unhealthy. YTCC: Thermocouple inputs shall be tested in place if an independent reference temperature is available to compare. Open Thermocouple (TC) detection shall be tested by disconnecting one lead per TC at the terminal board screws. The cold junction temperature shall be tested by checking the temperature with the ToolboxST Cold Junction tab. YTUR: Speed inputs shall be tested when input signals are varied and compared to the reference signal. Flame detector (Geiger-Muller) inputs shall be tested when presence of flame is observed. E-Stop input shall be tested when actuated and PTRs are observed to drop out. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. YUAA: Each configurable mode shall be separately tested: mA input or output, TC input, RTD input and discrete input. Each mA input, if possible, shall range the sensor beyond the normal range of operation within the upper and lower limits of the sensors detectable range. Each mA output shall be tested when the output is ranged through the full range transition required to test the field device. Open thermocouple / RTD detection shall be tested by disconnecting one lead per thermocouple / RTD at the terminal board screws. Each discrete input shall be tested, resulting in a logical transition, plus check for proper detection of open and shorted field wiring. 158 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YVIB: Each sensor connected to an input shall be separately tested, one sensor at a time (VibProx, VibProx-KPH, VibSiesmic, PosProx). Each test (if practicable) shall range the sensor beyond the normal range of operation within the upper and lower limits of the sensors detectable range. KeyPhasor* input accuracy shall be tested in place if a reference speed is available to compare. When power (or the communications cable) is removed from one I/O pack in a hardware fault tolerant channel, the system shall maintain the required output. YDAS: User-initiated single-channel diagnostics shall be performed while the gas turbine is online. A single channel shall be taken offline and run through an automated test sequence to exercise the signal processing path of the channel. The diagnostic test shall be performed on each active channel once every 732 hours (30.5 days). Open circuit and short circuit detection shall be performed while the gas turbine is offline. Each YDAS module shall be power cycled to ensure that the other successfully takes over operation. Sensor inputs shall be tested, first by removing the terminal blocks that hold the sensor leads (to confirm open-circuit diagnostic), and then by individually shorting each PCB input (to confirm shorted-sensor diagnostics). The YDAS shall raise alarms during these tests. 6.1.2 Simplex System Test Requirements Simplex systems do not benefit from having comparison diagnostics between the redundant controllers. Therefore, functional testing is the most effective way to detect random failures within the controller. Proof Tests GEH-6723W Functional Safety Manual 159 Public Information 6.2 YAIC/YHRA Test Procedures 6.2.1 Input Accuracy Test Overview: • • Test the accuracy of the YAIC or YHRA analog inputs for the configured I/O pack Test out of range detection for the configured I/O pack Note Only test channels used and enabled for the assigned configuration. Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YAIC I/O pack. 2. Confirm configured limits for 4-20 mA input types. If configured for ranges other than 4-20 mA, adjust the test limits accordingly. Note Channels 9 and 10 only allow current input; do not test input voltage on these channels. A set of test values are provided in the following table. Use only those test values associated with the configured I/O point. Configuration changes are not required. Test Steps: • • • For the configured I/O, select the appropriate test values from the following table, Test Values for Configuration Settings, and apply them to the input. Document the value that the YAIC reads for each test value, as seen in the Input tab in the ToolboxST application. Perform these test steps for each configured input channel. Acceptance Criteria: • • 160 All measured values must be within 2% of the full range input values for the input accuracy test to be accepted. For out of range values using the ToolboxST application, confirm that the YAIC alerts the system that the input is out of range through the Diagnostics tab and that the channel goes unhealthy. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information YAIC/YHRA Test Values for Configuration Settings Configured Input Type 1 mA Test Values Expected Reading -1.1 mA Out of Range Diagnostic -1 mA -0.5 mA 0.5 mA 1 mA 1.1 mA -1 mA ±.04 -0.5 mA ±.04 0.5 mA ±.04 1.0 mA ±.04 Out of Range Diagnostic ↓ 4-20 mA 5V 3 mA Out of Range Diagnostic 4 mA 8 mA 12 mA 16 mA 20 mA 22 mA 4 mA ±.4 8 mA ±.4 12 mA ±.4 16 mA ±.4 20 mA ±.4 Out of Range Diagnostic ↓ ↓ -6 V Out of Range Diagnostic -5 V -2.5 V 0V 2.5 V 5V 6V -5.0 V ±.2 -2.5 V ±.2 0.0 V ±.2 2.5 V ±.2 5.0 V ±.2 Out of Range Diagnostic ↓ 10 V ↓ ↓ -12 V Out of Range Diagnostic -10 V -5 V 0V 5V 10 V 12 V -10.0 V ±.4 -5.0 V ±.4 0.0 V ±.4 5.0 V ±.4 10.0 V ±.4 Out of Range Diagnostic Proof Tests GEH-6723W Functional Safety Manual 161 Public Information 6.2.2 Output Accuracy Test Overview: To test the accuracy of the YAIC I/O pack analog outputs for the configured I/O packs. Test Setup: 1. Connect a multi-meter to the configured mA outputs. 2. Add a load to the output of approximately 250 Ω or meter in line with actual load device. Test Steps: 1. Connect the first channel of the output of the YAIC pack to a multi-meter capable of measuring voltage and current. 2. Set the output of the pack to the first value in the following table. To set the output, go to the Output tab in the ToolboxST application and change the value of AnalogOutputxx. 3. Record the measured output current (mA) reading for this channel and output level. 4. Repeat steps 2 and 3 for each value in the following table. 5. Repeat steps 1-4 above for all channels configured for mA outputs. Acceptance Criteria: All measured values must be within 2% of the expected output values for the accuracy test to be accepted. Output Ranges to Test 162 Output Value Expected Value 0 mA 4 mA 8 mA 12 mA 16 mA 20 mA 0 mA ±.4 4 mA ±.4 8 mA ±.4 12 mA ±.4 16 mA ±.4 20 mA ±.4 GEH-6723W Observed Reading GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.2.3 Low Source Voltage Test Overview: The common source voltage for the analog input loop voltages for two-wire transmitters is monitored to detect low loop voltage and provide fault tolerance for this function when more than one I/O processor is present. Test Setup: 1. Prepare the system for a fail-safe response from the I/O pack. 2. Connect a multi-meter to any configured mA outputs of the I/O pack from the Output Accuracy test. Test Steps: 1. Disconnect the 28 V power supply connection from the I/O pack. For a TMR terminal board, disconnect the power supply from two I/O packs. 2. Confirm that all the inputs go unhealthy and that the outputs drop to 0 mA. Acceptance Criteria: With the I/O pack’s power removed, the inputs become Unhealthy and drop any configured output channels to 0 mA current. Proof Tests GEH-6723W Functional Safety Manual 163 Public Information 6.3 YDIA Test Procedures Items that are configurable in the YDIA pack are identified in this test plan by including (CFG) at the end of the name of the item. Any configurable items that must be set for a particular test are defined in the detailed test instructions below. If a setting is not given for a configurable item, then it is not relevant to that test. Unless otherwise noted in the test plan, the tester should verify that there are no diagnostics faults on the YDIA pack under test prior to performing each test case. Any diagnostic fault(s) that are expected to occur as a result of performing a test case will be detailed in the acceptance criteria for the test case. If additional diagnostics faults are generated in the course of testing that are not detailed in the acceptance criteria, they must be fully explained prior to acceptance of the test. The following tests can be performed in any order. Individual steps within a test should be performed in the order presented. 6.3.1 Digital Input Status Test Overview: The test verifies that the controllers can receive the input data. This tests the following items that are configurable on each digital input using the ToolboxST application: • • • ContactInput(CFG) (Used/Unused) SignalInvert(CFG) (Normal/Invert) DiagVoteEnab(CFG) (Enable/Disable) Test Setup: Perform the applicable test case (refer to the following sections) on each of the inputs as they are configured. Check if a test screw terminal is available to avoid de-wiring a field signal. Test Steps: Test Case 1: Test Input Used, Normal 1. Verify that all inputs are as follows: • • • ContactInput(CFG) = Used SignalInvert(CFG) = Normal DiagVoteEnab(CFG) = Enable 2. With Input X open, verify that all three controllers indicate the status of the input as False. 3. Connect a jumper between Input X (Positive) and Input X (Return). 4. Verify that each controller (R, S, T) correctly reads the status of Input X as True. 5. Check that there is no cross-interference by verifying that the status of all other inputs is False. 6. Repeat this procedure for the remaining inputs. Acceptance Criteria: • • • 164 Inputs are jumpered and all three controllers indicate the status as True. All inputs not jumpered have a status of False. There are no voting diagnostics. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Test Case 2: Test Input Used, Invert 1. Verify that all inputs that are as follows: • • • ContactInput(CFG) = Used SignalInvert(CFG) = Invert DiagVoteEnab(CFG) = Enable 2. With Input X open, verify that all three controllers indicate the status of the input as True. 3. Connect a jumper between Input X (Positive) and Input X (Return). 4. Verify that each controller (R, S, T) correctly reads the status of Input X as False. 5. Check that there is no cross-interference by verifying that the status of all other inputs is True. 6. Repeat this procedure for the remaining inputs. Acceptance Criteria: • • • Inputs are jumpered and all three controllers indicate the status as False. All inputs not jumpered have a status of True. There are no voting diagnostics. 6.3.2 Low Source Voltage Test Overview: This test verifies that YDIA: • • • Monitors its 28 V dc supply Generates diagnostics if the supply is out of limits Performs an orderly shutdown if power supply voltage is too low for safe operation Test Setup: Prepare the system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the I/O pack. In a TMR system, disconnect the power connection from two I/O packs. 2. Confirm that all the inputs go unhealthy. 3. For loss of power on one I/O pack of TMR, check for disagreement diagnostic. Acceptance Criteria: When the I/O pack is disconnected, a diagnostic is generated and all inputs display as Unhealthy. Proof Tests GEH-6723W Functional Safety Manual 165 Public Information 6.4 YDOA Test Procedures Items that are configurable in the YDOA pack are identified by including (CFG) at the end of the name of the item. Any configurable items that must be set for a particular test are defined in the detailed test instructions below. If a setting is not given for a configurable item, then it is not relevant to that test. Unless otherwise noted in the test plan, the tester should verify that there are no diagnostics faults on the YDOA pack under test prior to performing each test case. Any diagnostic fault(s) that are expected to occur as a result of performing a test case will be detailed in the acceptance criteria for the test case. If additional diagnostics faults are generated in the course of testing that are not detailed in the acceptance criteria, they must be fully explained prior to acceptance of the test. The following tests can be performed in any order. Individual steps within a test should be performed in the order presented. 6.4.1 Digital Output Control Test Overview: This functional test verifies that: • • • The Mark VIeS controller can control each output The outputs are controlled through fault tolerant voting in TMR system There is no cross-interference between outputs Note This test is relevant to all terminal board types. Note Tests should be performed based on the configuration of each of the outputs. Relay actuation can be detected as follows: 1. If the device controlled by the relay is safe to actuate, it may be used to determine the relay output state. 2. With wetting voltage applied, the voltage at the relay terminal board may be read. When the YDOA is mounted on a TRLY, two pluggable terminal blocks used: − − 173C9123BB 003 (24-point pluggable terminal block, 1-24) 173C9123BB 004 (24-point pluggable terminal block, 25-48) When the YDOA is mounted on an SRLY (Simplex configuration), one pluggable terminal block is used: 64G6940-224L (48-point pluggable terminal block, 1-48). 3. Remove any wetting voltage and read the relay contact path resistance. Note For methods two and three, GE recommends removing the terminal board screw blocks and replacing them with test blocks. For method three, GE recommends taking a voltage reading prior to the resistance reading for safety purposes. Test Setup: Perform the appropriate test based on configuration of each of the outputs. 166 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Test Case 1: Test Output Used, Normal 1. Verify that each output is as follows: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Normal 2. Verify that all outputs are initially turned off. 3. Turn on the relay output. 4. Verify that only the correct relay on the terminal board is energized. 5. Repeat this procedure for all configured relay outputs. Acceptance Criteria: With the output turned on in the controller, only the correct relay on the terminal board is energized. Test Case 2: Test Output Used, Invert 1. Verify that each output is as follows: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Invert 2. All outputs should initially be turned on. 3. Turn off the output. 4. Verify that only the correct relay on the terminal board is energized. 5. Repeat for all configured relay outputs Acceptance Criteria: With the output turned off in the controller, only the correct relay on the terminal board is energized. Proof Tests GEH-6723W Functional Safety Manual 167 Public Information 6.4.1.1 SRSA Digital Output Control The SRSA uses the JF1 connector to supply 125 V dc or 24 V dc power across the Bank A positive power connections, PWRAx_P and the power negative connections, PWRAx_N where x is equal to 2, 3, 4, 5 and 6. Likewise, the JF2 connector supplies power to the Bank B positive power connections, PWRBy_P and the power negative connections, PWRBy_N where y is equal to 8, 9, 10, 11 and 12. The user closes the normally open contacts (NOx) in Bank A by first closing the mechanical force-guided relay, K1 followed by the solid-state relay, Kx. Similarly, the normally open contacts (NOy) in Bank B are closed by commanding the K7 mechanical relay to close followed by the solid-state relay, Ky. Test Case 1: Test Output Used, Normal 1. Verify that each output is as follows: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Normal 2. Verify that all outputs are initially turned off. 3. Turn on the mechanical relay, K1 for Bank A or K7 for Bank B relay outputs. 4. Turn on the Bank A solid-state relay, Kx where x = 2, 3, 4, 5 or 6. Or, turn on the Bank B solid-state relay, Ky where y = 8, 9, 10, 11 or 12. 5. Verify that only the correct relay on the termination board is energized. 6. Repeat this procedure for all configured relay outputs. Acceptance Criteria: With the output turned on in the controller, only the correct relay on the terminal board is energized. Test Case 2: Test Output Used, Invert 1. Verify that each output is as follows: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Invert 2. Verify that all outputs are initially turned off. 3. Turn on the mechanical relay, K1 for Bank A or K7 for Bank B relay outputs. 4. Turn on Bank A’s solid-state relay, Kx where x = 2, 3, 4, 5 or 6. Or, turn on Bank B’s solid-state relay, Ky where y = 8, 9, 10, 11 or 12. 5. Verify that only the correct relay on the termination board is energized. 6. Repeat this procedure for all configured relay outputs. Acceptance Criteria: With the output turned on in the controller, only the correct relay on the terminal board is energized. 168 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.4.2 Energized to Trip Applications 6.4.2.1 Relay Diagnostics for TRLYS1D Test Overview: This test verifies that the I/O pack: • • • Reads feedback signals from the output circuits Verifies that the outputs are in the correct state Generates diagnostic messages if they are not in the correct state Test Setup: This test is to be performed on the TRLYS1D, and either 24 or 125 V dc. Test Steps: Test Case 1: Solenoid Integrity on TRLYS1D with 24 V DC Note Perform this test on all configured outputs. 1. Using a YDOA/TRLYS1D combination, connect 24 V dc power to connector JF1 on the terminal board with configure outputs: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Normal 2. Connect a 0-250 Ω potentiometer across the NO and SOL terminals for the input under test; set the wiper to the middle of travel. All outputs should initially be turned off. 3. Gradually decrease the potentiometer resistance until a diagnostic is generated indicating that there is a failure of the external solenoid. 4. Disconnect the potentiometer and measure the resistance. 5. Reset the wiper of the potentiometer to the middle of travel and reconnect it to the terminals for the output under test. 6. Gradually increase the potentiometer resistance until a diagnostic indicates an external solenoid failure. 7. Disconnect the potentiometer and measure the resistance. Acceptance Criteria: The output is de-energized and the external resistance is: • • Below 7 Ω, a diagnostic is generated to indicate solenoid failure Above 200 Ω, a diagnostic is generated to indicate solenoid failure Proof Tests GEH-6723W Functional Safety Manual 169 Public Information Test Case 2: Solenoid Integrity on TRLYS1D with 125 V DC Note Perform this test on all configured outputs. 1. Connect 125 V dc power to connector JF1 on the terminal board with configure outputs: • • RelayOutput(CFG) = Used SignalInvert(CFG) = Normal 2. Connect a 0–5000 Ω potentiometer across the NO and SOL terminals for the input under test. Set the wiper to the middle of travel. All outputs should initially be turned off. 3. Gradually decrease the potentiometer resistance until a diagnostic indicates an external solenoid failure. 4. Disconnect the potentiometer and measure the resistance. 5. Reset the potentiometer wiper to the middle of travel and reconnect it to the terminals for the output under test. 6. Gradually increase the potentiometer resistance until a diagnostic indicates an external solenoid failure. 7. Disconnect the potentiometer and measure the resistance. Acceptance Criteria: The output is de-energized and the external resistance is: • • Below 122 Ω, a diagnostic is generated to indicate solenoid failure Above 3250 Ω, a diagnostic is generated to indicate solenoid failure 6.4.3 Low Source Voltage Test Overview: This test verifies that the I/O pack: • • • Monitors its 28 V dc supply Generates diagnostics if the supply is out of limits Performs an orderly shutdown if the power supply voltage is too low for safe operation Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V power supply connection from the I/O pack. For TMR, disconnect 28 V power supply connections from two I/O packs. 2. Confirm that all the outputs go to their safe state, displays as Unhealthy, and a diagnostic is generated. Acceptance Criteria: When the I/O pack is disconnected, a diagnostic is generated and all inputs display as Unhealthy. 170 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.5 YPRO Test Procedures Items that are configurable in the YPRO I/O pack are identified in this test plan by including (CFG) at the end of the name of the item. Any configurable items that must be set for a particular test are defined in the detailed test instructions below. If a setting is not given for a configurable item, it is not relevant to that test. Unless otherwise noted in the test plan, the tester should verify that there are no diagnostics faults on the YPRO under test prior to performing each test case. Any diagnostic fault(s) expected to occur as a result of performing a test case are detailed in the acceptance criteria for the test case. If additional diagnostics faults are generated in the course of testing that are not detailed in the acceptance criteria, they must be fully explained prior to acceptance of the test. The following tests can be performed in any order. Individual steps within a test should be performed in the order presented. 6.5.1 Contact Input Trip Tests Test Overview: This test verifies action of the contact input trips including trip logic in YPRO firmware. Test Setup: Select the Test Case below according to configuration of the Contact Inputs. Test Steps: These tests are relevant for TREG terminal boards. Test Case 1: TripMode: Direct Trip (CFG) 1. Energize Contact Input and reset trip relays. a. Close contacts on E-stop button or connect a jumper across E-TRP (H) and TRP (L). b. Clear all trip sources and reset the YPRO such that the emergency trip relays (ETR1-3) are picked up. c. Verify that each controller (R, S, T) correctly reads the status of the contact input. Acceptance criteria: Controllers correctly read status of contact input. 2. Initiate trip. a. Open the contact input to generate a trip. b. Verify that each controller (R, S, T) correctly reads the status of the contact input. Acceptance criteria: The controllers correctly read the status of the contact input and a diagnostic alarm message is generated indicating that the YPRO has tripped. Proof Tests GEH-6723W Functional Safety Manual 171 Public Information 3. Confirm trip cannot be reset. Attempt to reset the trip by turning on the MasterReset output in the controller and confirm that the trip cannot be cleared with a reset as long as the contact remains open. Acceptance criteria:. The ETRs remain open and the diagnostic alarm message is generated indicating that the YPRO has tripped. Test Case 2: TripMode: Conditional Trip (CFG) 1. Test Conditional Trip – Negative. a. Close contacts on E-stop button or connect a jumper to energize the contact input. b. Clear all trip sources and reset the YPRO such that the emergency trip relays (ETR1-3) are picked up. c. In the controller Vars-CI tab, set the value of trip#_inhibit to True. d. Open E-stop button or remove the jumper from the contact input and confirm that the contact input does not cause a trip. Acceptance criteria: Contact input does not cause trip when inhibit signal is True. 2. Test Conditional Trip – Positive. a. Close contacts on E-stop button or connect a jumper to energize the contact input. b. Clear all trip sources and reset the YPRO such that the emergency trip relays (ETR1-3) are picked up. c. In the controller Vars-CI tab, set the value of trip#_inhibit to False. d. Open E-stop button or remove the jumper from the contact input and confirm that the contact input does cause a trip. Acceptance criteria: Contact input causes trip when inhibit signal is False. 172 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.5.2 E-Stop Test Test Overview: This test verifies the E-stop trip logic in YPRO. Test Setup: These tests are relevant for TREG and TREA terminal boards. These tests can move valves take precautions or use bypass procedures. Warning Test Case 1: E-stop on TREG terminal board 1. Energize E-stop Input and reset trip relays. a. Place E-stop button in run position. b. Clear all trip sources and reset the YPRO such that the emergency trip relays (ETR1-3) are picked up. c. Verify that each controller (R, S, T) correctly reads the status of the E-stop input (L5ESTOP1). Acceptance criteria: The trip relays reset to the running condition and all controllers correctly read status of contact input. 2. Initiate trip. a. Press the E-stop button. b. Verify that each controller (R, S, T) correctly reads the status of the E-stop input (L5ESTOP1). Acceptance criteria: YPRO commands the trip relays to open all trip relay circuits, and the controllers correctly read the status of the E-stop input and a LED indication on the pack is generated indicating that the YPRO has tripped due to an E-stop. Proof Tests GEH-6723W Functional Safety Manual 173 Public Information Test Case 2: E-stop on TREA terminal board 1. Energize E-stop Input and reset trip relays. a. Place E-stop button in run position. b. Clear all trip sources and reset the YPRO such that the emergency trip relays (ETR1-3) are picked up. c. Verify that each controller (R, S, T) correctly reads the status of the E-stop input (L5ESTOP1). Acceptance criteria: The trip relays reset to the running condition and all controllers correctly read status of L5ESTOP1_Fdbk = True, and all controllers read the status of L5ESTOP1 = False. 2. Initiate trip. a. Press the E-stop button. b. Verify that each controller (R, S, T) correctly reads the status of the E-stop input (L5ESTOP1). Acceptance criteria: All three trip relays open with contact de-energization and the controllers correctly read the status of the contact input. 174 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.5.3 Speed Inputs Accuracy Test Overview: This test simultaneously checks the characteristics of speed inputs (range, accuracy) and verifies that the YPRO/SPRO/TREA support applications by allowing speed inputs to be sent to the controllers without cross-interference. Alternative Accuracy Test: Compare YPRO speed signal at several different operating points with basic process control system (BPCS) speed signals. Test Steps: 1. a. Connect an oscilloscope to the speed sensor terminal board inputs to measure the pulse rates from the speed pickups Or b. Disconnect the speed sensor inputs and configure a function generator for a 9 Vpp sine wave output with zero offset to provide a reference speed signal to the pulse rate inputs. Speed Input Accuracy Note It is best to select a maximum applied test frequency that represents the overspeed signal for the unit under test. 2. Verify that the channel being stimulated reads the correct value of speed and that all inputs that are not being stimulated read 0. 3. Repeat steps 2 and 3 for each configured pulse rate input. Acceptance Criteria: • • • • The speed input function has less than a 1% deviation between the actual steady state field signal and the reported value. Each channel reads the correct value of speed when stimulated. All inputs not being stimulated read 0. There are no diagnostics. Proof Tests GEH-6723W Functional Safety Manual 175 Public Information 6.5.4 Overspeed Test Test Overview: The purpose of the overspeed test is to confirm an overspeed condition has been properly detected by both the YPRO’s firmware and hardware overspeed functionality, and to exercise the emergency trip relays (ETRs). Two Overspeed Test options are provided. Option 1 requires configuration download which will change the branding of the system. Option 1 does allow the hardware overspeed to be greater than the firmware overspeed threshold. Option 2 does not require a configuration download, and therefore the branding will not change. However, Option 2 requires the hardware overspeed threshold to be less than the firmware overspeed threshold. Only one of the options is required to satisfy the proof testing of the overspeed function for this Safety Integrated function. Test Setup: Options 1 and 2 procedures use one function generator output, FG1. For each test step calling for the function generator, connect the function generator to the inputs indicated in the following figure. Configure the function generator output for a square wave output, 9 V dc pp with 0 V dc offset. Function Generator Inputs Some function generators introduce large frequency deviations while incrementing in frequency, these deviations may cause an acceleration or deceleration trip if the I/O pack is configured for acceleration or deceleration trips. Caution Test Steps: Option 1 (Configuration Download Required) Test Steps: 1. From the Pulse Rate tab, configure the firmware overspeed setpoint, OS_Setpoint(CFG). 2. Configure the hardware overspeed setpoint, OSHW_Setpoint#(CFG) equal to 1.1 times the OS_Setpoint. 3. Download both the firmware and hardware overspeed setpoints. 4. An overspeed [ ] firmware setpoint configuration error diagnostic occurs. To clear the diagnostic, from the Vars-Speed tab, set the variable OS#_Setpoint to match the firmware configuration OS value, OS#_Setpoint(CFG) for the firmware OS (in the Pulse Rate tab). 176 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 5. An overspeed [ ] hardware setpoint configuration error diagnostic occurs. To clear the diagnostic, set the variable OSHW_Setpoint# to match the hardware configuration value of OSHW_Setpoint(CFG). 6. Connect Function Generator 1(FG1) to the first configured pulse-rate input pair. Ramp the frequency of FG1 up to approximately 105% of the firmware overspeed setpoint, OS_Setpoint, and the YSIL trips. Record the pulse rate frequency and the status of the output contacts. 7. Attempt to reset the overspeed fault by sending a MasterReset from the controller. Record the status. 8. Continue to ramp the FG1 pulse frequency from 105% of the firmware overspeed setpoint, OS_Setpoint, to 105% of the hardware overspeed setpoint, OSHW_Setpoint#(CFG). Record the pulse rate frequency and the signal-space boolean, HW_OverSpd#Trip. 9. Again, attempt to reset the overspeed fault by sending a MasterReset from the controller. Record the status. 10. Reduce the FG1 frequency to 90% of the value of the firmware overspeed setpoint, OS_Setpoint(CFG), then send a MasterReset. Record the status. 11. Repeat Steps 1 through 10 for all pulse rate inputs configured and used. 12. From the Pulse Rate tab, restore the firmware overspeed setpoint, OS_Setpoint(CFG), and the hardware overspeed setpoint, OSHW_Setpoint#(CFG) to their original values. 13. From the Vars-Speed tab, restore the signal-space firmware overspeed setpoint, OS#_Setpoint, and the signal-space hardware overspeed setpoint, OSHW_Setpoint#, to their original values. Option 1 Acceptance Criteria: • • The ETR contacts open when the frequency of FG1 reaches the value of the firmware overspeed setpoint, OS_Setpoint (CFG), a diagnostic indicates that an overspeed trip occurred, and the controller input signal ComposTrip1 becomes True. The backup hardware overspeed function detects the overspeed condition when the FG1 output frequency is greater than the hardware overspeed setpoint, OSHW_Setpoint#(CFG). Overspeed fault cannot be reset if the pulse rate signal is above the value of OS_Setpoint#(CFG). Option 2 (No Configuration Download Required) Test 1 Steps: The test objective of Option 2 Test 1 is to provide an overspeed proof test that will use the existing configuration setup for both the hardware and firmware overspeed Safety Integrated functions. For this test to successfully work, the following configuration parameter constraints apply: OSHW_Setpoint ≤ 0.9995 x OS_Setpoint 1. Connect Function Generator 1 (FG1) to the first configured pulse-rate input pair. 2. Configure FG1 to ramp the pulse rate from 90% rated speed represented in hertz to 1.05 x OSHW_Setpoint represented in hertz. 3. Set ramp rate on FG1 output for 0.5% per second. Note The ramp rate must be slow enough so the user can positively identify the hardware OS trip function activated the ETRs using the Trender output. 4. Configure the Trender to capture the following YPRO variables: • • • • • • PulseRatex where x is the input channel being tested OSxHW_Trip – Hardware overspeed trip detected for input channel x OSx_Trip – Firmware overspeed trip detected for input channel x K1_Fdbk – ETR 1 Trip relay feedback K2_Fdbk – ETR 2 Trip relay feedback K3_Fdbk – ETR 3 Trip relay feedback Proof Tests GEH-6723W Functional Safety Manual 177 Public Information • • • SOL1_Vfdbk – Trip Solenoid 1 voltage SOL2_Vfdbk – Trip Solenoid 2 voltage SOL3_Vfdbk – Trip Solenoid 3 voltage 5. Activate FG1 to start pulse rate from 90% nominal speed and ramp to 105% of firmware overspeed setting. 6. Review the captured Trender file for the Option 2 Test 1 Acceptance Criteria. Option 2 Test 1 Acceptance Criteria: • • • • OSxHW_Trip hardware overspeed trip will be True when pulse rate speed is greater than OSHW_Setpoint. K1_Fdbk, K2_Fdbk, and K3_Fdbk ETR trip relay feedback equals True, indicating the hardware overspeed function commanded the ETRs to trip. OSx_Trip software trip will transition to True after Kx_Fdbk variables transition True. If Trender shows OSx_Trip Boolean True at the same time that Kx_Fdbk variables transition to True, then lower FG1 ramp by two times. Confirm SOLx_Vfdbk trip solenoid voltages transition. SOLx_Vfdbk transition does not have to occur before the OSx_ Trip because of the slow solenoid time constant. Option 2 (No Configuration Download Required) Test 2 Steps: The test objective of Option 2 Test 2 is to perform a shutdown firmware overspeed test where turbo-machinery is running. In this test, the firmware overspeed setpoint variable, OSx_Setpoint (where x is the input channel under test) is lowered below the present turbine running speed, resulting in a Emergency Trip. 1. Configure the Trender to capture the following YPRO variables: • • • • • • • PulseRatex where x is the input channel being tested OSx_Setpoint – YPRO overspeed setpoint command variable from safety controller OSx_SP_CfgEr – YPRO overspeed channel x setpoint configuration error OSx_Trip – Firmware overspeed trip detected for input channel x SOL1_Vfdbk – Trip Solenoid 1 voltage SOL2_Vfdbk – Trip Solenoid 2 voltage SOL3_Vfdbk – Trip Solenoid 3 voltage 2. Lower the YPRO overspeed setpoint variable, OSx_Setpoint (where x represents the pulse input channel being tested) to below the present running speed of the turbine. 3. Review the captured Trender file for the Option 2 Test 2 Acceptance Criteria. Option 2 Test 2 Acceptance Criteria: • • • 178 OSx_SP_CfgEr will be True after OSx_Setpoint is changed. OSx_Trip software trip will transition to True when OSx_Setpoint is ≤ PulseRatex. Confirm SOLx_Vfdbk trip solenoid voltages transition, confirming emergency trip relays have been de-energized. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.5.5 Low Source Voltage Test Overview: This is a functional test that verifies that the pack monitors its 28 V dc supply, generates diagnostics if the supply is out of limits, and performs a shutdown if power supply voltage is too low for safe operation. Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Case: 1. Disconnect the 28 V dc power supply connection from the pack (for TMR disconnect two 28 V dc power supply connections). 2. Confirm that all the outputs are in their safe state and display as Unhealthy, and a diagnostic is generated. Acceptance Criteria: • • When the I/O pack is disconnected, a diagnostic is generated and all outputs go to their safe state and display as Unhealthy. Variables PS18V_YPRO_/R/S/T and PS28V_YPRO_/R/S/T display as False and Unhealthy. Proof Tests GEH-6723W Functional Safety Manual 179 Public Information 6.6 YSIL Test Procedures Items that are configurable in the YSIL I/O pack are identified in this test plan by including (CFG) at the end of the name of the item. Any configurable items that must be set for a particular test are defined in the detailed test instructions below. If a setting is not given for a configurable item, it is not relevant to that test. Unless otherwise noted in the test plan, the tester should verify that there are no diagnostics faults on the YSIL under test prior to performing each test case. Any diagnostic fault(s) expected to occur as a result of performing a test case are detailed in the acceptance criteria for the test case. If additional diagnostics faults are generated in the course of testing that are not detailed in the acceptance criteria, they must be fully explained prior to acceptance of the test. The following tests can be performed in any order. Individual steps within a test should be performed in the order presented. 6.6.1 E-Stop Test Test Overview: This test verifies the E-Stop trip logic in YSIL. Test Setup: These tests are relevant for TCSA terminal board. These tests can move valves take precautions or use bypass procedures. Warning Test Case 1: E-Stop on TCSA terminal board 1. Energize E-Stop Input and reset trip relays a. Place E-Stop button in run position. b. Clear all trip sources and reset the YSIL such that the emergency trip relays (ETR1-3) are picked up. If configured as ETR, then ETR4–6 and ETR 7–9. c. Verify that each controller (R, S, T) correctly reads the status of the E-Stop input (L5ESTOP1). Acceptance criteria: The trip relays reset to the running condition and all controllers correctly read status of contact input. 2. Initiate trip a. Press the E-Stop button. b. Verify that each controller (R, S, T) correctly reads the status of the E-Stop input (L5ESTOP1). Acceptance criteria: • • • 180 YSIL commands the trip relays to open all trip relay circuits. The controllers correctly read the status of the E-Stop input. An LED indicates that the YSIL has tripped due to an E-Stop. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.2 Speed Inputs Accuracy Test Overview: Simultaneously check characteristics of speed inputs (range, accuracy) and verifies that YSIL/TCSA support applications by allowing speed inputs to be sent to the controllers without cross-interference. Alternative Accuracy Test: Compare YSIL speed signal at several different operating points with basic process control system (BPCS) speed signals. Test Steps: 1. Connect an oscilloscope to the speed sensor terminal board inputs to measure the pulse rates from the speed pickups Or 2. Disconnect the speed sensor inputs and configure a function generator for a 9 V dc pp sine wave output with zero offset to provide a reference speed signal to the pulse rate inputs. Speed Input Accuracy Note Perform the following on all configured pulse rate inputs. 1. For at least two speeds in the range of 2 to 20,000 Hz, apply a speed signal and record the value of speed reported by the controller. 2. Verify that the channel being stimulated reads the correct value of speed and that all inputs that are not being stimulated read zero. 3. Repeat steps 1 and 2 on all configured pulse rate inputs. Acceptance Criteria: • • • • The speed Input function has a < a 1% deviation between the actual steady state field signal and the reported value. Each channel reads the correct value of speed when stimulated. All inputs that are not being stimulated read zero. There should be no diagnostics. Proof Tests GEH-6723W Functional Safety Manual 181 Public Information 6.6.3 Overspeed Test Test Overview: The purpose of the overspeed test is to confirm an overspeed condition has been properly detected by both the YSIL’s firmware and hardware overspeed functionality, and to exercise the emergency trip relays (ETRs). Two Overspeed Test options are provided. Option 1 requires configuration download which will change the branding of the system. Option 1 does allow the hardware overspeed to be greater than the firmware overspeed threshold. Option 2 does not require a configuration download, and therefore the branding will not change. However, Option 2 requires the hardware overspeed threshold to be less than the firmware overspeed threshold. Only one of the options is required to satisfy the proof testing of the overspeed function for this Safety Integrated function. Test Setup: Options 1 and 2 procedures use one function generator output, FG1. For each test step calling for a function generator, connect the function generator to the inputs indicated in the following figure. Configure the function generator output for a square wave output, 9 V dc pp with 0 V dc offset. Function Generator Inputs Some function generators introduce large frequency deviations while incrementing in frequency, these deviations may cause an acceleration or deceleration trip if the I/O pack is configured for acceleration or deceleration trips. Caution 182 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Test Steps: Option 1 (Configuration Download Required) Test Steps: 1. From the Pulse Rate tab, configure the firmware overspeed setpoint, OS_Setpoint(CFG). 2. Configure the hardware overspeed setpoint, OSHW_Setpoint#(CFG) equal to 1.1 times the OS_Setpoint. 3. Download both the firmware and hardware overspeed setpoints. 4. An overspeed [ ] firmware setpoint configuration error diagnostic occurs. To clear the diagnostic, from the Vars-Speed tab, set the variable OS#_Setpoint to match the firmware configuration OS value, OS#_Setpoint(CFG) for the firmware OS (in the Pulse Rate tab). 5. An overspeed [ ] hardware setpoint configuration error diagnostic occurs. To clear the diagnostic, set the variable OSHW_Setpoint# to match the hardware configuration value of OSHW_Setpoint(CFG). 6. Connect Function Generator 1(FG1) to the first configured pulse-rate input pair. Ramp the frequency of FG1 up to approximately 105% of the firmware overspeed setpoint, OS_Setpoint, and the YSIL trips. Record the pulse rate frequency and the status of the output contacts. 7. Attempt to reset the overspeed fault by sending a MasterReset from the controller. Record the status. 8. Continue to ramp the FG1 pulse frequency from 105% of the firmware overspeed setpoint, OS_Setpoint, to 105% of the hardware overspeed setpoint, OSHW_Setpoint#(CFG). Record the pulse rate frequency and the signal-space boolean, HW_OverSpd#Trip. 9. Again, attempt to reset the overspeed fault by sending a MasterReset from the controller. Record the status. 10. Reduce the FG1 frequency to 90% of the value of the firmware overspeed setpoint, OS_Setpoint(CFG), then send a MasterReset. Record the status. 11. Repeat Steps 1 through 10 for all pulse rate inputs configured and used. 12. From the Pulse Rate tab, restore the firmware overspeed setpoint, OS_Setpoint(CFG), and the hardware overspeed setpoint, OSHW_Setpoint#(CFG) to their original values. 13. From the Vars-Speed tab, restore the signal-space firmware overspeed setpoint, OS#_Setpoint, and the signal-space hardware overspeed setpoint, OSHW_Setpoint#, to their original values. Option 1 Acceptance Criteria: • • The ETR contacts open when the frequency of FG1 reaches the value of the firmware overspeed setpoint, OS_Setpoint (CFG), a diagnostic indicates that an overspeed trip occurred, and the controller input signal ComposTrip1 becomes True. The backup hardware overspeed function detects the overspeed condition when the FG1 output frequency is greater than the hardware overspeed setpoint, OSHW_Setpoint#(CFG). Overspeed fault cannot be reset if the pulse rate signal is above the value of OS_Setpoint#(CFG). Option 2 (No Configuration Download Required) Test 1 Steps: The test objective of Option 2 Test 1 is to provide an overspeed proof test that will use the existing configuration setup for both the hardware and firmware overspeed Safety Integrated functions. For this test to successfully work, the following configuration parameter constraints apply: OSHW_Setpoint ≤ 0.9995 x OS_Setpoint 1. Connect Function Generator 1 (FG1) to the first configured pulse-rate input pair. 2. Configure FG1 to ramp the pulse rate from 90% rated speed represented in hertz to 1.05 x OSHW_Setpoint represented in hertz. 3. Set ramp rate on FG1 output for 0.5% per second. Proof Tests GEH-6723W Functional Safety Manual 183 Public Information Note The ramp rate must be slow enough so the user can positively identify the hardware OS trip function activated the ETRs using the Trender output. 4. Configure the Trender to capture the following YSIL variables: • • • • • PulseRatex where x is the input channel being tested OSxHW_Trip – Hardware overspeed trip detected for input channel x OSx_Trip – Firmware overspeed trip detected for input channel x K1_Fdbk – Trip relay feedback Mechx_Fdbk where x = 1, 2, or 3 for safety-rated mechanical relay status 5. Activate FG1 to start pulse rate from 90% nominal speed and ramp to 105% of firmware overspeed setting. 6. Review the captured Trender file for the Option 2 Test 1 Acceptance Criteria. Option 2 Test 1 Acceptance Criteria: • • • • OSxHW_Trip hardware overspeed trip will be True when pulse rate speed is greater than OSHW_Setpoint. Kx_Fdbk trip relay feedback equals True, indicating the hardware overspeed function commanded the ETRs to trip. OSx_Trip software trip transitions to True after Kx_Fdbk variables transition to True. If Trender shows OSx_Trip Boolean True at the same time that Kx_Fdbk variables transition to True, then lower FG1 ramp by two times. Mechx_Fdbk mechanical safety-relay show de-energized state (refer to the following table). x Description 1 Mechanical Relay 1 will open/de-energize when Solid-state relays 1-3 de-energize or open (K1_Fdbk, K2_Fdbk, and K3_Fdbk) 2 Mechanical Relay 2 will open/de-energize when Solid-state relays 4-6 de-energize or open (K4_Fdbk, K5_Fdbk, and K6_Fdbk), if configured for Trip relays 3 Mechanical Relay 3 will open/de-energize when Solid-state relays 7-9 de-energize or open (K7_Fdbk, K8_Fdbk, and K9_Fdbk), if configured for Trip relays Option 2 (No Configuration Download Required) Test 2 Steps: The test objective of Option 2 Test 2 is to perform a shutdown firmware overspeed test where turbo-machinery is running. In this test, the firmware overspeed setpoint variable, OSx_Setpoint (where x is the input channel under test) is lowered below the present turbine running speed, resulting in a Emergency Trip. 1. Configure the Trender to capture the following YSIL variables: • • • • • • • PulseRatex where x is the input channel being tested OverSpdx_Setpt where x is the input channel under test OSx_Setpoint_Fbk where x is the input channel under test OverSpdx_Trip – Firmware overspeed trip detected for input channel x OverSpdx_Setpt_CfgEr – overspeed x setpoint configuration error for input channel x Kx_Fdbk – Trip relay x feedback Mechx_Fdbk where x = 1,2 or 3 for safety-rated mechanical relay status 2. Lower the YSIL overspeed setpoint variable, OSx_Setpoint (where x represents the pulse input channel being tested) to below the present running speed of the turbine. 3. Review the captured Trender file for the Option 2 Test 2 Acceptance Criteria. 184 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Option 2 Test 2 Acceptance Criteria: • • • • OSx_Setpoint_Fbk is equal to OverSpdx_Setpt within one frame. OverSpdx_Setpt_CfgEr transitions to True one frame later than when OverSpdx_Setpt is changed. OverSpdx_Trip transitions to True when OSx_Setpoint_Fbk is ≤ PulseRatex. Confirm Kx_Fdbk trip relay feedback transitions, confirming emergency trip relays have been de-energized. 6.6.4 Low Source Voltage Test Overview: This is a functional test that verifies that the pack monitors its 28 V dc supply, generates diagnostics if the supply is out of limits, and performs a shutdown if power supply voltage is too low for safe operation. Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Case: 1. Disconnect the 28 V dc power supply connection from the pack (for TMR disconnect two 28 V dc power supply connections). 2. Confirm that all the outputs are in their safe state and display as Unhealthy, and a diagnostic is generated. Acceptance Criteria: • • When the I/O pack is disconnected, a diagnostic is generated and all outputs go to their safe state and display as Unhealthy. Variables PS18V_YSIL_/R/S/T and PS28V_YSIL_/R/S/T display as False and Unhealthy. 6.6.5 Flame Detection Inputs – Loss of Flame Detection Test Overview: This test checks for the YSIL to detect loss of flame and also verifies that no flame is the fail-safe state. Test Setup: For each configured (Geiger-Muller) flame detector input, connect a function generator as indicated in the following figure: WCSA Flame 5 V dc pp V dc pp 5 V5 dc offset 5 500 V dcHz offset 500 Hz Flame Detector Simulation Proof Tests GEH-6723W Functional Safety Manual 185 Public Information Test Steps: Perform the following steps five times on each of the flame detector inputs: 1. Set the function generator to 500 Hz, 5 V dc pp saw tooth with a 5 V dc offset. 2. Verify that FDn_Flame = True. 3. Remove the function generator signal from the flame detector input. 4. Verify that FDn_Flame transitions to False. Acceptance Criteria: • • FDn_Flame transitions to False when the function generator signal is disconnected. No diagnostics are generated during this test. 6.6.6 TCSA Analog Input Accuracy Test Overview: This test verifies the accuracy of the YSIL I/O pack analog inputs for the configured I/O pack. Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YSIL I/O pack. 2. Confirm configured limits for 4-20 mA input types. A set of test values are provided in the following table. Use only those test values associated with the configured I/O point. Configuration changes are not required. Test Steps: • • • For the configured I/O, select the appropriate test values from the following table and apply them to the input. Document the value that the YSIL reads for each test value, as seen in the Input tab in the ToolboxST application. Perform these test steps for each configured input channel. Acceptance Criteria: • • All measured values must be within 2% of the full range input values for the input accuracy test to be accepted. For out of range values using the ToolboxST application, confirm that the YSIL alerts the system that the input is out of range through the Diagnostics tab and that the channel goes Unhealthy. Test Values for Configuration Settings Configured Input Type 4-20 mA 186 GEH-6723W Test Values Expected Reading 3 mA Out of Range Diagnostic 4 mA 8 mA 12 mA 16 mA 20 mA 22 mA 4 mA ±.4 8 mA ±.4 12 mA ±.4 16 mA ±.4 20 mA ±.4 Out of Range Diagnostic GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.7 SCSA Analog Input Accuracy Test Overview: Test the accuracy of the YSIL I/O pack analog inputs for the configured I/O pack. Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YSIL I/O pack. 2. Confirm configured limits for 4-20 mA input types. A set of test values are provided in the following table. Use only those test values associated with the configured I/O point. Configuration changes are not required. Test Steps: • • • For the configured I/O, select the appropriate test values from the following table and apply them to the input. Document the value that the YSIL reads for each test value, as seen in the Input tab in the ToolboxST application. Perform these test steps for each configured input channel. Acceptance Criteria: • • All measured values must be within 2% of the full range input values for the input accuracy test to be accepted. For out of range values using the ToolboxST application, confirm that the YSIL alerts the system that the input is out of range through the Diagnostics tab and that the channel goes Unhealthy. Test Values for Configuration Settings Configured Input Type 4-20 mA Test Values Expected Reading 3 mA Out of Range Diagnostic 4 mA 8 mA 12 mA 16 mA 20 mA 22 mA 4 mA ±.4 8 mA ±.4 12 mA ±.4 16 mA ±.4 20 mA ±.4 Out of Range Diagnostic Proof Tests GEH-6723W Functional Safety Manual 187 Public Information 6.6.8 SCSA Composite Analog Trip Test The YSIL can use any of the 4-20 mA analog inputs on the SCSA (AnalogInput01_R,S or T through AnalogInput16_R,S or T TMR input sets) in the Emergency Trip Relay (ETR) logic string. The user must configure AnalogInputx_R, S and T separately in the ToolboxST application to properly enable the analog input to function as a trip input for the ETRs. The user enables the SCSA analog input for tripping by doing the following for AnalogInputx_R, AnalogInputx_S and AnalogInputx_T: 1. Set the TripEnab(CFG) = Enable. 2. Set the TripSetPoint(CFG) = trip value (if exceeded will cause the ETRs to trip). 3. Set the TripDelay(CFG) = duration of time for analog input to exceed the TripSetPoint(CFG) before the trip request to ETRs will go True. Note If the analog input falls below the TripSetPoint(CFG) for anytime during the TripDelay(CFG) time, the trip delay counter will be reset and the delay time starts over. Test Case 1: Analog Input level below ETR Trip level Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YSIL I/O pack. 2. Confirm configured limits for 4-20 mA input types. 3. Configure TripEnab(CFG), TripSetPoint(CFG) and TripDelay(CFG) for AnalogInputx_R, S and T to trip at a level of 10 mA after a delay of 100 ms. Test Steps: 1. Select an input value equal to 2% of full scale (0.4 mA) below the TripSetPoint(CFG) value. 2. Perform this test for each configured input channel. Acceptance Criteria: OPT LED is green, indicating an ETR trip has not occurred due to a Composite Analog Trip. 188 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Test Case 2: Analog Input level above ETR Trip level Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YSIL I/O pack. 2. Confirm configured limits for 4-20 mA input types. 3. Configure TripEnab(CFG), TripSetPoint(CFG) and TripDelay(CFG) for AnalogInputx_R, S and T to trip at a level of 10 mA after a delay of 100 ms. Test Steps: 1. Select an input value equal to 2% of full scale (0.4 mA) above the TripSetPoint(CFG) value. 2. After removal of signal from analog channel under test, apply a master reset to clear the YSIL’s ETR trip. 3. Perform this test for each configured input channel. Acceptance Criteria: OPT LED is red, indicating an ETR trip has occurred due to a Composite Analog Trip. 6.6.9 Thermocouple Input Accuracy When two or more thermocouples are in near proximity and are expected to measure the same ambient temperature, an alternative test is to record and compare the temperature profile as the thermocouples cool from operational temperature and converge to the same ambient temperature. This alternative test could take several hours for ambient temperature to stabilize. Test Overview: To test the accuracy of the YSIL pack for various thermocouple configurations. Test Setup: Obtain a mV signal source, capable of fractional mV signals. Alternative: Use a calibrated heat source or thermocouple test set. Test Steps: 1. For the configured thermocouple, select the applicable thermocouple type from one of the following tables: Type E Thermocouples, Type J Thermocouples, Type K Thermocouples, Type S Thermocouples, or Type T Thermocouples. 2. Read the Cold Junction temperature from the ToolboxST application Cold Junction tab. 3. Look up the equivalent mV reading for the cold junction temperature under the table heading Cold Junction Compensation. Some interpolation is required. 4. Select one of the mV values in the thermocouple table and inject a mV signal such that the sum of the cold junction mV values and the injected mV signal at the terminal board input equals one of the mV values in the mV column of the thermocouple table. The temperature reading for that thermocouple reading displayed in the ToolboxST application should be equal to the temperature in the table. 5. Repeat step 4 for a second mV value in the thermocouple table. Example Test: Proof Tests GEH-6723W Functional Safety Manual 189 Public Information As an example, the test steps for a Type E thermocouple with a cold junction reading of 76.9 °F (25 °C) would be as follows: 1. In the table Type E Thermocouples, for 76.9 °F (25 °C) the cold junction mV compensation is 1.49 mV. 2. Select 10 mV as a thermocouple test value. 3. Inject a mV signal of (10.0 – 1.5) = 8.5 mV at the terminal board screws. 4. The thermocouple should read 307 ±5 °F (152.8 ± -15 °C). Acceptance Criteria: A minimum of five mV values from the thermocouple section of the Type x table requires that the measured temperature signals be within ± -15 °C (5 °F) of the expected temperature for the input accuracy test to be accepted. Type E Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.7 -0.373 -0.047 0.264 0.594 0.924 1.261 1.597 1.939 mV Deg F Deg C 0 32 0.00 10 307.35 152.97 20 547.99 286.66 30 40 775.69 998.58 413.16 536.99 Type J Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.609 -0.332 -0.055 0.226 0.509 0.791 1.078 1.364 1.654 mV Deg F Deg C 0 32 0.00 10 366.73 185.96 20 691.7 366.50 30 1015.14 546.19 40 1317 713.89 Type K Thermocouples Thermocouple Cold Junction Compensation 190 Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.476 -0.26 -0.043 0.177 0.398 0.619 0.844 1.068 1.295 GEH-6723W mV Deg F Deg C 0 32 0.00 10 475.2 246.22 20 904.78 484.88 30 1329.48 720.83 40 1773.32 967.41 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Type S Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV mV Deg F Deg C 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.063 -0.034 -0.006 0.025 0.056 0.087 0.12 0.152 0.187 0 5 10 15 32 1070 1896.5 2646 0 576.67 1035.84 1452.23 Type T Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.464 -0.253 -0.042 0.174 0.393 0.611 0.835 1.06 1.289 Proof Tests mV Deg F Deg C 0 5 10 15 20 32 239.45 415.92 576.28 726.55 0 115.25 213.29 302.38 385.86 GEH-6723W Functional Safety Manual 191 Public Information 6.6.10 Open Thermocouple Inputs Detection Test Overview: This test demonstrates that the YSIL can successfully recognize when a thermocouple input becomes an open circuit. Test Setup: Short each configured thermocouple input from the positive to the negative terminal. Test Steps: 1. From the ToolboxST application, confirm that each of the configured thermocouple channels temperature readings is approximately the same as the cold junction. 2. Remove the short on the first channel to create an open circuit. 3. From the Toolbox application, confirm that the pack generates a diagnostic due to the open circuit. 4. Return the channel to a shorted condition. 5. Repeat steps 2 through 4 for each configured channel. Acceptance Criteria: All channels properly generate a diagnostic when the circuit is opened. 6.6.11 Thermocouple Input Low Source Voltage Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the pack (for a TMR terminal board disconnect the power supply from two packs). 2. Confirm that all the inputs go Unhealthy. Acceptance Criteria: • • 192 When the I/O pack is disconnected, a diagnostic is generated and all inputs display as Unhealthy. Variables PS18V_YSIL and PS28V_YSIL display False and Unhealthy. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.12 Digital Output Control Test Overview: This is a functional test that verifies that the Mark VIeS controller can control each output, that outputs are controlled through fault tolerant voting in TMR system, and that there is no cross-interference between outputs. Relay actuation can be detected several ways: 1. If the device controlled by the relay is safe to actuate it may be used to determine the relay output state. 2. With wetting voltage applied the voltage at relay terminal board may be read. 3. Remove any wetting voltage and read the relay contact path resistance. For method two and three, removing the terminal board screw blocks and replacing them with test blocks is recommended. For method three, a voltage reading prior to the resistance reading is recommended for safety purposes. Test Setup: Perform the appropriate test based on configuration of each of the outputs. Test Case 1: Test Output Used and Normal Test all outputs that are configured as follows: • RelayOutput(CFG) = Used 1. Verify that all outputs are initially be turned off. 2. Turn on the relay output. 3. Verify that only the correct relay on the terminal board is energized. 4. Repeat for all configured relay outputs. Acceptance Criteria: With the output turned on in the controller, only the correct relay on the terminal board is energized. Proof Tests GEH-6723W Functional Safety Manual 193 Public Information 6.6.13 Contact Input Low Source Voltage Test Overview: This is a functional test that verifies that the pack monitors its 28 V dc supply, generates diagnostics if the supply is out of limits, and performs an orderly shutdown if power supply voltage is too low for safe operation. Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the pack, in a TMR system disconnect the power connection from two packs. 2. Confirm that all the inputs display as Unhealthy. For loss of power on one I/O pack of TMR, look for disagreement diagnostic. Acceptance Criteria: When the I/O pack is disconnected, a diagnostic is generated and all inputs display as Unhealthy. 194 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.14 SCSA Contact Input Status Test Overview: This tests the following items that are configurable on each digital input from the ToolboxST application and verifies that the controllers can receive the input data. • • • ContactInput(CFG) (Used/Unused) SignalInvert(CFG) (Normal/Invert) DiagVoteEnab(CFG) (Enable/Disable) Test Setup: Perform the appropriate test case on each of the inputs as they are configured. Test Steps: Test Case 1: Test Input Used, Normal 1. Test all inputs that are configured as follows: • • • ContactInput(CFG) = Used SignalInvert(CFG) = Normal DiagVoteEnab(CFG) = Enable 2. Verify that with the input open, all three controllers indicate the status of the input as False. 3. Connect a jumper between Input X (Positive) and Input X (Return) and verify that each controller (R, S, T) correctly reads the status of the input as True and that there is no voting disagreement diagnostic. 4. Check that there is no cross-interference by verifying that the status of all other inputs is False. Acceptance Criteria: When the inputs are jumpered, all three controllers indicate the status as True, all inputs not jumpered have a status of False, and there are no voting diagnostics. Test Case 2: Test Input Used, Invert 1. Test all inputs that are configured as follows: • • ContactInput(CFG) = Used SignalInvert(CFG) = Invert 2. Verify that with the input open, all three controllers indicate the status of the input as True. 3. Connect a jumper between Input X (Positive) and Input X (Return). 4. Verify that each controller (R, S, T) correctly reads the status of the input as False. Acceptance Criteria: • • • When the inputs are jumpered, all three controllers indicate the status as False. All inputs not jumpered have a status of True. There are no voting diagnostics. Proof Tests GEH-6723W Functional Safety Manual 195 Public Information 6.6.15 TCSA Contact Input Status Test Overview: This tests verifies that the controllers can receive the input data and the following items are configurable on each digital input from the ToolboxST application: • • ContactInput(CFG) (Used/Unused) SignalInvert(CFG) (Normal/Invert) Test Setup: Perform the appropriate test case on each of the inputs as they are configured. Test Steps: Test Case 1: Test Input Used, Normal 1. Test all inputs that are configured as follows: • • ContactInput(CFG) = Used SignalInvert(CFG) = Normal 2. Verify that with the input open, all three controllers indicate the status of the input as False. 3. Connect a jumper between Input X (Positive) and Input X (Return) and verify that each controller (R, S, T) correctly reads the status of the input as True and that there is no voting disagreement diagnostic. 4. Check that there is no cross-interference by verifying that the status of all other inputs is False. Acceptance Criteria: • • • When the inputs are jumpered, all three controllers indicate the status as True. All inputs not jumpered have a status of False. There are no voting diagnostics. Test Case 2: Test Input Used, Invert 1. Test all inputs that are configured as follows: • • ContactInput(CFG) = Used SignalInvert(CFG) = Invert 2. Verify that with the input open, all three controllers indicate the status of the input as True. 3. Connect a jumper between Input X (Positive) and Input X (Return). 4. Verify that each controller (R, S, T) correctly reads the status of the input as False. Acceptance Criteria: • • • 196 When the inputs are jumpered, all three controllers indicate the status as False. All inputs not jumpered have a status of True. There are no voting diagnostics. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.16 TCSA Contact Input Trip Tests Test Overview: This test verifies action of the contact input trips including trip logic in YSIL firmware. Test Setup: Select the applicable Test Case according to configuration of the Contact Inputs. Test Steps: These tests are relevant for TCSA terminal boards. Test Case 1: TripMode: Direct Trip (CFG) 1. Energize Contact Input and reset trip relays. a. Close contacts on E-Stop button or connect a jumper across E-TRP (H) and TRP (L). b. Clear all trip sources and reset the YSIL such that the emergency trip relays (ETR1-3) are picked up. If configured as ETR, then ETR4–6 and ETR7–9. c. Verify that each controller (R, S, T) correctly reads the status of the contact input. Acceptance criteria: Controllers correctly read the status of the contact input. 2. Initiate trip. a. Open the contact input to generate a trip. b. Verify that each controller (R, S, T) correctly reads the status of the contact input. Acceptance criteria: The controllers correctly read the status of the contact input and a diagnostic alarm message is generated indicating that the YSIL has tripped. 3. Confirm trip cannot be reset. Attempt to reset the trip by turning on the MasterReset output in the controller and confirm that the trip cannot be cleared with a reset as long as the contact remains open. Acceptance criteria:. The ETRs remain open and the diagnostic alarm message is generated indicating that the YSIL has tripped. Proof Tests GEH-6723W Functional Safety Manual 197 Public Information Test Case 2: TripMode: Conditional Trip (CFG) 1. Test Conditional Trip – Negative. a. Close contacts on E-Stop button or connect a jumper to energize the contact input. b. Clear all trip sources and reset the YSIL such that the emergency trip relays (ETR1-3) are picked up. c. In the controller Vars-CI tab, set the value of trip#_inhibit to True. d. Open E-Stop button or remove the jumper from the contact input and confirm that the contact input does not cause a trip. Acceptance criteria: Contact input does not cause trip when inhibit signal is True. 2. Test Conditional Trip – Positive. a. Close contacts on E-Stop button or connect a jumper to energize the contact input. b. Clear all trip sources and reset the YSIL such that the emergency trip relays (ETR1-3) are picked up. c. In the controller Vars-CI tab, set the value of trip#_inhibit to False. d. Open E-Stop button or remove the jumper from the contact input and confirm that the contact input does cause a trip. Acceptance criteria: Contact input causes trip when inhibit signal is False. 198 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.6.17 TCSA ETR#_Open Test Test Overview: This test verifies the Vars-Relay output Booleans, ETR1_Open through ETR9_Open control of the Emergency Trip Relays (ETRs) and checks the response of the ETRs on the TCSA terminal board. These tests can move valves. Take precautions or use bypass procedures. Warning Test Steps: Test Case 1: ETRs closed for non-trip case 1. Configure K4 – K6 and K7 – K9 in TripMode. Set TripMode to Enable for both sets of relays. 2. Enable K1_Fdbk – K9_Fdbk for Sequence of Events and Diagnostics a. Set SeqOfEvents equal to Enable. b. Set DiagVoteEnab equal to Enable. 3. Set ETRs in “non-trip” state. a. Set all ETR#_Open output Booleans to False. b. Clear all trip sources and reset the YSIL such that the emergency trip relays (ETR1-9) are picked up. 4. Verify that the relay feedbacks, K1_Fdbk thru K9_Fdbk display the ETRs energized. Acceptance Criteria: The emergency trip relays are closed and all controllers read the status correctly. Test Case 2: ETRs opened for trip case 1. Initiate ETR Trip Condition. Set ETR1_Open output Boolean to True. 2. Verify that the relay feedback, K1_Fdbk displays the ETR1 de-energized or open (Trip state). 3. Verify that the controllers read the trip state for K1. 4. Repeat steps 1 through 3 for all nine relays. Acceptance Criteria: The emergency trip relays are open and all controllers read the status correctly. Proof Tests GEH-6723W Functional Safety Manual 199 Public Information 6.7 YTCC Test Procedures For TBTC-mounted YTCCs, a terminal board test terminal block facilitates maintaining the field wiring while performing thermocouple tests. If a test terminal block cannot be used, remove each Thermocouple (TC) connection for each TC test. Reconnect when finished. 6.7.1 Thermocouple Input Accuracy When two or more thermocouples are in near proximity and are expected to measure the same ambient temperature, an alternative test is to record and compare the temperature profile as the thermocouples cool from operational temperature and converge to the same ambient temperature. This alternative test could take several hours for ambient temperature to stabilize. Test Overview: This test verifies the accuracy of the YTCC I/O pack for various thermocouple configurations. Test Setup: Obtain a mV signal source, capable of fractional mV signals. Alternative: Use a calibrated heat source or thermocouple test set. Test Steps: 1. For the configured thermocouple, select the applicable thermocouple type from one of the following tables: Type E Thermocouples, Type J Thermocouples, Type K Thermocouples, Type S Thermocouples, or Type T Thermocouples. 2. Read the Cold Junction temperature from the ToolboxST application Cold Junction tab. 3. Look up the equivalent mV reading for the cold junction temperature under the table heading Cold Junction Compensation. Some interpolation is required. 4. Select one of the mV values in the thermocouple table and inject a mV signal such that the sum of the cold junction mV values and the injected mV signal at the terminal board input equals one of the mV values in the mV column of the thermocouple table. The temperature reading for that thermocouple reading displayed in the ToolboxST application should be equal to the temperature in the table. 5. Repeat step 4 for a second mV value in the thermocouple table. For example, for a type E thermocouple with a cold junction reading of 76.9 °F (25 °C), the test steps would be as follows: 1. In the table Type E Thermocouples, for 76.9 °F (25 °C) the cold junction mV compensation is 1.49 mV. 2. Select 10 mV as a thermocouple test value. 3. Inject a mV signal of (10.0 – 1.5) = 8.5 mV at the terminal board screws. 4. The thermocouple should read 152.9 ± 2.7 °C (307 ±5 °F). Acceptance Criteria: A minimum of five mV values from the thermocouple section of the Type x table requires that the measured temperature signals be within ± 2.7 °C (5 °F) of the expected temperature for the input accuracy test to be accepted. 200 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Type E Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.7 -0.373 -0.047 0.264 0.594 0.924 1.261 1.597 1.939 mV Deg F Deg C 0 32 0.00 10 307.35 152.97 20 547.99 286.66 30 40 775.69 998.58 413.16 536.99 Type J Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.609 -0.332 -0.055 0.226 0.509 0.791 1.078 1.364 1.654 mV Deg F Deg C 0 32 0.00 10 366.73 185.96 20 691.7 366.50 30 1015.14 546.19 40 1317 713.89 Type K Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.476 -0.26 -0.043 0.177 0.398 0.619 0.844 1.068 1.295 mV Deg F Deg C 0 32 0.00 10 475.2 246.22 20 904.78 484.88 30 1329.48 720.83 40 1773.32 967.41 Type S Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV mV Deg F Deg C 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.063 -0.034 -0.006 0.025 0.056 0.087 0.12 0.152 0.187 0 5 10 15 32 1070 1896.5 2646 0 576.67 1035.84 1452.23 Proof Tests GEH-6723W Functional Safety Manual 201 Public Information Type T Thermocouples Thermocouple Cold Junction Compensation Deg F Deg C mV 10 20 30 40 50 60 70 80 90 -12.2 -6.7 -1.1 4.4 10.0 15.6 21.1 26.7 32.2 -0.464 -0.253 -0.042 0.174 0.393 0.611 0.835 1.06 1.289 mV Deg F Deg C 0 5 10 15 20 32 239.45 415.92 576.28 726.55 0 115.25 213.29 302.38 385.86 6.7.2 Open Thermocouple Inputs Detection Test Overview: This test demonstrates that the YTCC can successfully recognize when a thermocouple input becomes an open circuit. Test Setup: • • To preserve the field wiring, remove and replace the thermocouple wired terminal block with a test terminal block. Short each configured thermocouple input from the positive to the negative terminal. Test Steps: 1. From the ToolboxST application, confirm that each of the configured thermocouple channels temperature readings is approximately the same as the cold junction. 2. Remove the short on the first channel to create an open circuit. 3. From the Toolbox application, confirm that the pack generates a diagnostic due to the open circuit. 4. Return the channel to a shorted condition. 5. Repeat steps 2 through 4 for each configured channel. Acceptance Criteria: When the circuit is opened, all channels properly generate a diagnostic. 202 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.7.3 Thermocouple Input Low Source Voltage Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the I/O pack. For a TMR terminal board, disconnect the power supply from two I/O packs. 2. Confirm that all the inputs go unhealthy. Acceptance Criteria: • • With the I/O pack’s power removed, all inputs are displayed as Unhealthy and a diagnostic is generated. Variables PS18V_YTCC and PS28V_YTCC display False and Unhealthy. Proof Tests GEH-6723W Functional Safety Manual 203 Public Information 6.8 YTUR Test Procedures Configurable items in the YTUR pack are identified in this test plan by including (CFG) at the end of the name of the item. Any configurable items that must be set for a particular test are defined in the detailed test instructions below. If a setting is not given for a configurable item, it is not relevant to that test. • • • Unless otherwise noted, verify that there are no diagnostics faults on the YTUR pack under test prior to performing each test case. Any diagnostic fault(s) that are expected to occur as a result of performing a test case are detailed in the acceptance criteria for the test case. If additional diagnostics faults are generated that are not detailed in the acceptance criteria, they must be fully explained prior to acceptance of the test. Note The following tests can be performed in any order. Individual steps within a test should be performed in the order presented. 6.8.1 Speed Inputs Accuracy Test Overview: This test checks the characteristics of speed inputs (range and accuracy). It verifies that the YTUR supports applications by allowing speed inputs to be sent to the controllers without cross-interference. Alternative Accuracy Test: Compare YTUR speed signal at several different operating points with BPCS speed signals. Test Steps: 1. a. Connect an oscilloscope to the speed sensor terminal board inputs to measure the pulse rates from the speed pickups Or b. 204 Disconnect the speed sensor inputs and configure a function generator for a 9 Vpp sine wave output with zero offset to provide a reference speed signal to the pulse rate inputs. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Speed Input Accuracy 2. For at least two speeds in the range of 2 to 20,000 Hz, apply a speed signal and record the value of speed reported by the controller. Note It is best to select a maximum applied test frequency that represents the overspeed signal for the unit under test. 3. Verify that the channel being stimulated reads the correct value of speed and that all inputs that are not being stimulated read zero. 4. Repeat steps 2 and 3 on all configured pulse rate inputs. Acceptance Criteria: • • • • The speed input function has less than a 1% deviation between the actual steady state field signal and the reported value. Each channel reads the correct value of speed when stimulated. All inputs that are not being stimulated read zero. There are no diagnostics. Proof Tests GEH-6723W Functional Safety Manual 205 Public Information 6.8.2 TRPA E-Stop Input Test Overview: This test verifies that the E-Stop input on the TRPA: • • Can drive the trip relay outputs Can cross-trip the YPRO trip logic Test Setup: Note This test assumes that the trip solenoids are isolated from the circuit. For each trip relay output, connect dummy loads to simulate trip solenoids as follows: 1. Connect one side of an appropriately sized resistor (10 kΩ 2 W) to the positive side of the trip relay output. 2. Connect the other side of the resistor to the positive side of a power supply (output voltage of power supply should be set to the nominal trip circuit voltage). 3. Connect the negative side of the power supply to the negative side of the trip relay output. Test Steps: 1. Energize the E-Stop input and reset the trip relays (clear all trip sources and reset the YTUR such that the trip relays (PTR1-2) are picked up). 2. Verify that each controller (R, S, and T) correctly reads the status of the E-Stop input (KESTOP1_Fdbk). 3. Initiate an E-Stop Trip. 4. Verify the PTR’s are de-energized (dropped out and that each controller (R, S, and T) correctly reads the status of the E-Stop input (KESTOP1_Fdbk). Acceptance Criteria: • • 206 E-Stop is energized (closed), the Primary Trip Relays (PTR) are energized (picked up) E-Stop is open, the PTRs are de-energized (dropped out) GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.8.3 Flame Detection Inputs – Loss of Flame Detection Test Overview: This test checks for the YTUR to detect loss of flame and also verifies that no flame is the fail-safe state. Test Setup: For each configured (Geiger-Muller) flame detector input, connect a function generator as indicated in the following figure: Flame Detector Simulation Test Steps: Perform the following steps five times on each of the flame detector inputs: 1. Set the function generator to 500 Hz, 5 V dc pp saw tooth with a 5 V dc offset. 2. Verify that FDn_Flame = True. 3. Remove the function generator signal from the flame detector input. 4. Verify that FDn_Flame transitions to False. Acceptance Criteria: • • The function generator signal is disconnected and FDn_Flame transitions to False. There are no diagnostics generated during this test. Proof Tests GEH-6723W Functional Safety Manual 207 Public Information 6.8.4 Low Source Voltage Test Overview: This test verifies that the I/O pack: • • • Monitors its 28 V dc supply Generates diagnostics, if the supply is out of limits Performs an orderly shutdown, if the power supply voltage is too low for safe operation Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the I/O pack. For TMR, disconnect two 28 V power supply connections. 2. Confirm that all the outputs are in their safe state and display as Unhealthy, and a diagnostic is generated. Acceptance Criteria: The supply voltage is less than 16 ± 1 V dc and: • • • 208 All outputs go their fail-safe state and displays as Unhealthy. A diagnostic is generated. Variables PS18V_YTUR and PS28V_YTUR display False and Unhealthy. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.9 YUAA Test Procedures 6.9.1 mA / Voltage Input Accuracy Test Overview: • • Test the accuracy of the YUAA mA / voltage-configured inputs of the I/O pack Test out of range detection for the configured I/O pack ToolboxST Parameters: • • • • • • • • • • • • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Current Inputs Tab: Low_Input(CFG) (<value>) Current Inputs Tab: High_Input(CFG) (<value>) Current Inputs Tab: Low_Value(CFG) (<value>) Current Inputs Tab: High_Value(CFG) (<value>) Current Inputs Tab: Min_MA_Input(CFG) (<value>) Current Inputs Tab: Max_MA_Input(CFG) (<value>) Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Voltage Inputs Tab: Input Type(CFG) (±5 V, =/-10 V) Voltage Inputs Tab: Low_Input(CFG) (<value>) Voltage Inputs Tab: High_Input(CFG) (<value>) Voltage Inputs Tab: Low_Value(CFG) (<value>) Voltage Inputs Tab: High_Value(CFG) (<value>) Test Setup: 1. Obtain a multi-meter and a signal source capable of generating current and voltages within the ranges of the configured YUAA I/O pack. 2. Refer to the table Test Values for Configuration Settings for a set of test values. Use only the test values associated with the configured I/O point. Configuration changes are not required. Test Steps: • • • For the configured I/O, select the appropriate test values from the table Test Values for Configuration Settings and apply them to the input. Document the value that the YUAA reads for each test value, as displayed in the Current Inputs or Voltage Inputs tab in the ToolboxST application. The following acceptance criteria provides the calculations needed to assess accepted results. Perform these test steps for each configured input channel. Proof Tests GEH-6723W Functional Safety Manual 209 Public Information Acceptance Criteria: • All measured values must be within 0.2% of the full range input values for the input accuracy test to be accepted. Perform the following steps to make this determination: 1. Capture the configured scaling parameter values Low_Input, High_Input, Low_Value, High_Value for the I/O point to be tested. Use the following calculations to compute the Expected Value in Engineering Units, based upon the applied Test_ Input in mA or V: 2. Use the following calculation to determine the deviation range: 3. Acceptable measured values for each Test Input must fall within the range Expected_Value ± Deviation, per the formulas above. • For out of range values, use the ToolboxST application to confirm that the YUAA alerts the system that the input is out of range through the Diagnostics tab, and that the channel goes Unhealthy. Test Values for Configuration Settings Configured Input Type 4-20 mA 5V Test Inputs Expected Reading 3 mA Out of Range Diagnostic 8 mA Expected_Value ± Deviation 12 mA Expected_Value ± Deviation 16 mA Expected_Value ± Deviation 22 mA Out of Range Diagnostic ↓ ↓ -6 V Out of Range Diagnostic -2.5 V Expected_Value ± Deviation 0V Expected_Value ± Deviation 2.5 V Expected_Value ± Deviation 6V Out of Range Diagnostic ↓ ↓ -12 V 10 V 210 GEH-6723W Out of Range Diagnostic -6 V Expected_Value ± Deviation 0V Expected_Value ± Deviation 6V Expected_Value ± Deviation 12 V Out of Range Diagnostic GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.9.2 mA Output Accuracy Test Overview: Test the accuracy of the YUAA analog outputs for the configured I/O packs. ToolboxST Parameters: • • • • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Current Outputs Tab: Low_MA(CFG) (<value>) Current Outputs Tab: High_MA(CFG) (<value>) Current Outputs Tab: Low_Value(CFG) (<value>) Current Outputs Tab: High_Value(CFG) (<value>) Test Setup: 1. Connect a multi-meter to the configured mA outputs. 2. Add a load to the output of approximately 800 Ω or meter in line with the actual load device. Test Steps: 1. Connect the output of the YUAA to a multi-meter that is capable of measuring voltage and current. 2. Set the output of the I/O pack to the first value in the table Output Ranges to Test. To set the output, from the ToolboxST Current Output tab, change the value of IOPointxx. 3. Record the measured output current (mA) reading for this channel and output level. 4. Repeat steps 2 and 3 for each value in the table Output Ranges to Test. 5. Repeat steps 1 through 4 for all channels configured for mA outputs. Acceptance Criteria: All measured values must be within 1.0% of the expected output values for the accuracy test to be accepted. Output Ranges to Test Output Value Expected Value 0 mA 4 mA 8 mA 12 mA 16 mA 20 mA 0 mA ± 0.2 4 mA ± 0.2 8 mA ± 0.2 12 mA ± 0.2 16 mA ± 0.2 20 mA ± 0.2 Proof Tests GEH-6723W Functional Safety Manual 211 Public Information 6.9.3 Thermocouple Input Accuracy When two or more thermocouples are in near proximity to each other and are expected to measure the same ambient temperature, an alternative test can be performed to record and compare the temperature profile as the thermocouples cool from operational temperature and converge to the same ambient temperature. This alternative test may take several hours for ambient temperature to stabilize. Test Overview: Test the accuracy of the YUAA I/O pack for various thermocouple configurations. ToolboxST Parameters: • • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Thermocouples Tab: ThermCplType(CFG) (mV, B, E, J, K, N, R, S, T) Thermocouples Tab: ReportOpenTC(CFG) (Fail_Cold, Fail_Hot) Test Setup: Obtain a mV signal source that is capable of fractional mV signals. Alternative: Use a calibrated heat source or thermocouple test set. Test Steps: 1. For the configured thermocouple, select the applicable thermocouple type from one of the following tables: Type B Thermocouples, Type E Thermocouples, Type J Thermocouples, Type K Thermocouples, Type N Thermocouples, Type R Thermocouples, Type S Thermocouples, or Type T Thermocouples. 2. From the ToolboxST Variables tab, read the temperature for the variables ColdJunc01 and ColdJunc02 and average the readings from the two inputs. 3. Look up the equivalent mV reading for the cold junction temperature in the Cold Junction Compensation column of the applicable Thermocouples table. Some interpolation is required. 4. Select one of the mV values in the applicable Thermocouples table and inject a mV signal such that the sum of the cold junction mV values and the injected mV signal at the terminal board input equals one of the mV values in the mV column of the thermocouple table. The temperature reading displayed in ToolboxST for that thermocouple reading should be equal to the temperature in the table. 5. Repeat step 4 for a second mV value in the applicable Thermocouple table. For example, for a type E thermocouple with a cold junction reading of 25 °C (76.9 °F), the test steps would be as follows: 1. In the table Type E Thermocouples, for 25 °C (76.9 °F) the cold junction mV compensation is 1.49 mV. 2. Select 10 mV as a thermocouple test value. 3. Inject a mV signal of (10.0 – 1.5) = 8.5 mV at the terminal board screws. 4. The thermocouple should read 152.8 ± -15 °C (307 ± 5 °F). Acceptance Criteria: All measured temperature signals should be within ± -15 °C (5 °F) of the expected temperature for the input accuracy test to be accepted. 212 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Type B Thermocouples Thermocouple Cold Junction Compensation ºF 32 60 80 100 120 mV -0.002 -0.002 -0.002 -0.001 0.002 mV 0 3 6 9 12 ºF 32.00 1435.48 2052.32 2559.03 3025.40 Type E Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.373 -0.047 0.264 0.594 0.924 mV 0 10 20 30 40 ºF 32 307.35 547.99 775.69 998.58 Type J Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.332 -0.055 0.226 0.509 0.791 mV 0 10 20 30 40 ºF 32 366.73 691.7 1015.14 1317.0 Type K Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.26 -0.043 0.177 0.398 0.619 mV 0 10 20 30 40 ºF 32 475.2 904.78 1329.48 1773.32 Type N Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.173 -0.029 0.116 0.261 0.408 mV 0 10 20 30 40 ºF 32 605.30 1083.66 1542.89 2007.87 Type R Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.035 -0.006 0.024 0.054 0.085 mV 0 5 10 15 20 Proof Tests ºF 32 1018.56 1762.76 2419.44 1762.76 GEH-6723W Functional Safety Manual 213 Public Information Type S Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.034 -0.006 0.025 0.056 0.087 mV 0 5 7 10 15 ºF 32 1070 1414.67 1896.5 2646 Type T Thermocouples Thermocouple Cold Junction Compensation ºF 20 30 40 50 60 mV -0.253 -0.042 0.174 0.393 0.611 mV -5 0 5 10 15 ºF -267.72 32 239.45 415.92 576.28 6.9.4 Open Thermocouple Inputs Detection Test Overview: This test demonstrates that the YUAA I/O pack can successfully recognize when a thermocouple input becomes an open circuit. Test Setup: Short each configured thermocouple input from the positive to the negative terminal. Test Steps: 1. From the ToolboxST application, confirm that each of the configured thermocouple channels temperature readings is approximately the same as the cold junction. 2. Remove the short on the first channel to create an open circuit. 3. From the ToolboxST application, confirm that the I/O pack generates a diagnostic as a result of the open circuit. 4. Return the channel to a shorted condition. 5. Repeat steps 2 through 4 for each configured channel. Acceptance Criteria: All channels properly generate a diagnostic when the circuit is opened. 214 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.9.5 RTD Input Accuracy Test Overview: This test verifies the accuracy of the YUAA I/O pack for various RTD configurations. ToolboxST Parameters: • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) RTD Tab: RTDType(CFG) (MINCO_CA, MINCO_NA, MINCO_PA, MINCO_PB, MINCO_PD, MINCO_PIA, MINCO_PK, MINCO_PN, Ohms, PT100_SAMA) Test Setup: Obtain precision resistors for a source with 0.1% tolerance, and a small wire jumper. When connecting a resistor to a YUAA input channel, wire the resistor and a wire jumper as displayed in the following figure. Precision Resistor Test Wiring Configuration Test Steps: 1. For the configured RTD, select the applicable RTD type from one of the following tables. 2. Connect the appropriate precision resistor and observe the measured temperature in ToolboxST corresponding to the resistance value. 3. Repeat step 2 for a total of five different resistance values. Acceptance Criteria: All measured temperature signals should match the expected values within the accuracy specified in the applicable tables for a given RTD type as follows. RTD Type Minco NA (120 Ω Nickel) Accuracy: ± 2 ºF Ω 68.1 121 150 260 332 ºF -107.8 34.54 104.5 321.2 434.4 Proof Tests GEH-6723W Functional Safety Manual 215 Public Information RTD Type Minco PA (100 Ω Platinum) Accuracy: ± 4 ºF Ω 56.2 68.1 121 150 260 ºF -162.3 -110.3 127.6 262.2 803.5 RTD Type Minco PB (100 Ω Platinum) Accuracy: ± 4 ºF Ω 56.2 68.1 121 150 260 ºF -163.0 -110.8 128.0 263.1 806.7 RTD Type Minco PD (100 Ω Platinum) Accuracy: ± 4 ºF Ω 68.1 121 150 260 332 ºF -113.0 129.5 266.8 820.2 1216 RTD Type Minco PT100 SAMA (100 Ω Platinum) Accuracy: ± 4 ºF Ω 68.1 121 150 260 332 ºF -113.0 129.5 266.8 820.2 1216 RTD Type Minco PIA (100Ω Ω Platinum) Accuracy: ± 4 ºF Ω 68.1 121 150 260 332 ºF -110.1 127.6 262.1 803.2 1189 RTD Type Minco PK, PN 216 GEH-6723W (200Ω Ω Platinum) Accuracy: ± 2 ºF Ω 150 226 260 332 390 ºF -79.84 91.01 169.1 337.8 477.4 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information RTD Type Minco CA (10Ω Ω Copper) Accuracy: ± 10 ºF Ω 7.5 10 13 15 18 ºF -39.55 76.98 216.8 310.0 448.5 6.9.6 Open RTD Inputs Detection Test Overview: This test demonstrates that the YUAA I/O pack can successfully recognize when an RTD input becomes an open circuit. Test Setup: For each appropriate channel, select a precision resistor and wire it in accordance with the figure Precision Resistor Test Wiring Configuration provided in the section RTD Input Accuracy, sub-section Test Setup. To choose a resistor value, refer to the RTD Type tables provided in the section RTD Input Accuracy and pick one of the five values pertaining to the configured RTD type. Test Steps: 1. From the ToolboxST application, confirm that each of the configured RTD channel’s temperature readings is at an approximate range for the application. 2. Disconnect the wire connections to the PWR_RET screw terminal of the configured RTD channels to create an open circuit. 3. From the ToolboxST application, confirm that the I/O pack generates a diagnostic as a result of the open circuit. 4. Return the channel to a normal condition and confirm that the diagnostic goes inactive. 5. Repeat steps 2 through 4 for each appropriate channel. Acceptance Criteria: Designated channels properly generate a diagnostic when the circuit is opened. Proof Tests GEH-6723W Functional Safety Manual 217 Public Information 6.9.7 Digital Input Status with Line Monitoring Test Overview: This test validates the specified parameters that can be configured for each YUAA input in ToolboxST and verifies that the controllers receive the input data. ToolboxST Parameters: • • • • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Digital Inputs Tab: SignalInvert(CFG) (Normal/Invert) Digital Inputs Tab: LineMonitoring(CFG) (Enable/Disable) Digital Inputs Tab: Input Mode(CFG) (External, Internal, NAMUR) Digital Inputs Tab: ExWettingVoltage(CFG) (<N/A>) Note N/A indicates Not Applicable; this parameter is not applicable for Internal Input mode. Test Setup: Perform the applicable Test Case on each of the digital inputs as they are configured. Test Steps: Test Case 1: No Signal Invert, Enable Line Monitoring, Internal Wetting 1. Verify that there is a 240 Ω resistor in parallel and a second 240 Ω resistor in series with the contact as described in Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II), the chapter PUAA, YUAA Universal I/O Modules, the section Internal Wetted Contact Inputs. 2. Verify that, with the input contact open, all three controllers indicate the status of the input as False. 3. Verify that, with the input contact closed, all three controllers indicate the status of the input as True. 4. Short the contact between the two external resisters to ground and verify that the controllers (R, S, T) generate a diagnostic indicating a shorted input. 5. Open the wire between the I/O+ and the external resister and verify that the controllers (R, S, T) generate an open wire diagnostic. Acceptance Criteria: • • • • • External 240 Ω resisters are in place. Digital input reads False when the contact is open. Digital input reads True when the contact is closed. Shorting contact circuit to ground will generate a shorted input diagnostic. Opening the contact circuit will generate an open input diagnostic. Test Case 2: Signal Invert, Enable Line Monitoring, Internal Wetting 1. Verify that there is a 240 Ω resistor in parallel and a second 240 Ω resistor in series with the contact as described in Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II), the chapter PUAA, YUAA Universal I/O Modules, the section Internal Wetted Contact Inputs. 2. Verify that, with the input contact open, all three controllers indicate the status of the input as True. 218 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 3. Verify that, with the input contact closed, all three controllers indicate the status of the input as False. 4. Short the contact between the two external resisters to ground and verify that the controllers (R, S, T) generate a diagnostic indicating a shorted input. 5. Open the wire between the I/O+ and the external resister and verify that the controllers (R, S, T) generate an open wire diagnostic. Acceptance Criteria: • • • • • External 240 Ω resisters are in place. Digital input reads False when the contact is closed. Digital input reads True when the contact is open. Shorting contact circuit to ground will generate a shorted input diagnostic. Opening the contact circuit will generate an open input diagnostic. 6.9.8 Pulse Accumulators Input Status Test Overview: This test validates the specified parameters that can be configured for each YUAA input in ToolboxST and verifies that the controllers receive the input data. ToolboxST Parameters: • • Configuration Tab: Mode(CFG) (Unused, CurrentInput, VoltageInput, RTD, CurrentOutput, Thermocouple, PulseAccum, DigitalInput) Pulse Accumulators Tab: PAThreshold(CFG) (<value>) Test Setup: Perform the following test steps on each of the Pulse Accumulator inputs as they are configured. Test Steps: 1. Obtain a signal source capable of generating voltages 2 V above and below the user-specific PAThreshold. 2. Connect the signal source to the input channel. Make note of the input channel’s current counts value. 3. Set the signal source to PAThreshold – 2 V. 4. Set the signal source to PAThreshold + 2 V. Observe the measured counts value for the channel. 5. Set the signal source to PAThreshold – 2 V. 6. Set the signal source to PAThreshold + 2 V. Observe the measured counts value for the channel. Acceptance Criteria: After step 4 and step 6 are performed, the input channel’s counts value should have increased by 1, for a total increase of 2 counts through the entire test procedure. Proof Tests GEH-6723W Functional Safety Manual 219 Public Information 6.9.9 Low Source Voltage Test Overview: This test is used to monitor the common source voltage for the YUAA to detect a power interruption and provide fault tolerance for the I/O functions. Test Setup: Prepare the system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the I/O pack. 2. Confirm that all the inputs go Unhealthy. Acceptance Criteria: • • 220 With the I/O pack’s power removed, all inputs are displayed as Unhealthy. Variable PS28V_YUAA is set to False or Unhealthy. GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.10 YVIB Test Procedures This test plan is designed for a generic configuration as described in each Test Steps section. Due to the large number of possible configurations for each signal type, some adjustment is necessary in the expected results if the configuration is different from the generic type. Refer to Mark VIe and Mark VIeS Control Systems Volume II: System Guide for General-purpose Applications (GEH-6721_Vol_II) for functional differences based on configuration parameters. It is not necessary to alter the configuration to conduct this test plan but results may vary based on configuration. 6.10.1 Vibration (VibProx, VibProx-KPH) Input Accuracy Test Overview: This test verifies the accuracy of the YVIB vibration configured as VibProx, VibProx-KPH. Test Setup: Obtain a function generator capable of sinusoid signals of 10 V dc pp and ±5 V dc offsets. To preserve field wiring, remove the wired terminal block and replace it with a test block for the following set of tests. Replace the field wired terminal block when testing is complete. IS200TVBAS1A/S2A Vibration Terminal Board Note Darkened box indicates proper jumper settings. For each of the configure channels 1-8 configured for vibration inputs, the following generic configuration is assumed: The columns highlighted in green in the following tables contain the configuration values to use to perform the proof test for the indicated vibration input channels. Attention The generic configuration in the following table is assumed for each of the configured channels 1-8 configured for vibration inputs. Proof Tests GEH-6723W Functional Safety Manual 221 Public Information Generic Configuration Parameters for All Channels Parameter Choices Value for Proof Test Vib_PP_Fltr 0.04 to 2.0 sec 0.1 MaxVolt_Prox -4.0 to 0.0 V dc -1.5 MinVolt_Prox -24.0 to -16.0 V dc -18.5 MaxVolt_KP -4.0 to 0.0 V dc -1.5 MinVolt_KP -24.0 to -16.0 V dc -22 MaxVolt_Seis 0.0 to 1.5 V dc 1 MinVolt_Seis -1.5 to 0.0 V dc -1 MaxVolt_Acc -12.0 to 1.5 V dc -8.5 MinVolt_Acc -24.0 to -1.0 V dc -11.5 MaxVolt_Vel -12.0 to 1.5 V dc -8.375 MinVolt_Vel -24.0 to -1.0 V dc -15.625 SystemLimits Enable, Disable Enable Gap (Gap 1-3) Configuration for GAP1_VIB1 through GAP3_VIB3 Parameter VIB_Type4 Scale Scale_Off TMR_DiffLimt GnBiasOvride Snsr_Offset Gain Choices Value for Proof Test PosProx, Unused, VibLMAccel, VibProx, VibProx-KPH, VibSeismic, VibVelomitor volts/mil or volts/ips 0.1 ±13.3 V dc 0 -1200 to +1200 Disable, Enable 2 0 to x V dc 1x, 2x, 4x, 8x 2.5 VibProx-KPH Enable 1x LMlpcutoff 1.5 Hz, 2.0 Hz, 2.5 Hz, 3.0 Hz, 3.5 Hz, 4.0 Hz, 4.5 Hz, 5.0 Hz 5 SysLim1Enabl Disable, Enable Disable SysLim1Latch Latch, NotLatch N/A SysLim1Type <=, >= N/A SysLimit1 -1200 to +1200 N/A SysLim2Enabl Disable, Enable Disable SysLim2Latch Latch, NotLatch N/A SysLim2Type <=, >= N/A SysLimit2 -1200 to +1200 N/A Gap (Gap 4-8) Configuration for GAP4_VIB4 through GAP8_VIB8 Parameter Choices Value for Proof Test VIB_Type PosProx, Unused, VibProx, VibProx-KPH, VibSeismic, VibVelomitor VibProx-KPH Scale volts/mil or volts/ips 0.1 Scale_Off ±13.3 V dc 0 TMR_DiffLimt -1200 to +1200 Disable, Enable 2 ±13.3 V dc 1x, 2x, 4x, 8x 2.5 Disable, Enable Disable Latch, NotLatch N/A GnBiasOvride Snsr_Offset Gain SysLim1Enabl SysLim1Latch 222 GEH-6723W Enable 1x GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Gap (Gap 4-8) Configuration for GAP4_VIB4 through GAP8_VIB8 (continued) Parameter Choices Value for Proof Test SysLim1Type <=, >= N/A SysLimit1 -1200 to +1200 N/A SysLim2Enabl Disable, Enable Disable SysLim2Latch Latch, NotLatch N/A SysLim2Type <=, >= N/A SysLimit2 -1200 to +1200 N/A If the vibration inputs under test are configured differently from the settings listed in the previous tables, the input signal or results should be adjusted to conform to the actual configuration. For example, if a high pass filter is employed, then the test signal frequency should be within the high pass frequency filter band. In this test a 6 V dc pp with a –5 V dc offset will be read as a 60 mil vibration with a 50 mil gap. As an alternative, use a shaker table connected to vibration sensor to provide a reference input signal. Test Steps: 1. Configure the signal source to apply a 50 Hz sine wave (6 V dc pp) with a dc offset of –5 V dc. 2. Document the value that the YVIB reads for each value, as seen in I/O Live Value in the Vib 1-8 tab. The first input channel will be called VIB1. The nominal value should be 60 mils. 3. Document the value that the YVIB reads for each value, as seen in I/O Live Value in the Gap 1-3 tab. The first input channel will be called GAP1_VIB1. The nominal value should be 50. 4. Document the value that the YVIB reads for each value, as seen in I/O Live Value in the Gap 4-8 tab. The first input channel will be called GAP4_VIB4. The nominal value should be 50. 5. Increase the signal frequency to 700 Hz. 6. Repeat steps through 5 for all vibration inputs configured as VibProx or VibProx-KPH. Acceptance Criteria: • • • For Vibration signals (VIB1-8) 5-200 Hz 1% at 3 V dc pp (±0.03 V dc) or ±0.3 mils scaled to 0.1 V dc/mil. For Vibration signals (VIB1-8) 200-700 Hz 5% at 3 V dc pp (±0.15 V dc) or ±1.5 mils scaled to 0.1 V dc/mil. For Gap signal (GAP1_VIB1-GAP8_VIB8) 1% FS (±0.2 V dc) or ±2.0 mils scaled to 0.1 V dc/mil. Proof Tests GEH-6723W Functional Safety Manual 223 Public Information 6.10.2 Vibration (VibSeismic) Input Accuracy Test Overview: This test verifies the accuracy of the YVIB vibration configured as VibSeismic inputs. Test Setup: Obtain a function generator capable of sinusoid signals of 10 V dc pp. To preserve field wiring, remove the wired terminal block and replace it with a test block for the following set of tests. Replace the field wired terminal block when testing is complete. IS200TVBAS1A/S2A Vibration Terminal Board Note Darkened box indicates proper jumper settings. The column highlighted in green in the following table contains the configuration values to use to perform the proof test for vibration input channels 4–8. Attention Gap (Gap 4-8) Configuration for GAP4_VIB4 through GAP8_VIB8 Parameter Choices Value for Proof Test VIB_Type PosProx, Unused, VibProx, VibProx-KPH, VibSeismic, VibVelomitor VibSeismic Scale Scale_Off volts/mil or volts/ips 0.1 ±13.3 V dc 0 TMR_DiffLimt -1200 to +1200 Disable, Enable 1200 ±13.3 V dc 1x, 2x, 4x, 8x 0 Disable, Enable Enable Latch, NotLatch NotLatch GnBiasOvride Snsr_Offset Gain SysLim1Enabl SysLim1Latch Enable 1x SysLim1Type <=, >= <= SysLimit1 -1200 to +1200 32.5 SysLim2Enabl Disable, Enable Enable SysLim2Latch Latch, NotLatch NotLatch SysLim2Type <=, >= >= SysLimit2 -1200 to +1200 88 224 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information If the Gap inputs under test are configured differently from the settings listed in the previous table, the input signal or results should be adjusted to conform to the actual configuration. For example, if the scale were configured to 0.2 V dc, then the live value would be one half the expected value. In this test, a 1.5 V dc pp with a 0 V dc offset will be read as a 7.5 mil vibration. Test Steps: 1. Configure the signal source to apply a 50 Hz sine wave (1.5 V dc pp) with a 0 V dc offset. 2. Document the value that the YVIB reads as seen in I/O Live Value in the Vib 1-8 tab. The nominal value should be 7.5 mils. 3. Repeat step 2 for all vibration inputs configured as VibSeismic. 4. Increase the signal frequency to 330 Hz. 5. Repeat step 2 for all vibration inputs configured as VibSeismic. Acceptance Criteria: Vibration seismic readings are accurate within 0.2 mils at 50 Hz and 0.5 mils at 660 Hz. 6.10.3 Position Proximeter (PosProx) Accuracy Test Overview: This test checks the accuracy of the YVIB configured position proximeter inputs, including: • • The vibration input module provides 4 channels of signal conditioning for field wired position inputs. The analog input function can be configurable by the controller over IONet communications. Note The Open Circuit Detection test can be conducted simultaneously with this test for PosProx configured channels. Test Setup: • • Obtain a signal source capable of providing a dc signal of –1 to –9 V dc. To preserve field wiring, remove the wired terminal block and replace it with a test block for the following set of tests. Replace the field wired terminal block when testing is complete. IS200TVBAS1A/S2A Vibration Terminal Board Note Darkened box indicates proper jumper settings. Proof Tests GEH-6723W Functional Safety Manual 225 Public Information The column highlighted in green in the following table contains the configuration values to use to perform the proof test for position input channels 9–12. Attention Gap (Gap 9-12) Configuration for GAP9_POS1 through GAP12_POS4 Parameter Choices Value for Proof Test VIB_Type PosProx, Unused PosProx Scale Scale_Off volts/mil or volts/ips 0.1 ±13.3 V dc 0 TMR_DiffLimt -1200 to +1200 Disable, Enable 1200 ±13.3 V dc 1x, 4x 2.5 GnBiasOvride Snsr_Offset Gain SysLim1Enabl Enable 1x Disable, Enable Enable SysLim1Latch Latch, NotLatch NotLatch SysLim1Type <=, >= <= SysLimit1 -1200 to +1200 32.5 SysLim2Enabl Disable, Enable Enable SysLim2Latch Latch, NotLatch NotLatch SysLim2Type <=, >= >= SysLimit2 -1200 to +1200 88 If the Gap inputs under test are configured differently from the settings listed in the previous table, the input signal or results should be adjusted to conform to the actual configuration. For example, if the scale were configured to 0.2 V dc then the live value would be one half the expected value. In this test, a –1.75 V dc offset is read as a 17.5 mil gap. Test Steps: 1. For channels configured for PosProx, apply a -1.75 V dc signal to input channels 9 – 12. 2. Document the value that the YVIB reads for each channel as seen in I/O Live Value in the Gap 4-8 and Gap 9-12 tabs. Nominal value is 17.5 mils. 3. Vary the displacement (gap) signal between -0.5 and -9.0 V dc. Gap readings should vary from 5 – 90 mils. Acceptance Criteria: All measured values must be within ±2.0 mils scaled 0.1 V dc. 6.10.4 Open Circuit Detection Test Overview: This test verifies the vibration input function open circuit detection for Proximity, Accelerometer and Velomitor sensor mode of operation. Test Setup: To preserve field wiring, remove the wired terminal block and replace it with a test block for the following set of tests. Replace the field wired terminal block when testing is complete. 226 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information IS200TVBAS1A/S2A Vibration Terminal Board Note Darkened box indicates proper jumper settings. Test Steps: Test Case 1: PosProx 1. For all inputs configured as position PosProx. 2. Apply a -5.0 V dc signal to the input. 3. Verify no diagnostic alarms for connected channels. 4. Open the input connection to all configured inputs. 5. Verify Out of Limits or Saturated and/or Open Circuit diagnostic alarm for all channels. Test Case 2: VibLMAccel 1. For all inputs configured as VibLMAccel. 2. Apply a -9.0 V dc signal. 3. Verify no diagnostic alarms for connected channels. 4. Open the input connections to the VibLMAccel configured channels. 5. Verify Out of Limits or Saturated and/or Open Circuit diagnostic alarms for the channels. Test Case 3: VibVelomitor 1. For all inputs configured as VibVelomitor. 2. Do not apply a test voltage to the inputs. 3. Open the input connection to the VibVelomitor channels. 4. Verify Out of Limits or Saturated and/or Open Circuit diagnostic alarm. Acceptance Criteria: The I/O pack is able to detect open circuit conditions and generates a diagnostic. Proof Tests GEH-6723W Functional Safety Manual 227 Public Information 6.10.5 Keyphasor Transducer Accuracy Test Overview: This test verifies the accuracy of the YVIB position Keyphasor transducer input. The vibration input module provides a channel for field wired Keyphasor transducer position input. Test Setup: To preserve field wiring, remove the wired terminal block and replace it with a test block for the following set of tests. Replace the field wired terminal block when testing is complete. IS200TVBAS1A/S2A Vibration Terminal Board Note Darkened box indicates proper jumper settings. The column highlighted in green in the following table contains the configuration values to use to perform the proof test for vibration input channel 13. Attention Keyphasor (KPH) Configuration for GAP13_KPH1 Parameter Choices Value for Proof Test Scale_Off ±13.3 V dc 0 KPH_Thrshld 1 to 5 V dc 2 KPH_Type Slot, Pedestal Slot TMR_DiffLimt -1200 to +1200 Disable, Enable 1200 ±13.3 V dc 1x, 2x, 4x, 8x 5 Disable, Enable Enable SysLim1Latch Latch, NotLatch NotLatch SysLim1Type <=, >= <= SysLimit1 -1200 to +1200 20 SysLim2Enabl Disable, Enable Enable SysLim2Latch Latch, NotLatch NotLatch SysLim2Type <=, >= >= SysLimit2 -1200 to +1200 60 GnBiasOvride Snsr_Offset Gain SysLim1Enabl Enable 1x Test Steps: 228 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 1. For YVIBS1A channel 13 or YVIBS1B channels 12 and 13 configured for Keyphasor transducer input, apply a 50 Hz pulse waveform with offset -5 V dc, 4 V dc pp, and a high side duty cycle > 55% to appropriate KeyPhasor channel(s). 2. If using YVIBS1A, document the value that the YVIBS1A reads for channel 13 from variable RPM_KPH1. Nominal value is 3000 rpm. 3. If using YVIBS1B, document the revolutions per minute YVIBS1B reads for channels 12 and 13 from the variables, RPM_KPH1 and RPM_KPH2. Nominal value is 3000 rpm. Note A square wave has a 50% duty cycle and will not function. Acceptance Criteria: All measured values must be within ±20.0 rpm. 6.10.6 Low Source Voltage Test Overview: The common source voltage for the analog input loop voltages for two wire transmitters shall be monitored to detect low loop voltage and provide fault tolerance for this function when more than one I/O processor is present. Test Setup: Prepare system for a fail-safe response from the I/O pack. Test Steps: 1. Disconnect the 28 V dc power supply connection from the I/O pack. For a TMR terminal board disconnect the power supply from two I/O packs. 2. Confirm that all the inputs go unhealthy. Acceptance Criteria: • • With the I/O pack’s power removed, all inputs are displayed as Unhealthy. Variables PS28V_YVIB and PS18V_YVIB are set to False and Unhealthy. Proof Tests GEH-6723W Functional Safety Manual 229 Public Information 6.11 YDAS Test Procedures The YDAS has both online and offline proof tests. 6.11.1 User-Initiated Diagnostic Test The YDAS has a user-initiated diagnostic test that can be performed on an individual channel during online operation. A single channel is taken offline, and input values are frozen and marked unhealthy during the diagnostic test. The test takes about 45 seconds. If the diagnostic test fails, a diagnostic alarm will be generated, and the channel will remain unhealthy. The user can re-initiate the diagnostic test on a channel with an active diagnostic alarm to attempt a recovery from a test failure. The diagnostic test ensures that the internal YDAS hardware and software is working for the selected input channel. A diagnostic test can also run on an input channel that is configured as InputType = Unused. The diagnostic test performs several hardware and firmware tests on the selected channel: • • • • • • DC Null and gain calibration D/A converter calibration A/D converter calibration Differential amplifier test (only for channels with a connected sensor) Bandpass filter test Frequency domain magnitude test For exact details on how to initiate this test, refer to Mark VIe and Mark VIeS Control Systems Volume III: System Guide for GE Industrial Applications (GEH-6721_Vol_III), the chapter PDAS, YDAS Data Acquisition System, the section Diagnostic Test. It is recommended that the higher-level control system be configured to test each active channel once every 732 hours (30.5 days). 6.11.2 Open Circuit Detection Test Overview: This offline test verifies the vibration input function open circuit detection for the PCB and CCSA sensor mode of operations. Test Steps: 1. To preserve field wiring, remove the wired terminal blocks from the TCDM terminal board. 2. Verify Open Circuit Failure (or PCB Charge Amp Output Shorted), Excessive DC Bias, Input Signal Exceeds HW Limit, and/or Sensor Limit Exceeded diagnostic alarms for all channels. 3. Put the wired terminal blocks back onto the TCDM terminal board. 4. Verify no diagnostic alarms for all connected channels. Acceptance Criteria: The YDAS is able to detect open circuit conditions and generates a diagnostic. 230 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information 6.11.3 Short Circuit Detection Test Overview: This offline test verifies the CDM input short circuit detection for only channels that are jumpered (on the TCDM terminal board) to use PCB inputs. This test will not work for CCSA inputs and should be skipped for any channel jumpered to use CCSA sensor mode. Test Procedure: 1. Use a shorting jumper to short out each connected input, one at a time. 2. As each channel is shorted, verify Open Circuit Failure (or PCB Charge Amp Output Shorted), Excessive DC Bias, Input Signal Exceeds HW Limit, and/or Sensor Limit Exceeded diagnostic alarms for that channel. 3. When the test is complete, verify no diagnostic alarms for all connected channels. Acceptance Criteria: The YDAS is able to detect short circuit conditions and generates a diagnostic. Proof Tests GEH-6723W Functional Safety Manual 231 Public Information Notes 232 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Appendix: Determine Frame Input Client Completion Time Use the following procedures to determine frame input completion time with Mark VIeS V06.00 (ControlST V07.02). Note Information about the timing of frame input times is available in the Controller Advanced Diagnostics. ➢ To view timing data 1. Unlock the controller by selecting Lock/Unlock from the ToolboxST Device menu and clicking Unlock. 2. From the View menu, select Diagnostics and Controller Advanced Diagnostics to display the Controller Advanced Diagnostics dialog box. 3. Collect the timing information by selecting Commands, Diagnostics, Sequencer, Client Data, and then press Send Command. Note Without resetting the timing data, the data will likely have overruns and invalid data as minimum and maximum times. ➢ To determine maximum completion time 1. From the Controller Advanced Diagnostics dialog box, reset the timing and overrun counters by selecting Commands, Diagnostics, Sequencer, and Client Data Reset, then press Send Command. 2. Wait for the controller to collect 100,000 samples. For example, if a 10 ms frame period is selected, wait for 100,000 / 100 samples per second / 60 seconds per minute = ~ 17 minutes. 3. View timing data. Refer to the procedure To view timing data. 4. Validate timing data. Refer to the procedure To interpret timing data. Appendix: Determine Frame Input Client Completion Time Public Information GEH-6723W Functional Safety Manual 233 ➢ To interpret timing data • The number of samples is the value in the Activation Count (ActCount) column (114206 shown in the following figure) and must be above 100,000 for a sufficiently large data set. The number of overruns (OvrCount) and re-overruns (ReOvrCount) must be 0. The maximum stop time of the three input clients, ptp WhoISDc, egd Sweeper, and the first App entry must be < 1.6 ms (1.600). These are highlighted in the following table as 1.489, 1.432 and 0.661, respectively. • • Examples of Timing Data Sequence Frame Clients († prefix indicates critical clients) Note Use the -t option for client timing information. Client ptp WhoIsDc † egd Sweeper Start-Stop FrameStates InputXfer -InputXfer InputXfer -InputXfer InputXfer † App -InputXfer † HP Blockware ptp Output App -App OutputXfer -OutputXfer OutputXfer † App -OutputXfer † App IONet OutputXfer -OutputXfer State ActCount OvrCount ReOvrCount Armed 114206 0 0 Armed 114206 0 0 Armed 114206 0 0 Armed 114206 0 0 Armed TWait 114206 0 0 Armed 114206 0 0 Armed TWait 114206 0 0 Sequence Frame Clients († prefix indicates critical clients) Note Start and End times are offsets from start of frame. Client Start Time (ms) Stop Time (ms) Delta Time(ms) Last Min Max Last Min Max Last Min Max ptp WhoIsDc 1.400 1.281 1.446 1.442 1.324 1.489 0.042 0.039 0.070 † egd Sweeper 0.644 0.587 0.673 1.386 1.265 1.432 0.742 0.657 0.786 † App 0.033 0.026 0.049 0.620 0.575 0.661 0.587 0.546 0.629 † HP Blockware 1.461 1.343 1.507 2.215 2.085 2.251 0.754 0.727 0.785 ptp Output 7.300 7.251 7.370 7.387 7.336 8.037 0.087 0.067 0.745 † App 2.235 2.103 2.272 2.316 2.176 2.354 0.081 0.071 0.102 † App IONet 7.010 6.984 7.038 7.279 7.239 7.348 0.270 0.246 0.315 The highlighted values (Stop time Max data column) are the values that must be below 1.6 ms (1.600); individually not cumulatively. 234 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Examples of Application Timing The following table lists a set of applications, configurations, and associated maximum input frame client completion time to use to determine if a given application will be compatible with the Mark VIeS Safety control. This is for informational purposes only and is not meant to replace the user from collecting timing data from their actual physical system. Controller UCSBS1A UCSCS2A # YSIL # Generic TMR Yxxx # YHRA # Voted Booleans Largest Max Stop Time (ms) None 8 TMR (2 YAIC, 3 YDOA, 2 YDIA, 1 YTUR) 6 Simplex 924 1.22 None 15 TMR (5 YAIC, 4 YDOA, 2 YDIA, 1 YTUR, 3 YVIB) None 977 0.86 1 TMR 15 TMR (4 YAIC, 3 YDOA, 5 YDIA, 3 YVIB) 4 Simplex 4000 1.49 1 TMR 23 TMR (3 YVIB, 6 YAIC, 7 YDOA, 7 YDIA) 6 Simplex 31968 (max) 1.11 Appendix: Determine Frame Input Client Completion Time Public Information GEH-6723W Functional Safety Manual 235 Notes 236 GEH-6723W GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Glossary of Terms The following terms are from IEC 61508 and IEC 61511. Some terms differ from the definitions in IEC 61508-4 and IEC 61511 to reflect differences in the process sector terminology. Application software Is specific to the user application. It contains logic sequences, permissives, limits, and expressions that control the appropriate input, output, calculations, and decisions necessary to meet the SIF requirements. Architecture The arrangement of hardware and/or software elements in a system. For example, the arrangement of subsystems; internal structure of a subsystem; arrangement of software programs. Basic Process Control System (BPCS) A system that responds to input signals from the process, its associated equipment, other programmable systems, and/or an operator and generates output signals causing the process and its associated equipment to operate in the desired manner. The system does not perform any SIF with a claimed ≥ SIL 1. Channel An element or group of elements that independently perform(s) a function. The elements within a channel could include I/O modules, logic systems sensors, and final elements. The term can describe a complete system or a portion of a system (for example, sensors, or final elements). A dual channel configuration is one with two channels that independently perform the same function. Diagnostic Coverage (DC) Ratio of the detected failure rate to the total failure rate of component or subsystem detected by diagnostic tests. DC does not include any faults detected by proof tests. • • • DC is used to compute the detected (λ detected) and undetected failure rates (λ undetected) from the total failure rate (λ total failure rate) as follows: λ detected = DC× λ total failure rate and λ undected = (1-DC) × λ total failure rate. DC is applied to components or subsystems of a SIS. For example, dc is typically determined for a sensor, final element, or logic solver. For safety applications, dc is typically applied to the safe and dangerous failures of a component or subsystem. For example, the dc for the dangerous failures of a component or subsystem is DC= λDD/λDT, where λDD is the dangerous detected failure rate and λDT is the total dangerous failure rate. Electrical/Electronic/Programmable (E/E/PE) Based on electrical (E) and/or electronic (E) and/or programmable electronic (PE) technology. E/E/PE is intended to cover any and all devices or systems operating on electrical principles, including electro-mechanical devices (electrical), solid-state non-programmable electronic devices (electronic), and electronic devices based on computer technology (programmable electronic). External risk reduction facilities Measures to reduce or mitigate risks that are separate and distinct from the Mark VIeS control. Examples include a drain system, firewall, bund (dike). Fault tolerance errors. Final element The ability of a functional unit to continue to perform a required function in the presence of faults or Part of a system that implements the physical action necessary to achieve a safe state. Frame rate The basic scheduling period of the controller encompassing one complete input compute-output cycle for the controller. It is the system-dependent scan rate. GEH-6723W Glossary of Terms Public Information 237 Functional safety Part of the overall safety relating to the process and the BPCS that depends on the correct functioning of the system and other protection layers. Logic solver That portion of either a BPCS or safety control that performs one or more logic function(s). Examples include electrical systems, electronic systems, programmable electronic systems, pneumatic systems, and hydraulic systems. Sensors and final elements are not part of the logic solver. In IEC 61511 the following terms for logic systems are used: • • • electrical logic systems for electro-mechanical technology electronic logic systems for electronic technology PE logic system for programmable electronic systems Mode of operation The way in which a SIF operates. Demand mode is where a specified action (such as the closing of a valve) is taken in response to process conditions or other demands. In the event of a dangerous failure of the SIF, a potential hazard only occurs in the event of a failure in the process or the BPCS. Continuous mode is where in the event of a dangerous failure of the safety-instrumented function a potential hazard will occur without further failure unless action is taken to prevent it. Continuous mode covers those SIFs that implement continuous control to maintain functional safety. In demand mode applications where the demand rate is more frequent than once per year, the hazard rate will not be higher than the dangerous failure rate of the SIF. In such a case, it will normally be appropriate to use the continuous mode criteria. Process risk A risk arising from the process conditions caused by abnormal events, including BPCS malfunction. The risk in this context is that associated with the specific hazardous event in which the safety control is be used to provide the necessary risk reduction (that is, the risk associated with functional safety). Process risk analysis is described in IEC 61511-3. The main purpose of determining the process risk is to establish a reference point for the risk without taking into account the protection layers. Assessment of this risk should include associated human factor issues. Note This term equates to EUC risk in IEC 61508-4. Proof test A test performed to reveal undetected faults in a safety control so that, if necessary, the system can be restored to its designed functionality. Protection layer Risk Any independent mechanism that reduces risk by control, prevention, or mitigation. Combination of the frequency of occurrence of harm and the severity of that harm. Safe state Process state when safety is achieved. In going from a potentially hazardous condition to the final safe state, the process may cross several intermediate safe-states. For some situations, a safe state exists only as long as the process is continuously controlled. Such control may be for a short or indefinite period of time. Safety function A function to be implemented by a safety controller, other technology safety-related system, or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event. 238 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Safety-instrumented Function (SIF) A safety function with a specified SIL that is necessary to achieve functional safety. This function can be either a safety-instrumented protection function or a safety-instrumented control function. Safety-instrumented System (SIS) An instrumented system used to implement one or more SIFs. A SIS is composed of any combination of sensors, logic solvers, and final elements. This can include either safety-instrumented control functions or safety-instrumented protection functions or both. A SIS may or may not include software. When human action is part of a SIS, the availability and reliability of operator action must be specified in the Safety Requirements Specification (SIS) and included in SIS performance calculations. Refer to IEC 61511-2 on how to include operator availability and reliability in SIL calculations. Safety integrity The average probability of a system satisfactorily performing the required SIF under all the stated conditions within a stated period of time. The higher the SIL, the higher the probability that the required SIF will be carried out. There are four levels of safety integrity for SIFs. In determining safety integrity, all causes of failures (random hardware and systematic failures) that lead to an unsafe state should be included, such as hardware failures, software induced failures, and failures due to electrical interference. Some failures, particularly random hardware failures, may be quantified using such measures as the failure rate in the dangerous mode of failure or the probability of a SIF failing to operate on demand. However, the safety integrity of an SIF also depends on many factors, which cannot be accurately quantified but can only be considered qualitatively. Safety integrity includes hardware and systematic integrity. Safety Integrity Level (SIL) A discrete level (one out of four) for specifying the safety integrity requirements of the SIFs to be allocated to the safety control. SIL 4 has the highest level of safety integrity while SIL 1 has the lowest. It is possible to use several lower SIL systems to satisfy the need for a higher level function (for example, using a SIL 2 and a SIL 1 system together to satisfy the need for a SIL 3 function). Target failure measure The intended probability of dangerous mode failures to be achieved in respect to the safety integrity requirements, specified in terms of either the average probability of failure to perform the design function on demand (for demand mode) or the frequency of a dangerous failure to perform the SIF per hour (for continuous mode). Validation Activity of demonstrating that the SIF(s) and safety control(s) under consideration after installation meet the SRS in all respects. GEH-6723W Glossary of Terms Public Information 239 Notes 240 GEH-6723 Mark VIeS Control Functional Safety Manual Public Information Public Information

GEH-6723 - Mark6es functional safety 2021

Related documents

Products

Support

GEH-6723 - Mark6es functional safety 2021

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib