A good redundant control system has a solution for handling faults all the way to the control valves and trip solenoids. Any
compromise in fault tolerance prior to the final output device seriously degrades the MTBFO of the entire system. Therefore,
outputs are voted in hardware and preferably as close as possible to the final output device that is being controlled.

An example of extending the voting to the field component is driving three-coil servo valve actuators. The flux from the three
coils moves the valve, and LVDTs provide position feedback to the valve regulators that are located in each I/O pack. In
normal operation, each current driver is slightly off null, and in the event of a fault, the remaining two current drivers
compensate for the loss. This is hardware voting of the current outputs at the control valves.

Standard GE triple redundant control systems are highly fault tolerant but not devoid of single point failures. For example,
I/O packs are mounted on I/O modules that contain passive components and have a correspondingly high MTBF. Some
applications, such as nuclear, require no single point failures. Requirements for no single point failures must be evaluated
on a case-by-case basis to determine the best way to approach this from the system level. The preceding figure displays a
variation of outputs to three-coil servos where each coil is driven from a separate I/O module. This eliminates single point
failures from this circuit and demonstrates the flexibility of the controls to meet this objective. However, it also
demonstrates the additional size and cost that may be required to eliminate single point failures when field devices are
considered, as they should be.

Similarly, a triple redundant control system uses the contacts from three relays to vote each output to each hydraulic trip
solenoid. In some high-availability applications such as nuclear, the voting is extended to dual TMR hydraulic trip manifolds
that support on-line repair.

DN1600N Hydraulic Trip Assembly
- (2) sets of 2-out-of-3 hydraulic trip circuits A & B
- Parallel operation with both normally operating
- Enables isolation and maintenance of 1 during normal operation
- Remote control on-line test capability: 1 of 3 elements of A & B
- A & B joined with shut-off continuous flow transfer valve assembly
- Fully instrumented with trip and reset position transducers
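
The 2-out-of-3 voting and the dual-manifold arrangement described above can be checked by exhaustive fault enumeration. The following Python sketch is an added example, not GE code; it assumes each element fails either stuck-run or stuck-trip and that a trip vote from either in-service manifold trips the unit, and all function names are hypothetical.

```python
from itertools import product

HEALTHY, STUCK_RUN, STUCK_TRIP = "healthy", "stuck_run", "stuck_trip"

def element_calls_trip(cmd_trip, fault):
    """One trip element (relay contact set or solenoid); True = calls for a trip."""
    if fault == STUCK_TRIP:
        return True
    if fault == STUCK_RUN:
        return False
    return cmd_trip

def vote_2oo3(cmd_trip, faults):
    """2-out-of-3 vote of one manifold given the fault state of its 3 elements."""
    return sum(element_calls_trip(cmd_trip, f) for f in faults) >= 2

def assembly_trips(cmd_trip, faults_a, faults_b, isolated=None):
    """Manifolds A and B in parallel.
    Assumption: a trip vote from either in-service manifold trips the unit."""
    in_service = []
    if isolated != "A":
        in_service.append(vote_2oo3(cmd_trip, faults_a))
    if isolated != "B":
        in_service.append(vote_2oo3(cmd_trip, faults_b))
    return any(in_service)

def defeating_fault_sets(max_faults, isolated=None):
    """List (faults, cmd_trip) pairs, with 1..max_faults faulted elements,
    where the assembly output disagrees with the commanded state."""
    defeats = []
    for faults in product((HEALTHY, STUCK_RUN, STUCK_TRIP), repeat=6):
        n_faults = sum(f != HEALTHY for f in faults)
        if not 1 <= n_faults <= max_faults:
            continue
        for cmd_trip in (False, True):
            out = assembly_trips(cmd_trip, faults[:3], faults[3:], isolated)
            if out != cmd_trip:
                defeats.append((faults, cmd_trip))
    return defeats

if __name__ == "__main__":
    print("single faults, both in service:", len(defeating_fault_sets(1)))
    print("single faults, A isolated:", len(defeating_fault_sets(1, "A")))
    double = defeating_fault_sets(2)
    print("double faults: missed trips =", sum(c for _, c in double),
          "spurious trips =", sum(not c for _, c in double))
```

Under these assumptions no single element fault changes the output, two faults with both manifolds in service can only produce a spurious trip, and with one manifold isolated two stuck-run faults in the other can block a trip.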
Mark VIe Controls System Redundancy Options