angeraer

Redundancy for security?

7 posts in this topic

Hello,

As you may already know because I've asked a lot of questions in the Omron forum, we've built a wind turbine controlled by a PLC. Since it is my first and only PLC experience, I've already learned a lot. Now that the wind turbine has been running for a year already, I've started to take a deeper look at safety.

I've added all kinds of safety measures: if the power grid fails, emergency stop. If the rotor speed is too high, emergency stop. If the wind speed is too high, emergency stop. Too many vibrations, emergency stop. One electrical phase down, emergency stop. ...

But now I've been thinking about the sensor that measures the rotor speed. If that one fails, for example, then the rotor speed will increase a lot and it will not get connected to the grid, so there is no resistance to keep it at a steady speed. We've tried to mechanically prevent high speed by using centrifugal force etc., but still... How is something like this checked? Adding a second sensor? If the sensor were to fail it could get really dangerous, since the rotor is almost 10 meters in diameter and normally does 80 rpm. What if the single input on the input module of the PLC were to fail, etc.?

Thanks for the ideas,
Andy.
www.windmolensite.be

Edited by angeraer

This may not apply to your situation exactly, but if I am expecting an input to change (like an analog input or something similar) but it stays the same for an extended period of time, then I can assume that something isn't working right: either the sensor, or what was supposed to cause the change that is being sensed. I'm not familiar with wind turbines, but I assume the RPM of the rotor changes frequently. If it doesn't change for a long time, you can assume something is wrong (or no wind is blowing).

On the machines we build, any output is verified by an input, so if we turn on that output and the input doesn't come on in a decent amount of time, we throw a fault and then it is up to the operator or maintenance people to find out what is wrong.

Let me state my answer as an old-fashioned geometry proof.

1. Given - You are measuring Voltage and Amperage produced by your Wind Turbine.
2. Given - You have a small wind speed sensor somewhere in the vicinity of your main rotor.
3. Given - The wind speed to RPM curve is a known function.
4. Given - The RPM to Power Output is a known function.
5. Therefore - If the Voltage or Amperage are too high, stop.
6. Therefore - If the sensed wind speed is too high, turn prop out of wind and emergency stop.
7. Therefore - Using the measured wind speed, calculate an anticipated Voltage and Amperage response. If actual response is off by a chosen percentage (5%), then emergency stop.

Andy,

Perhaps you would be interested in how someone else is doing what you are doing.

http://forum.automationdirect.com/showthread.php?t=5457

Almost all of his posts are concerning windmills, so you may want to read them all.

Well, to be honest, none of the above is 100% true. That's the behavior of nature. The only thing that is true is that the speed of the rotor is almost constant, 75 rpm +2/-2, when it's grid connected. The Amperage goes up/down from 0A to 16A depending on the force of the wind; the voltage always stays the same at 230v.

As one of you replied, 'an output is verified by an input' sounds like a good approach for outputs. To verify an input is more difficult, but as BobLfoot suggests, by using some logic I can indeed see when things are going wrong. And as an alternative I could always place a second sensor to verify the first sensor.

Thanks for the replies!
Andy.

I work in the process chemical industry and we have a lot of SIL rated control systems. So I would look at the problem by considering what will happen if the rotor overspeeds, and then determining the best protection; effectively you will do a full safety assessment. Once you have completed this, you then have to engineer your protection systems.

In the case of rotor overspeed, if it is critical then you may want to consider 'diverse technologies'. This may be as simple as two sensors, using different sensing technologies, and not sharing, for example, a common cable, right through to two or three independent systems, if the application were to demand it (which I doubt in this case).

Main thing is that the system is only as good as the weakest link, so if you have two sensors feeding a small PLC and the PLC fails, you are no better off.

Maybe I am oversimplifying this...

If you want to check the RPM sensor (I assume it is a prox reading a flag of some sort), then it is going to fail in 3 possible ways.

Fail where the sensor stays on when it should cut off.
Fail where the sensor stays off when it should turn on.

Those 2 scenarios are easy to monitor if you are monitoring the power output of the system. If you have power, you should see a change in state on the sensor. A simple timer would work here.

The 3rd possible failure is missing or extra pulses. That one can get a bit tricky to check but is possible if you look at what Bob said: do a comparison of what you're reading on RPM and Power and what you expect to read.

One thing I do not see that you mentioned: what do you do if the PLC itself fails? You should lose all outputs when a PLC failure happens. Can your system handle that?

Edited by Clay B.
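
The checks suggested in this thread (a stuck-input timer that only runs while the generator is producing current, a speed plausibility band, and a second-sensor comparison), modelled as scan-cycle logic. This is an added example, not code from any poster; it is a Python model rather than PLC code, and the class name, fault names and every threshold except the 75 rpm grid-connected speed are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SpeedSensorMonitor:
    """Scan-cycle plausibility checks for a pulse-type rotor speed sensor."""
    min_current_a: float = 1.0     # assumed: above this the generator is loaded
    stuck_timeout_s: float = 2.0   # assumed: max time without an edge under load
    rpm_nominal: float = 75.0      # grid-connected speed quoted in the thread
    rpm_band: float = 5.0          # assumed tolerance (thread reports +2/-2)
    max_disagree_rpm: float = 3.0  # assumed limit between sensor A and sensor B
    _last_pulse: bool = False
    _since_edge_s: float = 0.0

    def scan(self, dt_s, pulse, rpm_a, rpm_b, current_a):
        """Run once per scan; returns the set of active fault names."""
        faults = set()
        # Edge timer: reset on any state change of the raw sensor input.
        if pulse != self._last_pulse:
            self._since_edge_s = 0.0
        else:
            self._since_edge_s += dt_s
        self._last_pulse = pulse
        # Without load there may simply be no wind, so only judge under load.
        loaded = current_a >= self.min_current_a
        # Failure modes 1 and 2: input stuck on or off while power is produced.
        if loaded and self._since_edge_s > self.stuck_timeout_s:
            faults.add("SENSOR_STUCK")
        # Failure mode 3: missing/extra pulses show up as an implausible speed.
        if loaded and abs(rpm_a - self.rpm_nominal) > self.rpm_band:
            faults.add("RPM_IMPLAUSIBLE")
        # Second sensor: disagreement means one of the two readings is wrong.
        if abs(rpm_a - rpm_b) > self.max_disagree_rpm:
            faults.add("SENSOR_DISAGREE")
        return faults

def run(samples, dt_s=0.25):
    """Feed samples through a fresh monitor; return (index, faults) of first trip."""
    mon = SpeedSensorMonitor()
    for i, (pulse, rpm_a, rpm_b, amps) in enumerate(samples):
        faults = mon.scan(dt_s, pulse, rpm_a, rpm_b, amps)
        if faults:
            return i, faults  # any fault -> emergency stop
    return None

# Constructed samples (pulse, rpm_a, rpm_b, current_a): input sticks low at index 10
# while the speed calculation still holds its last value.
STUCK = [(i % 2 == 0, 75.0, 75.0, 8.0) for i in range(10)] + [(False, 75.0, 75.0, 8.0)] * 20
```

As the last two posts point out, logic like this running in the same PLC does not cover a failure of the PLC itself.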
