2.2.3.1 General safety concept
A single failure of any component which is relevant for wind turbine safety, e.g. a sensor or braking system, shall not lead to loss of the safety function. The simultaneous failure of two independent components is classed as an unlikely event, and it is therefore not necessary to consider this. Where components depend on one another, their simultaneous failure shall be classed as a single failure.
Note 1:
By independence is meant that “faults with a common cause” shall rigorously be avoided in the system-engineering design stage. Accordingly, the failure of a single component shall not result in the failure of more than one braking system and thus the loss of the entire safety function.
Note 2:
The procedure given in Section 2.1.4 states how an appropriate level of independency and measures against common-cause failure effects can be achieved.
2.2.3.2 Control system
The control system shall be so designed that it keeps the wind turbine within the normal operating limits under all the external conditions specified in Section 4.2, or returns it to operation within these limits. Malfunctions (such as over-power, overspeed and over-heating) shall be detected by the control system and followed by appropriate measures. The control system shall obtain its information from the sensors provided for the wind turbine and shall be able to actuate at least two braking systems. Upon activation of the braking systems by the safety system, the control system shall subordinate itself.
2.2.3.3 Safety system
(1) The safety system shall be operational or in activated mode (triggered) in all modes of the wind turbine, e.g. power production, parked, grid loss or maintenance.
(2) Any function of the safety system shall have a higher priority than the function of the control system.
(3) The safety system shall have access to at least two mutually independent braking systems, independently of any function of the control system.
(4) In addition, the safety system shall have access to equipment for grid disconnection of the generator, independently of any function of the control system.
Note:
The separation from the grid need not be carried out at the instant of activation of the safety system. Excessive speeding-up of the wind turbine or operation of the generator as a motor shall be avoided in any case.
(5) The limiting values triggering the safety system shall be defined so that the limit values of the design basis are not exceeded and the wind turbine is not endangered, but also so that the control system is not disturbed unnecessarily by the safety system.
(6) Once triggered by the limiting values, the safety system shall carry out its task without delay, keep the wind turbine in a safe condition and in general initiate deceleration of the rotor with the aid of at least two braking systems.
(7) Once triggered by the limiting values, a clearance of the safety system according to Section 2.2.2.5 is required in any case. If the safety system was triggered before grid loss, then clearance shall not be activated automatically after the return of the grid.
(8) If devices with a programmable controller are used within the safety system, the documentation for the software shall be submitted. The logic of these devices will be assessed by software documentation review and by additional functional testing during the witnessing of commissioning as per Section 10.8.
Note:
Requirements for safety-related software can be found in ISO 13849-1:2006-11, Section 4.6.
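The priority and latching rules of Sections 2.2.3.2 and 2.2.3.3 (safety system overrides the control system, a trip stays latched, grid return never clears it, clearance is a deliberate act) can be written down as a small state model. The following Python is an added illustration, not the Guideline's own logic; the limit values, signal names, the braking/grid-disconnect action and the assumed form of the 2.2.2.5 clearance are constructed.

```python
# Added example (not from the Guideline): priority and latching of the safety
# system over the control system, GL 2010 Sections 2.2.3.2 and 2.2.3.3.
# Limits, signal names and the safety action below are constructed.

# Constructed trip limits in relative units (2.2.3.3 para 5).
SAFETY_LIMITS = {"rotor_speed": 1.10, "gen_temp": 1.00}

# Constructed action once tripped: two braking systems plus grid disconnection
# of the generator (2.2.3.3 paras 3, 4 and 6).
SAFETY_ACTION = {"brake_1": True, "brake_2": True, "grid_disconnect": True}


class SafetySystem:
    def __init__(self, limits=SAFETY_LIMITS):
        self.limits = limits
        self.triggered = False      # latched trip state (para 7)
        self.grid_available = True

    def evaluate(self, measurements):
        """Trip if any measurement exceeds its limit; stay latched once tripped."""
        if any(measurements.get(k, 0.0) > v for k, v in self.limits.items()):
            self.triggered = True
        return self.triggered

    def grid_loss(self):
        self.grid_available = False

    def grid_return(self):
        """Return of the grid must not clear a trip raised before grid loss."""
        self.grid_available = True
        return self.triggered

    def clear(self, measurements, operator_acknowledged):
        """Clearance per Section 2.2.2.5, assumed here to require a deliberate
        acknowledgement while all values are back within their limits."""
        within = all(measurements.get(k, 0.0) <= v
                     for k, v in self.limits.items())
        if operator_acknowledged and within:
            self.triggered = False
        return self.triggered


def arbitrate(control_command, safety):
    """Para 2: the safety system has priority. While tripped, its action is
    output and the control system's command is subordinated (2.2.3.2)."""
    if safety.triggered:
        return dict(SAFETY_ACTION)
    return control_command
```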
IV – Part 1 2.2 Control and Safety System Chapter 2
GL 2010 Page 2-7
2.2.3.4 Braking systems
2.2.3.4.1 Braking system requirements
(1) There shall be at least two mutually independent braking systems by means of which the rotor can be decelerated or brought to a standstill at any time.
(2) In the case of load shedding (e.g. grid loss) and simultaneous failure of one of the braking systems, the remaining braking system(s) must be able to keep the rotor below the maximum overspeed nmax (Section 2.2.2.6, para 6) (see also Section 4.3.3.2).
(3) It shall be possible to bring the rotor to a standstill (see Section 2.3.2.15 and Sections 4.3.3.5 and 4.3.3.8).
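The single-failure and common-cause rule of Section 2.2.3.1 (Note 1: one component failure may not take out more than one braking system; dependent components fail together as one failure) and the two-independent-braking-systems requirement of Section 2.2.3.4.1 can be checked mechanically against a design's component dependency list. The following Python is an added example, not part of the Guideline; all component and braking-system names are constructed.

```python
# Added example (not from the Guideline): single-failure check of braking-system
# independence per GL 2010 Sections 2.2.3.1 (Note 1) and 2.2.3.4.1.
# All component and braking-system names below are constructed.

# Components each braking system cannot function without.
BRAKING_SYSTEMS = {
    "pitch_A": {"pitch_ctrl_A", "hydraulic_unit_A", "rotor_speed_sensor"},
    "pitch_B": {"pitch_ctrl_B", "hydraulic_unit_B", "rotor_speed_sensor"},
    "rotor_brake": {"brake_caliper", "brake_accumulator", "rotor_speed_sensor"},
}

# Components that depend on one another, e.g. both pitch controllers fed from
# one cabinet supply: 2.2.3.1 treats their simultaneous failure as one failure.
DEPENDENCY_GROUPS = [{"pitch_ctrl_A", "pitch_ctrl_B"}]

# The same design with one speed sensor per braking system and no shared supply.
INDEPENDENT_SYSTEMS = {
    "pitch_A": {"pitch_ctrl_A", "hydraulic_unit_A", "speed_sensor_A"},
    "pitch_B": {"pitch_ctrl_B", "hydraulic_unit_B", "speed_sensor_B"},
    "rotor_brake": {"brake_caliper", "brake_accumulator", "speed_sensor_C"},
}


def single_failures(systems, groups):
    """Yield every event to be treated as one failure: each component on its
    own, and each dependency group as a whole."""
    grouped = set().union(*groups) if groups else set()
    components = set().union(*systems.values())
    for component in sorted(components - grouped):
        yield frozenset({component})
    for group in groups:
        yield frozenset(group)


def lost_systems(systems, failed):
    """Braking systems that need at least one of the failed components."""
    return {name for name, needs in systems.items() if needs & failed}


def check_independence(systems, groups):
    """Note 1 of 2.2.3.1: a single failure may take out at most one braking
    system. Returns (failed_components, lost_systems) for each violation;
    an empty list means the design passes."""
    violations = []
    for failed in single_failures(systems, groups):
        lost = lost_systems(systems, failed)
        if len(lost) > 1:
            violations.append((set(failed), lost))
    return violations
```

Running `check_independence(BRAKING_SYSTEMS, DEPENDENCY_GROUPS)` flags the shared speed sensor and the coupled pitch controllers; the variant with per-system sensors and no shared supply returns no violations.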
2.2.3.4.2 Wind turbine with mechanical brake and non-independent blade pitching system
(1) This section applies to wind turbines in which one braking system is a mechanical rotor brake and the other braking system is a blade pitching system, insofar as the blade pitching system is so constructed that a malfunction in a single component can prevent the pitching of all rotor blades (non-independent blade pitching system).
Note:
It is recommended that this Section 2.2.3.4.2 not be applied to new turbine designs. It is intended mainly for the re-certification of existing designs.
(2) If it can be assured that
– the blade pitching system is constantly monitored by a suitable control device which shuts down the wind turbine if the pitching has ceased to function properly, and
– the rotor blades and the pitch system are so designed that, in the event of a breakdown in the mechanism or leaks in the pitch hydraulics, the blades are unable to generate a torque which would accelerate the rotor beyond the maximum overspeed nmax (Section 2.2.2.6, para 6) (see Section 4.3.3.2),
it may be assumed that the failure of this braking system (DLC 2.2, Section 4.3.3.2) will occur only at wind speeds up to Vr (Section 2.2.2.8, para 2). Here the fluctuations (gusts) of the wind need to be considered. The magnitude of the gust during operation VB = 2 · σ1 shall be considered, where:
VB = magnitude of the gust
σ1 = standard deviation according to Section 4.2.3.1.3
(3) The gust shape shall be assumed according to Section 4.2.3.2.4. Here Vcg shall be replaced by VB and the rise time is T = 2.5 s.
Note:
It shall be observed that the rotor blades may be in a pitch position in which, due to an unfavourable angle of attack, they may generate a torque in excess of the maximum braking moment of the mechanical brake. In this case, the brake shall not become a fire hazard for the wind turbine.
2.2.3.4.3 Selection of the braking principle
At least one of the braking systems should operate on an aerodynamic principle, and as such act directly on the rotor. If this requirement is not met, at least one of the braking systems provided shall act on the parts (hub, shaft) of the wind turbine that rotate at rotor speed.
2.2.3.4.4 Power supply for braking systems
The braking systems shall be so designed that they remain operable if the external power supply (see Section 2.2.2.13) fails. If this requirement cannot be met by all braking systems within the selected system concept, then additional measures that ensure the safety level of this Guideline in an equivalent manner shall be implemented and verified.
2.2.3.4.5 Energy storage for braking systems
(1) If auxiliary power supply from accumulators (e.g. from the hydraulic unit or from batteries) is necessary for the functioning of the brakes, it shall be automatically monitored that a sufficient amount of energy is available for at least one emergency braking.
Note:
If the braking system also has control functions in case of grid disturbances, then the dimensioning of the energy storage shall consider possible grid disturbance events followed by one emergency braking.
(2) Furthermore, Section 2.3.2.11, Section 7.9 and Section 8.6 “Back-up Power Supply System” shall be taken into account.
(3) If the function of the accumulator depends on its temperature, then the accumulator temperature shall be monitored.
(4) If the automatic monitoring of the energy storage cannot be carried out continuously, then automatic tests shall be performed at least weekly to show that a sufficient amount of energy is available. The wind turbine shall be shut down immediately if the automatic monitoring or test yields a negative result.
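The requirements of Section 2.2.3.4.5 (energy for one emergency braking, plus preceding grid disturbance events where the brake also has control functions; temperature monitoring where the accumulator depends on it; a weekly automatic test where continuous monitoring is impossible; immediate shutdown on a negative result) combine into one monitoring policy. The following Python is an added example, not from the Guideline; the energy figures, temperature window and timestamps are constructed.

```python
# Added example (not from the Guideline): monitoring policy for braking-system
# energy storage per GL 2010 Section 2.2.3.4.5. Energy figures, the temperature
# window and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

WEEKLY = timedelta(days=7)              # para 4: automatic test at least weekly
NOW = datetime(2024, 1, 15, 12, 0)      # constructed reference time


def days_before(when: datetime, days: int) -> datetime:
    return when - timedelta(days=days)


@dataclass
class Accumulator:
    energy_available: float             # constructed units, e.g. kJ
    energy_per_emergency_braking: float
    energy_per_grid_disturbance: float
    has_control_functions: bool         # Note: brake also acts on grid disturbances
    continuous_monitoring: bool         # para 1 (continuous) vs para 4 (weekly test)
    last_test_time: Optional[datetime] = None
    last_test_passed: bool = False
    temperature_dependent: bool = False # para 3
    temperature: Optional[float] = None # None = not monitored
    temp_range: tuple = (-20.0, 60.0)   # constructed operating window


def required_energy(acc: Accumulator) -> float:
    """Para 1 and its Note: one emergency braking, plus the grid disturbance
    events the braking system must handle first if it has control functions."""
    extra = acc.energy_per_grid_disturbance if acc.has_control_functions else 0.0
    return acc.energy_per_emergency_braking + extra


def assess(acc: Accumulator, now: datetime) -> List[str]:
    """Return the reasons for an immediate shutdown (para 4); empty list = OK."""
    reasons = []
    if acc.continuous_monitoring:
        if acc.energy_available < required_energy(acc):
            reasons.append("insufficient stored energy")
    elif acc.last_test_time is None or now - acc.last_test_time > WEEKLY:
        reasons.append("weekly automatic test overdue")
    elif not acc.last_test_passed:
        reasons.append("automatic test negative")
    if acc.temperature_dependent:
        lo, hi = acc.temp_range
        if acc.temperature is None:
            reasons.append("accumulator temperature not monitored")
        elif not lo <= acc.temperature <= hi:
            reasons.append("accumulator temperature out of range")
    return reasons
```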
2.2.3.5 Torque-limiting components
If components are provided to limit torque, any mechanical brake fitted shall be located between the torque-limiting device and the rotor hub.