The control system is the brain of the gas turbine. Its main job is to protect the machine. A turbine trip is a protective action. It is not a failure of the control system. Understanding why a turbine trips is very important for safe operation. It also helps to fix problems quickly.
The Core Philosophy of Mark V Protection
This section explains the basic safety ideas of the control system. It shows how the system is designed to be very reliable. It also helps operators trust that a protective shutdown is a real and necessary event.
Triple-Modular Redundancy (TMR) Explained
The control system uses a design called Triple-Modular Redundancy, or TMR. This design is the key to its reliability. The system has three separate control computers. These computers are commonly called Channel A, Channel B, and Channel C. In GE documentation, they are also often referred to as <R>, <S>, and <T>. Each computer runs the same control program. They each receive information from the turbine's sensors. Then, they perform all the control calculations independently.
Besides the three main computers, there is a separate protection module. It is often called the Independent Protection Module (IPM), or sometimes the Emergency Shutdown Module (ESD) in turbine applications. The protection module takes care of the most critical safety functions. These include overspeed detection and flame monitoring. The IPM is fully independent of the main processors and connects directly into the trip oil system, providing a final, hardware-based layer of safety.
How Voting Logic Prevents Nuisance Trips
The system uses both software voting and hardware voting to decide what action to take. For very important measurements, it applies a two-out-of-three voting rule. This voting method is a real-world application of the TMR concept. It works like a filter to block bad information from a single sensor.
Here is an example of how it works: An important pressure might be measured by three separate sensors. All three control computers (<R>, <S>, and <T>) read the signals from all three sensors. Then, the computers communicate with each other and share the numbers they have read. Each computer then looks at the three pressure values on its own. It sorts them and selects the median (middle) value, not the average, to avoid one faulty extreme value affecting the calculation. That middle value is then used for all control and safety logic.
This method is called Software-Implemented Fault Tolerance, or SIFT. On the output side, the same voting logic applies to actuator commands. For example, two-out-of-three output drivers must agree before a fuel valve is moved. This dual input/output voting approach prevents a single bad sensor or a single bad driver from causing a nuisance trip.
The Difference Between a Trip and a Shutdown
People often say "trip" and "shutdown," but they mean very different things for a turbine. Operators must understand the difference.
A shutdown is a planned and controlled process. An operator starts a shutdown. The control system then follows a set of programmed steps. It slowly lowers the turbine's power output. Then it opens a switch to disconnect the generator from the power grid. Finally, it slowly reduces the fuel until the turbine stops spinning. A shutdown is a normal part of how the plant works.
A trip is different. It is a fast, protective action. An operator does not start a trip. Instead, the control system's safety logic starts a trip on its own. It happens when the system finds a dangerous condition. The system reacts by immediately stopping all fuel to the turbine. This action protects the expensive machine from serious damage.
A special set of steps happens with the generator switch after a trip. The switch does not open at the same time the fuel is cut off. Instead, the system waits to find a small amount of reverse power. Reverse power means the generator is acting like a motor. It is pulling power from the grid. This shows that the turbine is not making power anymore. Opening the switch at that moment lets the grid act like a brake. It helps to safely slow the turbine. It also gets rid of the huge amount of spinning energy left in the machine. This is a planned safety feature. It is designed to help stop the turbine from spinning too fast.
In addition to automatic trips and operator-initiated shutdowns, the system also supports operator-initiated trips through emergency stop (E-stop) pushbuttons. These buttons bypass normal control logic and directly dump the trip oil pressure. They are a last-resort safety action available to plant personnel.
Common Causes of Turbine Trips
Many different conditions can cause a protective trip. These events are not by chance. Each trip has a specific cause. The cause is related to the turbine's mechanical, electrical, or control health. Understanding these causes is the first step to finding the problem.
Overspeed Protection Trips
Stopping a turbine from spinning too fast is one of the most important safety jobs. A very bad failure could happen from an overspeed event. For that reason, the control system has several separate layers of overspeed protection.
The main layer is the electronic overspeed protection system. The Mark V has two separate electronic trip circuits. These circuits watch the turbine speed. They use several magnetic pickups on the turbine shaft. If the speed goes above a set limit, usually 110% of the normal speed, the electronic circuits will start a trip. The trip happens when the logic cuts power to the main hydraulic trip circuit. This immediately cuts fuel to the turbine.
As a final, completely separate backup, the turbine has a mechanical overspeed device. This device is often called the overspeed bolt. It is in the accessory gear housing. The bolt is a carefully weighted part held in place by a spring. If the turbine speed reaches about 112% of its normal speed, the spinning force will be stronger than the spring. The bolt will move out and hit a lever. That lever releases a hydraulic valve. This dumps the trip oil pressure and shuts off the fuel. A trip from the mechanical overspeed bolt needs a person to go to the accessory gear. They must manually reset the device before the turbine can be restarted. This layered protection, with backup electronic systems and a final mechanical safety, provides very high reliability for overspeed protection.
High Vibration Trips
Vibration levels are a direct sign of the mechanical health of a spinning machine. The control system always watches vibration with sensors on the turbine and generator bearings. If the vibration level goes above a high limit, the system will start a trip. This is to prevent serious mechanical damage. The trip limit is usually around 1.0 inch per second. A high vibration trip is almost always a sign of a serious mechanical problem.
Several common mechanical issues can cause high vibration. One of the most common causes at startup is a rotor bow. If a turbine is shut down and cools without being slowly turned, the hot rotor can bend a little under its own weight. This creates a temporary bow. When the turbine is started again, that bow will cause a large imbalance. This leads to very high vibration as the speed goes up.
Another serious cause is blade damage. If a compressor or turbine blade breaks off during operation, it will create a sudden and bad rotor imbalance. This condition will cause a very fast increase in vibration and then a trip. A third common cause is alignment issues. After maintenance work, bad alignment between the turbine, the gearbox, and the generator can lead to ongoing high vibration problems.
While the main cause is usually mechanical, sensor system problems can also happen. A loose vibration sensor, a broken cable, or wrong settings programmed into the control system could possibly lead to a false trip. To protect against this, the trip logic often needs two or more vibration sensors to show a high reading before a trip is started. The timing of the vibration trip gives a big clue for finding the problem. Vibration that is high during startup often points to a rotor bow. Vibration that shows up suddenly at full power points to possible blade damage.
Loss of Flame Trips
The control system must check that the fuel going into the combustors is really burning. It does this using flame detectors, also called flame scanners. These devices are usually made to see the ultraviolet (UV) light that a flame gives off. If the system sees that the flame has gone out, it will immediately trip the turbine. This action is very important. It stops large amounts of unburned fuel from building up in the hot exhaust system. That could lead to a dangerous explosion.
To stop a trip from a single bad or dirty scanner, the system uses voting logic. A turbine may have four or more flame scanners. The control logic is often set up to need a certain number of scanners to see a flame. For example, during speed-up, the logic might be set to "3 of 4." This means at least three of the four scanners must see a flame. A common trip logic is that if more than two scanners report a loss of flame at the same time, the unit will trip.
False trips for loss of flame can happen for several reasons. The most common is a dirty scanner lens. Carbon and other dirt can build up on the lens and block its view of the flame. Many older scanner models are also cooled with water. A failure of the cooling water system can cause the scanner's electronics to get too hot and fail. In wet weather, water can form on a cold scanner lens during startup. This also blocks its view.
It is important to know that a "Loss of Flame" trip does not always point to a problem with the flame scanners or the burning process. It can be a result of another failure. For example, a problem in the hydraulic trip oil system could cause the main fuel stop valve to shut quickly. When the fuel is cut off, the flame will go out. The flame scanners will then correctly report a loss of flame. That will be the official reason for the trip in the alarm log. So, the process of finding the problem must look past the flame scanners to find the original cause.
High Exhaust Temperature Trips
The parts in the hot gas path of the turbine, like the turbine blades and nozzles, are made to work within very specific temperature limits. Going over these limits, even for a short time, can shorten their life or cause damage right away. The control system protects these parts with a strong temperature-watching system. It uses a set of thermocouples in the turbine exhaust to measure the temperature at different spots.
The system figures out an average exhaust temperature, often called Txa. It also watches the "spread," which is the difference between the highest and lowest thermocouple readings. The control system has a programmed maximum allowed temperature limit, often called TTRX. If the average exhaust temperature (Txa) goes over the maximum limit (TTRX) by a certain amount, for example by 40°F, the system will trip the turbine.
High exhaust temperature trips happen most often during the startup and speed-up parts of operation. At low speeds, the turbine's air compressor is not very efficient. It moves less air than it does at full speed. If the control system puts in too much fuel during this time, there may not be enough airflow to keep the burning temperatures within limits. Another factor can be a weak starting device. If the starting motor is not giving enough power to help speed up the turbine, the control system will try to make up for it. It will automatically increase the fuel flow to reach its target speed-up rate. That extra fuel can easily lead to a high-temperature condition and a trip. These trips are often a sign of a problem between fuel flow, airflow, and the mechanical work being done by the turbine.
Lube Oil and Hydraulic System Trips
The lubrication oil system is like the blood of the turbine. It gives a constant flow of cool, clean oil to all the high-speed bearings of the turbine and generator. A loss of lubrication, even for a few seconds, can cause very bad damage. The control system protects against this by watching the pressure. Pressure switches are put in the main lube oil pipe. If the pressure drops below a key limit, these switches will signal an immediate trip.
Closely related to the lube oil system is the hydraulic trip system. This circuit is a basic, failsafe safety layer. It uses pressurized oil to hold the main fuel stop valves open against the force of strong springs. This pressurized oil is called "trip oil." As long as the trip oil pressure is there, the fuel valves can work. If the trip oil pressure is lost, the springs will immediately shut the fuel valves. This cuts off all fuel and trips the turbine.
Many different protective devices are connected to this circuit. The mechanical overspeed bolt, manual emergency stop buttons, and various trip solenoids controlled by the electronic protection system all work the same way. When they are activated, they open a valve that "dumps" the trip oil pressure. Because of this, a very common trip alarm is "GAS FUEL HYDRAULIC TRIP PRESSURE LOW". This alarm shows that the trip circuit has been activated. The cause could be a real protective action, or it could be a problem within the trip circuit itself. Common problems include failing pressure switches, a bad trip solenoid (a common one is called 20FG-1), loose electrical wiring to these parts, or even air trapped in the hydraulic tubes. The trip oil system is the final path for most protective actions. It is a simple, strong, and failsafe hydraulic logic gate. Understanding this circuit is key to fixing a wide variety of trips.
Fuel System and Control Valve Trips
The control system manages the turbine's speed and power by carefully controlling the amount of fuel going to the combustors. The final control parts in the fuel system are the gas control valve (GCV) and the stop/ratio valve (SRV). The position of these valves is controlled by electro-hydraulic servo valves, often called Moog valves. The control system sends a small electrical current to the servo valve. The servo valve then uses high-pressure hydraulic oil to move the large fuel valve to the right position.
These servo valves are very exact, but they are also very sensitive to dirt in the hydraulic oil. Over time, high temperatures can cause the oil to break down and form dirt called varnish or "coke". This dirt can clog the small inside paths and filters inside the servo valve. A clogged or sticking servo valve cannot react quickly or correctly to the commands from the control system. This can lead to unstable turbine operation, power swings, or a trip.
Other trips can be related to the fuel supply itself. For example, if the pressure of the incoming fuel gas drops too low, pressure switches in the fuel line will see the condition and start a trip to prevent a flameout. The smart digital logic of the control system depends on the mechanical and hydraulic health of these final control parts. Keeping hydraulic and lubricating oil clean is not a small maintenance job; it is very important for the reliability of the whole turbine control system.
Generator-Related Protection Trips
The Mark V system is the main protection for the gas turbine itself. The generator and the related high-voltage electrical equipment are protected by a separate, special system of protective relays. These relays are special devices that always watch the electrical conditions of the generator.
This outside protection system looks for dangerous electrical problems. Common protective jobs include differential protection, which finds internal short circuits; reverse power protection, which finds when the generator starts acting like a motor; loss of excitation protection; and over or under frequency protection.
When one of these outside relays finds a serious problem, it does not trip the turbine directly. Instead, it works a master lockout relay. This relay is usually known by the number 86G. The 86G relay then sends a single, simple contact signal to the Mark V control system. When the Mark V gets the 86G signal, its logic knows that a serious electrical problem has happened. It then starts a turbine trip to protect the equipment. The alarm that shows up on the HMI will usually say "GENERATOR DIFFERENTIAL TRIP" or another message that points to an electrical problem.
The Mark V does not do its own check of generator electrical problems. It just acts on the command it gets from the special generator protection system. So, fixing a generator-related trip needs a different method. The check must start with the outside protection relays, not with the turbine control system. It often needs the plant's instrument and controls team and the electrical maintenance team to work together.
Loss of Control Power Trips
The Mark V system depends on a stable DC power supply for its logic and solenoids. If one of the redundant DC power feeds is lost, the system will raise an alarm. If all redundant supplies are lost, or if a power distribution failure occurs, the system will immediately trip the turbine. This prevents the unit from running uncontrolled without protection logic available.
Seal Oil and Cooling System Trips
On units with hydrogen-cooled generators or critical bearing seals, seal oil pressure is continuously monitored. A loss of seal oil pressure can allow hydrogen to leak or air to enter the casing. For that reason, the Mark V is programmed to trip if seal oil pressure falls below a set value. Similarly, failure of essential cooling systems—such as generator hydrogen cooling or turbine inlet cooling fans—can generate protective trips.Compressor Stall/Surge Trips
Compressor surge is a dangerous condition that can cause severe damage to compressor blades. Some Mark V systems are equipped with surge detection logic. If a sudden drop in compressor pressure ratio or a reversal in airflow is detected, the control system will initiate an immediate trip to protect the hardware.
The Diagnostic Process: A Step-by-Step Approach
A good diagnosis needs a step-by-step process. Rushing can lose important information. The following steps give a clear order for what to do right after a turbine trip happens.
The First Critical Step: Do Not Master Reset
The most important thing to do right after a turbine trip is to not touch the controls. Specifically, an operator must fight the strong feeling to press the "Master Reset" button.
When a protective trip happens, the condition that caused it is "latched" in the control system's logic. Latching means the alarm will stay active on the screen, even if the physical condition that caused it is gone. For example, if the turbine trips on overspeed, the speed will quickly go back to zero, but the "Overspeed Trip" alarm will stay latched and active. This is a planned design feature meant to help with finding the problem.
The Master Reset command is what unlatches these alarms. If an operator presses Master Reset too soon, it can clear the very first alarm that caused the trip. That first alarm, often called the "first-out," is the most important piece of information needed to find the root cause. Once it is cleared, it can become very hard, or even impossible, to know what first happened. The operator's first job is to be a detective and collect information. The Master Reset should only be used after that information has been collected and understood.
Using the HMI for Initial Investigation
The Human-Machine Interface, or HMI, is the main tool for checking after a trip. It is the window into the control system's brain. The HMI gives several key screens that have the information needed to solve the trip.
The first place to look is the Alarm Display. Right after the trip, an operator should go to the alarm screen. All active alarms should be carefully written down. The system often uses colors, like red for an active, new alarm, to show important information. The operator should look closely at the first alarm on the list, as it is often the root cause. If possible, it is a very good practice to take clear pictures of the alarm screen or to use the system's print function to get a paper copy.
The next important screen is the Trip History Log. At the moment a trip happens, the control system automatically saves a special data file in its memory. This file, called the Trip Log or Trip History, has a picture of key operating numbers and a list of alarms from the moments just before, during, and after the trip. Looking at the Trip History Log is very important because it shows the order of events. It can show, for example, that a pressure was slowly dropping for several seconds before the trip finally happened. That kind of information is very helpful for finding the problem.
Understanding the Sequence of Events (SOE) Record
For very fast or complex trips, the normal alarm list may not be enough to find the real root cause. In these cases, the Sequence of Events, or SOE, record is the most powerful tool. The SOE system gives a very detailed, time-stamped log of every change for the system's on/off inputs.
The key feature of the SOE is its detail. It can record and time-stamp events with an accuracy of one millisecond (1/1000th of a second). The alarm list might show three different trip alarms all happening in the same second. The SOE record, however, can show the exact order in which they happened. It can show that a low-pressure switch opened 50 milliseconds before a low-level switch opened, for example. That level of detail is often the only way to find the true "first-out" event in a fast chain of events that leads to a trip. The alarm list tells you what happened. The SOE record tells you the exact order in which things happened.
Distinguishing Between Alarms and Events
When looking at the HMI's main alarm screen, it is important to know that not every message shown is a true alarm. The screen is a combined log that also shows normal "events" and "SOE" messages. Knowing how to read the screen and ignore the normal operational "noise" is a key skill for finding problems.
An Alarm shows an unusual condition. It can be a Process Alarm, which is about the turbine's operation (like high temperature). Or it can be a Diagnostic Alarm, which is about the health of the control system hardware itself. Alarms are conditions that an operator needs to know about and may need to act on.
An Event or SOE message, on the other hand, is just a record of a normal change. For example, a pump starting, a valve opening, or a switch closing are all events. These are logged for history but do not show a problem. During a trip, many events will happen as equipment is turned off. A new operator might be confused by a lot of these messages. A skilled operator knows to look at the message type column on the screen to focus on the real alarms that led to the trip.
From Diagnosis to Restart
After finding and fixing the problem, the unit can be put back in service. A safe restart needs a specific set of actions in the control system to check that the machine is ready.
The Function of the Master Reset Command
The Master Reset command should only be used after the root cause of the trip has been found and the problem has been physically fixed. The Master Reset is not a tool for finding problems; it is the final step of the diagnosis and repair part.
Its job is to clear the latched trip logic inside the control system. Using a Master Reset is the operator's way of officially telling the control system, "I have checked the problem, the condition has been fixed, and it is now safe to get ready for another start."
After a good Master Reset, the control system will be able to check the turbine's status again. If all other pre-start conditions are met, a "Ready to Start" message should show up on the HMI. That message shows that the trip logic has been cleared and the system is ready to take a start command.
Verifying Pre-Start Permissives
Before the control system will let a start happen, it runs through an automatic checklist of conditions. These conditions are called "Start-Checks" or "permissives". The permissive list is a final safety check. It stops a start from happening under unsafe conditions that could cause damage or another trip right away.
Every permissive on the list must be in its correct state, or "true," for a start to be allowed. If even one permissive is not met, the system will not allow a start. It will instead show a "Not Ready to Start" message on the HMI. For every "Not Ready to Start" condition, there is a matching Process Alarm that tells the operator exactly which permissive is not met.
Examples of important start permissives include: the main lube oil pump must be running and giving normal pressure, the flame detectors must not see any flame, the main fuel stop valves must be checked to be in the closed position, the turbine shaft must be at or near zero speed, and the master protective logic circuit must be reset. An operator must clear any "Not Ready to Start" alarms before moving on.
A Post-Trip Restart Checklist
A formal checklist helps to make a safe restart process standard. It stops important steps from being missed, especially when there may be pressure to get the unit back online quickly. The following checklist gives a logical and safe process.
- Confirm Root Cause: The exact cause of the first trip has been found, and the physical or logical problem has been fixed.
- Inspect the Unit: A physical walk-around of the turbine, its accessory area, and related equipment is done. The operator has checked for leaks, damage, or any unusual conditions.
- Clear Alarms: On the HMI, all active alarms related to the trip have been acknowledged by an operator.
- Perform Master Reset: The Master Reset command has been used from the HMI. This action unlatches the trip condition in the control logic.
- Verify "Ready to Start": The operator has checked that the HMI shows a "Ready to Start" status. If it does not, the operator must fix the specific "Not Ready to Start" alarm that is there.
- Check Critical Levels and Pressures: The operator has visually checked correct levels in the lube oil and hydraulic oil tanks. The operator has also confirmed that the needed fuel supply is available.
- Initiate Start Sequence: With all permissives met, the operator can now go ahead with a normal, automatic start sequence. The operator should closely watch all key numbers on the HMI.
Turbine Trip Management for Reliability
A turbine trip is a complex event, but it is not by chance. The control system gives all the needed data to find the root cause. A step-by-step method is key. Always get data from the HMI before resetting the system. A calm, logical check will lead to a correct diagnosis, a safe restart, and better overall plant reliability.
