Overspeed Prevention in Wind Turbines

1. Closed-Loop Pitch and Generator Torque Control – The First Line of Defence

Utility-scale turbines still rely on a dual-loop architecture in which collective blade pitch limits aerodynamic power while generator torque holds the desired electrical output. Conventional PI feedback can, however, lag behind fast gusts, converter trips or grid faults. Two recent concepts sharpen the primary loop without altering its basic topology.

The time-to-overspeed predictor described in the time-to-overspeed predictor fuses rotor speed, acceleration and the remaining generator counter-torque margin to estimate how many seconds remain before the hard speed limit is breached. If that look-ahead time falls below a configurable threshold, the pitch loop is temporarily biased toward feather, removing enough aerodynamic torque to stay clear of the limit without resorting to an emergency stop. A companion technique, the look-ahead overspeed estimator, tracks both the value and the rate of change of a chosen variable, then inserts a pre-calculated pitch ramp that steers clear of tower eigenfrequencies.

Generator torque can make the same trade-off. The enhanced braking mode with real-time limit tracking continuously calculates thermal, voltage and current headroom, lifting torque up to that live ceiling when a rapid deceleration is required. Torques two to three times higher than the nominal curve are achievable for several seconds, shortening stopping distance without violating component limits.

Once primary loops are in place, the controller still needs criteria for choosing among alternative actions. The load-aware strategy selector runs a reduced-order turbine model whenever rotor speed approaches a soft limit. It compares several candidate responses – continue, derate, partial shutdown, full stop – against user-defined load targets and picks the first option that preserves both structural margins and energy yield.

With these closed-loop tools anchored, the control problem shifts from pure feedback to anticipation, which is the focus of the next section.

2. Predictive and Feed-Forward Enhancements

Where high-order control is permissible, upstream information can shift corrective action earlier in time and thereby reduce the size of the pitch excursions required. Two families of solutions dominate.

1. Lidar-based feed-forward. The lidar-assisted multivariable feed-forward controller measures the incoming wind field 1–2 rotor diameters ahead. Separate low-, medium- and high-frequency channels route the previewed signal either to pitch, to generator torque or to tower damping filters. Field trials report rotor-speed deviations cut by roughly 40 % during the partial-load to full-load transition.

2. Sensorless wind estimation. When lidars are unavailable, the sensorless wind-speed-based feed-forward pitching reconstructs wind speed in real time from rotor speed, pitch angle and electrical power. The estimated wind then indexes a set of pre-tuned look-up tables for speed, power and thrust limits. Priority weights allocate scarce pitch-rate capability between rotor-speed control and structural damping.

Predictive logic does not eliminate the need for fast backup measures, so designers often integrate a passive layer behind the active one, as discussed next.

3. Passive Mechanical Governors

Passive devices react within a single rotor revolution and therefore cover the latency gap that even the fastest electronics cannot close.

• Spinner-driver ball screw. The ball-screw-based spinner driver hides a miniature governor inside the nose cone. Small vanes on the spinner generate an aerodynamic torque that turns a ball screw, translating into a 2–4 deg reduction in blade pitch when rotor speed exceeds a preset threshold. A common return spring re-engages nominal pitch once the overspeed condition clears, keeping micro-turbines online across a wide wind band without hydraulics or sensors.

• Centrifugally activated torsion stop. In the centrifugally-activated torsion-stop assembly each blade root hosts a weighted stop that pivots radially outward. Contact with a back plate winds a helical spring which feathers the blade by up to 15 deg. Disengagement is equally fast, making the mechanism well suited to stand-alone machines where grid-formers may be absent.

• Slip-enhanced gear train. The dual-speed slip-enhanced gear train keeps a secondary shaft at constant speed. Any difference between that reference and the hub is transmitted through gearing directly to the blade pitch links. Generator slip adds an electromechanical buffer, absorbing torque transients before they reach the main gearbox.

Because passive governors cannot always bring the rotor fully under control, the next layer adds redundancy and fail-safe logic to the primary actuators.

4. Redundant Actuation and Fail-Safe Architectures

Hydraulic or electric pitch drives must feather the blades after a grid loss, even if one channel has failed. Redundancy is therefore mandated by IEC 61400-1 and many grid codes.

• Dual-rate safety-stop valve train. The passive dual-rate safety-stop valve train chains normally-closed valves in parallel. Loss of the general safety signal first routes fluid through a small orifice for a gentle feather. If rotor acceleration remains positive, a separate relay opens a large-orifice path that dumps the accumulators in under 0.3 s. The arrangement reaches ISO 13849-1 PL d without electronic sensors.

• Speed-dependent pitch-rate supervision. Fixed thresholds often trigger unnecessary trips. The speed-dependent collective pitch-rate supervision builds a lookup table that raises the minimum acceptable pitch-out rate as rotor speed climbs. Sub-threshold behaviour at high rpm forces an orderly derate or stop, while low-speed service modes remain unaffected.

• Motor-level brakes. During the millisecond window between converter dropout and battery takeover, gravity can drive DC pitch motors toward power. The unidirectional armature short-circuit brake links the armature through SCRs so that braking torque builds only in the unsafe direction. For deeper faults, the emergency field-flux modulator caps pitch rate by shunting the field winding.

These measures secure the actuation chain. If a stop is still required, braking systems take command, forming the fifth layer.

5. Electrical, Hydraulic and Friction Braking Layers

Modern protection stacks leave electrical torque at the top, hydraulic or eddy-current brakes in the mid-band and friction calipers at the bottom.

5.1 Electrical and converter-based braking

The sacrificial high-torque braking strategy defines two emergency modes. Moderate events push generator torque up to but not past long-term thermal limits. Catastrophic events permit short excursions beyond those limits, accepting accelerated aging to prevent structural loss.

A dynamic envelope rather than a fixed curve improves utilisation. The dynamic capacity curve algorithm raises or lowers the allowable torque surface according to real-time temperature, voltage margin and damping demand. At 30 % rated speed the curve can open by 15 %, unlocking tower-damping authority, yet it tightens automatically at high speed.

5.2 Hydraulic and hybrid transmissions

Where electrical torque drops out, a hydraulic path can maintain control. The power-split hydraulic transmission coupling diverts surplus flow into a high-pressure accumulator when rotor speed exceeds the generator set point. Stored energy later back-feeds the shaft, reclaiming up to 7 % of what would otherwise be dumped as heat.

5.3 Friction and eddy-current calipers

Engaging a high-speed-shaft brake above 20 rpm risks disk failure. The low-speed-shaft interlock for high-speed brake uses a second tachometer and hard-wired relay logic to veto any brake-on command until rpm is safe. Once applied, torque can be modulated instead of slammed. The dual-shaft PWM torque modulation pulses both low- and high-speed brakes at duty cycles scaled with wind speed, keeping torsion peaks beneath 1.5 times rated.

Non-contact options avoid pad wear. The strain-and-wind feed-forward eddy current brake energises coils whenever blade-root strain rises faster than a threshold or nacelle anemometry registers an approaching gust. Cooling downtime can be shortened with the temperature-adaptive recovery timer for DBS, which restarts the turbine the moment resistor temperature falls within margin.

These brake layers assure a safe stop, but many events can be managed earlier by supervisory logic that trims operating points before a hard limit is reached.

6. Supervisory Speed Avoidance, Derating and Yaw Relief

6.1 Dynamic overspeed thresholds and resonance gaps

A fixed flutter limit often forces unnecessary shutdowns. The pitch-aware flutter-limit overspeed threshold updates the maximum allowed rpm continuously from blade pitch and wind speed. By raising the threshold up to 8 % in benign conditions, annual energy production climbs while safety margins remain intact.

Critical-speed avoidance during partial-load operation requires discrete safe islands in speed-torque space. The predefined safe-speed subset stores these islands and moves between them with coordinated pitch and torque commands.

6.2 High-wind and damage-rate derating

Emergency stops in heavy weather invite large thrust reversals. The minimum-load high-wind mode keeps the rotor spinning slowly, just enough to power auxiliary systems, and eliminates restart hysteresis. When gusts peak above 25 m s-1, the safe idling control holds a controlled sub-rated speed so that active damping remains effective.

Component-level fatigue feedback refines how much over-rating is allowed. The Lifetime Usage Estimator framework translates load and thermal histories into consumed life per minute. If the instantaneous rate crosses a threshold, the controller trims over-rating within seconds. A simpler proportional loop in the feedback-based over-rating control maps each alarm variable to an over-rating margin, avoiding on-off cycling.

6.3 Yaw-based relief

When pitch authority is lost on a single blade, fast yaw can still unload the rotor. The cross-wind emergency yaw turns the nacelle out of the wind once generator overspeed coincides with a non-responsive blade, provided an envelope check shows the maneuver is safe. For multi-blade faults the passive yaw-under-pressure shutdown releases the yaw brake, letting aerodynamic torque slew the nacelle up to 120 deg in under 10 s.

Yaw drives themselves must survive higher duty cycles under derating. The mean-speed coordinated yaw-motor control throttles the fastest motor and boosts the slowest, equalising torque and preventing gear teeth from overloading. The tooth-load equalisation concept varies pinion position subtly so that averaged load across the ring gear remains balanced.

These supervisory measures depend on accurate state awareness, which leads to the next layer: condition monitoring as a trigger for protection.

7. Condition Monitoring as a Trigger

The implausible-torque estimation algorithm compares electrical torque inferred from current sensors with mechanical acceleration of the rotor. A divergence beyond a physically plausible window signals gear damage or main-shaft cracking, prompting an immediate safe shutdown 10–20 s earlier than dual-speed monitors.

Gust-initiated overspeed often presents first as a spike in axial thrust. The real-time thrust-sensing safeguard embeds a load pin in the main shaft and triggers pre-emptive pitch or torque actions when thrust rises faster than a preset rate.

Grid-side instabilities can feed back into rotor speed. The energy-compensation damping logic monitors transient energy in a direct-drive generator and inserts supplementary current commands if negative damping is detected.

If the primary chain fails, a staged fallback remains. The auxiliary multi-path overspeed control sequences pitch feathering, converter braking and cross-wind yaw in that order, using whatever power supply is still live.

Although most of these techniques were developed for three-bladed horizontal-axis machines, overspeed must also be managed on alternative platforms, which closes the survey.

8. Platforms with Unique Requirements

8.1 Vertical-axis turbines

The self-powered eddy-current brake attaches a non-ferromagnetic disk to the shaft and energises stationary coils only when rectified DC voltage – hence rotor speed – exceeds a set point. Drag torque builds in milliseconds without mechanical wear.

The swing-wing blade articulation lets each airfoil pivot outward under centrifugal and aerodynamic load, reducing angle of attack and rotor torque before generator or mechanical limits are hit.

8.2 Micro-turbines and off-grid systems

Small machines often omit active pitch, relying instead on the passive devices of Section 3 paired with simple friction brakes. The layered philosophy still applies: primary governors, passive overspeed devices, fail-safe brakes and finally yaw furling if applicable.