ELECTROMECHANICAL DRIVE SYSTEM

Abstract

The present invention provides an electromechanical drive system (1) with at least one electromechanical drive unit (2) to actuate a movable component (3). The electromechanical drive unit (2) comprises a drive unit interface 20 for receiving drive unit control signals (DA), an electromechanical motor (21) controlled by actuation signals (AS) to actuate the component (3), a safety module (4) and a position sensor (5) connected to the safety module via a first data connection (51). The position sensor is adapted to monitor (S1) component (3) and/or motor (21) position and/or speed of the actuated component (3) and/or motor (21); where the safety module (4) is connected to the drive unit interface (20) for receiving the drive unit control signal (DA), and where the safety module is connected to the motor control unit (22) via a third data connection (41) to transmit actuation signals (AS) like actuation speed and desired component position to the motor control unit (22) for actuating (A) the component (3). The safety module (4) comprises as a safety function (SF) at least the actuation (A) of the component (3) in a resting or neutral position (FP), whereby the safety module (4) is configured to decide on basis of the sensor data received from the position sensor (5) whether to continue to actuate the component (3) until it has reached its resting or neutral position (FP) or to stop the actuation of the component (3).

Claims

1. An electromechanical drive system comprising: at least one electromechanical drive unit operable to actuate a movable component, the electromechanical drive unit comprising a drive unit interface for receiving drive unit control signals, an electromechanical motor controlled by actuation signals to actuate the movable component, a measuring unit comprising a resolver for determining the electromechanical motor position and/or speed, a safety module and a safety position sensor connected to the safety module via a first data connection, the safety position sensor being adapted to monitor the movable component and/or the electromechanical motor position and/or the speed of the movable component and/or the electromechanical motor; where the safety module is connected to the drive unit interface for receiving the drive unit control signal via a second data connection, and where the safety module is connected to a motor control unit via a third data connection to transmit actuation signals like actuation speed and desired component position to the motor control unit for actuating the movable component, wherein the safety module comprises as a safety function at least the actuation of the movable component in a resting or neutral position in which the movable component will not be damaged and the environment around the movable component will not be endangered by the movable component or by malfunctions of the movable component, wherein the safety module is adapted to perform a plausibility check between data delivered by the measuring unit and the sensor data delivered by the safety position sensor; and in case the plausibility check indicates that neither the data from the measuring unit nor the data of the safety position sensor are trustworthy, the safety module stops the electromechanical motor, and in case the plausibility check indicates a malfunction of the safety position sensor to actuate the movable component by using data provided by the measuring unit until it has reached the resting or neutral position.

2. The electromechanical drive system of claim 1, wherein in case the plausibility check indicates a malfunction of the safety position sensor the safety module actuates the movable component into the resting or neutral position driving the electromechanical motor in a first mode by using the electromechanical motor position and/or the electromechanical motor speed data of the resolver.

3. The electromechanical drive system of claim 1, wherein in case the plausibility check indicates a malfunction of the resolver, the safety module actuates the movable component into the resting or neutral position by switching the electromechanical motor in a second mode wherein the measuring unit drives the electromechanical motor without using the input of the resolver.

4. (canceled)

5. The electromechanical drive system of claim 1, wherein in case of detected errors in communication and/or operation of the motor control unit, the safety module is adapted to reset the motor control unit via a direct access to a reset line of the motor control unit.

6. The electromechanical drive system of claim 1, wherein the safety module is adapted in case of actuating the movable component into the resting or neutral position to modify the speed commands for the electromechanical motor such that in a first part the speed of the electromechanical motor is increased and that in a second part the speed of the electromechanical motor is decreased.

7. The electromechanical drive system of claim 1, wherein the safety functions implemented on the safety module further comprise one or more safety functions of the following functions: a safe-limited-position-control function to ensure the position of the movable component being within an allowed position range, a safe-limited-speed control function to ensure the speed of the movable component not exceeding a maximum speed, a safe-direction-control function to ensure the movable component being actuated into the desired direction, a safe-torque-off-control function to ensure that the torque applied to the movable component is zero, a safe-brake-control function to ensure a brake of the electromechanical motor is applied, and/or a safe-stop-control function to ensure execution of a stopping procedure in accordance to other safety functions and where the safety module is suitably adapted to execute the implemented safety functions.

8. The electromechanical drive system of claim 7, wherein the safety module comprises at least one of a PWM blocker module 42 receiving a motor control signals (MCS) from the motor control unit, where execution of at least one of the safe-torque-off-control function and/or the safe-stop-control function results in blocking the motor control signal from passing the PWM blocker module towards the power control unit, preferably the output of the PWM blocker module is set to 0V; a brake blocker module receiving a brake control signal as another type of motor control signal from the motor control unit, where execution of at least one of the safe-brake-control function and/or the safe-stop-control function results in blocking the brake control signal from passing the brake blocker module towards the power control unit, preferably the output of the brake blacker module is set to 0V.

9. The electromechanical drive system of claim 1, wherein the safety module is adapted to prove an error-free communication and operation of the motor control unit by a so-called heartbeat-signal, where the motor control unit answers the heartbeat signal in a predetermined manner in case of operating properly.

10. The electromechanical drive system of claim 1, wherein the safety module is arranged as a plug-in safety card comprising a first interface as the third data connection to connect the safety card to the motor control unit, preferably comprising a FS-bus as a safety interface and/or an SSI interface as a data interface in order to at least transmit the actuation signals to the motor control unit and a second interfaces to transmit the motor control signal and/or the brake control signal to the power unit via the safety card.

11. The electromechanical drive system of claim 1, wherein the safety position sensor is a safe linear or rotary encoder providing safe absolute position and/or speed and fault status data via a FS-bus interface developed according to the IEC 61508 Standard as the first data connection to the safety module, preferably in case of a rotary encoder for rotations as actuations the safety position sensor is a SIL rated multi-turn encoder.

12. The electromechanical drive system of claim 1, wherein the electromechanical drive system comprises at least two electromechanical drive units, where the safety modules of the electromechanical drive units are connected to each other in order to at least exchange information comprising information about any applied safety function in order to trigger the other safety modules to execute corresponding safety functions in an aligned way.

13. The electromechanical drive system according to claim 12, where the connection is established via a central unit comprising a central unit safety card connected to each electromechanical drive unit via a suitable bidirectional interface, preferably a FSOE interface, to send demanded actuation and/or position data for the movable components to the safety modules of each electromechanical drive unit for generating corresponding actuation signals and also sending a first safety signal to the safety modules in an emergency situation, where the safety modules are adapted to execute the first safety function in response to the first safety signal.

14. The electromechanical drive system according to claim 13, wherein each safety module is adapted to report at least safe position and/or speed data of the movable component from the corresponding safety module to the central unit, where the central unit safety card is adapted to compare the reported safe position and/or speed data to a demanded position and/or speed of each actuator and in case of a mismatch is adapted to send the first safety signal to each safety module.

15. A pitch system suitable to rotate at least one rotor blade preferably all rotor blades, of a wind turbine comprising an electromechanical drive system according to claim 1 for rotating the at least one rotor blades, where the at least one rotor blade is the component to be actuated, where the electromechanical motor is adapted to rotate the at least one rotor blade about its longitudinal axis as the actuation and where a safe feathering run to rotate the at least one rotor blade in a feathering position is the first safety function.

16. The pitch system according to claim 15, where the electromechanical drive system comprises two or more electromechanical drive units, further comprising a central unit comprising a central unit safety card connected to each electromechanical drive unit for each rotor blade via a suitable bidirectional interface, preferably a FS-bus or a FSOE interface, to send demanded rotation and/or position data for the rotor blades to the safety modules of each electromechanical drive unit for generating rotation signals and also sending a feathering signal to the safety modules in case of an emergency situation, where the safety modules are adapted to execute the safe feathering run for each rotor blade in response to the feathering signal.

17. A wind turbine comprising two or more rotor blades, where each rotor blade is rotated by a separate electromechanical motor of the pitch system according to claim 16, the wind turbine further comprising a turbine control unit arranged in a nacelle of the wind turbine adapted to transmit position and/or speed commands for rotating each rotor blades to the central unit, where the central unit safety card is adapted to compare the transmitted position and/or speed commands as demanded position of each rotor blade to safe position and/or speed data reported to the central unit by each safety module and in case of a mismatch to send the feathering signal to each safety module in order to execute the safe feathering run.

18. A method to operate an electromechanical drive system according to claim 1 with least one electromechanical drive unit, the drive unit comprising an electromechanical motor to actuate a movable component, where reliability, integrity and diagnostics of the actuation of the component is safety-relevant for operating the component, a power unit to power the electromechanical motor, a motor control unit connected to the power unit in order to control the power unit via motor control signals, a measuring unit connected to the motor control unit, the measuring unit comprising a resolver to for determining motor position and/or motor speed data and for sending these data as motor signals to the motor control unit, a safety module connected to motor control unit and power unit, and a safety position sensor connected to the safety module, comprising the steps of receiving drive unit control signal via a second data connection from a drive unit interface; monitoring the movable component and/or the electromechanical motor position and/or speed of the movable component and/or the electromechanical motor with a sufficient degree of reliability and integrity to fulfill safety requirements for the safety-relevant actuations by the safety position sensor, preferably a position encoder; sending corresponding sensor signals comprising position and/or speed data to the safety module via a first data connection by the safety position sensor; transmitting actuation signals like actuation speed and desired component position from the safety module to the motor control unit via a third data connection; transmitting the motor control signals via the safety module to the power unit in order to enable execution of safety functions by the safety module; actuating the movable component by the electromechanical motor based on the motor control signals resulting from the actuation signals in accordance to one or more safety functions at least implemented on the safety module to ensure safe actuation of the movable component; as a plausibility check comparing the monitored position and speed of the movable component with an expected behavior from the actuation signals by the safety module; in case the plausibility check indicates that neither data from the measuring unit nor the data of the safety position sensor are trustworthy stopping the actuation of the movable component; in case the plausibility check indicates a malfunction of the safety position sensor actuating of the movable component by using data provided by the measuring unit in a resting or neutral position in which the movable component will not be damaged and the environment around the movable component will not be endangered by the movable component or by malfunctions of the movable component as a first safety function executed by safety module at least in an emergency situation.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0056] The aforementioned and other aspects of the invention will also be apparent from and elucidated with reference to the embodiments of the invention described herein after making reference to the drawings.

[0057] FIG. 1: shows an embodiment of the electromechanical drive system according to the present invention;

[0058] FIG. 2: shows another embodiment of the electromechanical drive system (or pitch system) according to the present invention comprising a central unit;

[0059] FIG. 3: shows another embodiment of the electromechanical drive system related to fault reaction;

[0060] FIG. 4: shows an embodiment of the wind turbine according to the present invention;

[0061] FIG. 5: shows a method to operate the electromechanical drive system according to the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS

[0062] FIG. 1 shows an embodiment of the electromechanical drive system 1 according to the present invention established by one electromechanical drive unit 2 actuating the movable safety-relevant component 3 comprising a drive unit interface 20 for receiving drive unit control signals DA, an electromechanical motor 21, where a conventional power unit 23 powers the electromechanical motor 21, a conventional motor control unit 22 is connected to the conventional power unit 23 and controls the conventional power unit 23 via motor control signals MCS and a conventional measuring unit 24, which is connected to the conventional motor control unit 22 to determine motor position and/or motor speed data and to send these data as motor signals MS to the conventional motor control unit 22. For this purpose the measuring unit 24 comprises a resolver 25 that is attached to the motor shaft for determining motor position and motor angle. In this embodiment the chosen resolver 25 provides a high resolution of 16 bit for one complete turn of the motor shaft. Thus the electrical motor 21 can be controlled precisely in a first mode, which is called herein normal mode. Alternatively the conventional measuring unit 24 is configured to determine motor position and/or speed in a second mode, which is herein called sensorless mode. In sensorless mode the position of the motor shaft is estimated without using the resolver 25. Instead, an angle-dependant trait in the motors physical construction, which could be either inherent, or deliberately added, is used to estimate the shaft angle by a selfsensing realtime algorithm, e.g. a Kalman Filter, which uses the actual motor current as an input to determine the position and/or speed of the motor. The results are not as precise as with the use of a high resolution resolver 25, but sufficient to operate the motor. The mode of operation can be demanded by the safety module 4.

[0063] The reliability, integrity and diagnostics to provide safe actuation A of the component 3 is achieved by a safety module 4, arranged as a plug-in safety card in this embodiment, and an safety position sensor 5, where the safety position sensor 5 monitors S1 component position and/or speed of the actuated component 3 with a sufficient degree of reliability, integrity and diagnostics to fulfill safety requirements for the safety-relevant actuations and is connected to the safety module 4 via a first data connection 51 sending corresponding sensor signals SS comprising position and/or speed data to the safety module 4. The safety position sensor 5 might be a safe linear or rotary encoder providing safe absolute position, speed and fault status data via a FS-bus interface 51 developed according to the IEC 61508 Standard as the first data connection 51 to the safety module 4. In case of a rotary encoder for rotations as the actuations the safety position sensor 5 might be a SIL rated multi-turn encoder. In an alternative embodiment the sensor signals SS transmitted from the safety position sensor 5 may be based on measured motor position and/or speed of the motor 21 as long as the data measured from the motor 21 provide a sufficient degree of reliability and integrity to fulfill safety requirements. The measurement of the motor position and/or speed data is indicated by the dashed arrow S1 directing from the motor 21 to the safety position sensor 5. The safety position sensor 5 might be attached to a motor shaft (not shown in detail here), where a direct correlation between shaft position and speed and component position and speed exists. The safety position sensor 5 may be alternatively attached to the output of a gearbox (not shown), where an indirect correlation between motor shaft coupled to the input of the gear box and the output shaft of the gearbox exists. A gearbox pinion may drive a crown wheel or annular gear (not shown) for rotating the blade of a wind turbine. The attachment of the position sensor 5 to the output of a gearbox, the pinion of a gearbox, a crown wheel or annular gear has the advantage that the safety position sensor 5 allows to supervise the proper function of the gearbox or the rotation of the rotor blade. However, the correlation of motor speed and rotation speed of the rotor blade could be blurred by play/backlash of the gears in the gearbox and other components of the transmission.

[0064] The sensor signals SS are further processed by the safety module 4 in order to calculate component position and/or speed from the motor position and/or speed. Via a second data connection 40 the safety module 4 is connected to the data drive unit interface 20. The safety module 4 is further connected to the conventional motor control unit 22 via a third data connection 41 to transmit actuation signals AS like actuation speed and desired component position to the conventional motor control unit 22 for actuating A the component 3 in accordance to one or more safety functions SF at least implemented on the safety module 4 to ensure safe actuation of the component 3, where the third data connection 41 comprises a first interface 41, preferably comprising a FS-bus as safety interface 41s and/or an SSI interface as a conventional data interface 41c. In order to ensure that the conventional motor control unit 22 indeed receives the actuation signals AS, the safety module 4 is adapted to prove an error-free communication and operation of the conventional motor control unit 22 by a so-called heartbeat-signal HS, where the conventional motor control unit 22 answers the heartbeat signal HS in a predetermined manner in case of operating properly. In case of detected errors in communication to and/or operation of the conventional motor control unit 22, the safety module 4 resets R the conventional motor control unit 22 via a direct access 44 to a reset line of the conventional motor control unit 22. A performed reset R may cause instant execution of the first safety function SFR. Alternatively, the safety module 4 may be configured to cause the first safety function SFR only if the reset fails or after a predetermined number of failed resets.

[0065] The safety module 4 compares the monitored position and/or speed of the component 3 with an expected behavior from the actuation signals AS and controls the motor control signals MCS transmitted to the conventional power unit 23 via the safety module 4. Therefore the safety module 4 comprises a PWM blocker module 42 receiving the motor control signals MCS from the conventional motor control unit 22, where execution of at least one of the safe-torque-off-control function STO and/or safe-stop-control function SS1 results in blocking the motor control signal MCS from passing the PWM blocker module 42 towards the conventional power control unit 23, preferably the output of the PWM blocker module 42 is set to 0V. The safety module 4 further comprises a brake blocker module 43 receiving a brake control signal BCS as another type of the motor control signal MCS from the conventional motor control unit 22, where execution of at least one of the safe-brake-control function SBC and/or safe-stop-control function SS1 results in blocking the brake control signal BCS from passing the brake blocker module 43 towards the conventional power control unit 23, preferably the output of the brake blocker module 43 is set to 0V.

[0066] The safety functions SF comprise the actuation A of the component 3 in a resting or neutral position FP as a first safety function SFR executed by safety module 4 at least in an emergency situation and a safe-limited-position-control function SLP to ensure the position of the component 3 being within a certain range of allowed positions, a safe-limited-speed-control function SLS to ensure the speed of the actuated component 3 not exceeding a maximum speed, a safe-direction-control SDI function to ensure the component 3 being actuated into the desired direction, a safe-torque-off-control STO function to ensure that the torque applied to the component 3 is zero, a safe-brake-control function SBC to ensure the brake is applied and a safe-stop-control function SS1 to ensure execution of a stopping procedure in accordance to other safety functions SF. Therefore in this embodiment the safe-stop-control function SS1 is also connected to the first interface 41 in order to advise the conventional motor control unit 22 via the first interface 41 to decelerate the motor 21, e.g. as a part of the first safety function SFR. In this embodiment the safety module 4 acts as a man-in-the-middle device between the conventional motor control unit 22 and an external data source EDS providing demanded input data to execute a component actuation to a certain position in a certain way in accordance to one or more safety functions SF, where in response actuation signals AS like actuation speed and desired component position are transmitted from the safety module 4 to the conventional motor control unit 22. As an example the data source might be a central unit 6 as shown in FIG. 2. The safety module 4 is adapted to execute these implemented safety functions FS, therefore comprising one or more processors or computer chips able to execute a programmed procedure and/or to control semiconductor components installed on the safety module 4 in order to execute the programmed procedures. The required components of the safety module 4 are connected directly or indirectly via interfaces of the safety module 4 to the other components of the electromechanical drive unit 2 in order to execute the programmed procedures. These details are not shown explicitly in FIG. 1.

[0067] The safety module 4 is adapted to perform plausibility checks of the data delivered by the measuring unit 24 and the sensor data delivered by the safety position sensor 5. In case the plausibility check indicates that neither the data from the measuring unit nor the data of the position sensor are trustworthy, for example that the reported speed of the measuring unit is significantly lower or higher than the speed detected by the safety position sensor 5, taking into account a margin for the imperfect correlation of the speed directly measured at the motor shaft and indirectly calculated from the safety position sensor at the output of the gearbox, the safety module 4 has to decide which of the two sensors, either the resolver 25 or the safety position sensor 5 it trusts more.

[0068] In case the chosen safety position sensor 5 is one that provides an error signal that is emitted when the permanent self-test of the safety position sensor 5 detects a mal function then in case no such error code is received by the safety module 4, the safety module would give preference to the speed information derived from the safety position sensor 5 over the speed information derived from the resolver 26. The person skilled in the art will appreciate that additional plausibility test may be applied, such as taking into account the amount of speed reported. If the derived speed from the safety position sensor 5 is much higher than a speed that is technically possible, then the safety module 4 may decide to trust the speed information provided from the resolver 25 or to not trust both speed informations.

[0069] In case the plausibility check indicates a malfunction of the safety position sensor 5 the safety module will initiate the first SFR, which causes the rotor blade to be actuated by the electrical motor 21 into the feathering position by using the position data/speed data provided by the resolver 25. In this case the safety module 4 uses the data provided by the measuring unit 24 instead of the data provided by the position sensor that cannot be longer trusted, for monitoring and estimating, respectively the rotor blade position. With the estimated rotor blade position correct speed commands can be issued to the motor control unit 21 to continue operating the electrical motor 21 until the rotor blades have reached the feathering position and to stop the motor in this position. Although the data from the measuring unit does not allow to check if the gearbox between the motor and the rotor blade is working properly, this is considered as a lower risk than to leave the rotor blade fully exposed to the wind.

[0070] In the event that the plausibility check indicates a malfunction of the resolver 25 the safety module actuates the component into the feathering position by switching the motor from normal operation mode into sensorless operation mode wherein the measuring unit drives the motor without using the input of the resolver 25. In case the plausibility check indicates that neither the data from the measuring unit nor the data of the position sensor are trustworthy, the safety module stops the motor immediately. In order to ensure that stopping the motor is inhibited by a malfunction the safety module 4 in addition to modifying the speed indicated to the motor unit 21 to zero the safety module 4 may also invoke the PWM blocker to ensure that the electrical motor 21 is stopped reliably.

[0071] As explained before, the safety module 4 may modify the speed commands received as demanded actuation commands DA received at the drive unit interface 20, before it forwards the commands as actuation signal AS to the conventional motor control unit 22. In case of executing the first safety function, e.g. actuating the rotor blades into a feathering position, the safety module 4 will modify the command so that in a first part the speed of the electromechanical motor 21 is increased, in second part the demanded speed is uphold and in a third part, when the rotor blade approaches the final position, the speed of the motor is decreased. Specific information of the duration, the actual speed increase and decrease depend on the dimension of the wind turbine and the electromechanical characteristics of the electromechanical motor 21, to name two of the various factors. The person skilled in the art will also appreciate that these modifications may be applied in only two steps, or in even more than three steps.

[0072] FIG. 2 shows another embodiment of the electromechanical drive system 1 (or pitch system 71) according to the present invention comprising a central unit 6 comprising a central unit safety card 62, where one or more safety functions SF are implemented. The details of the electromechanical drive unit 2, 2 and 2 are shown in FIG. 1. The electromechanical drive system 1 (or pitch system 71) of FIG. 2 comprises three electromechanical drive units 2, 2, 2, where the safety modules 4, 4, 4 of the electromechanical drive units 2, 2, 2 are connected to the central unit safety card 62 of the central unit 6 via a suitable bidirectional interface 61, preferably a FSOE interface, to send demanded actuation and/or position data DA for the components to the safety modules 4, 4, 4 of each electromechanical drive unit 2, 2, 2 for generating corresponding actuation signals AS. Also a first safety signal FS might be sent to the safety modules 4, 4, 4 in an emergency situation. The safety modules 4, 4, 4 will execute the first safety function SFR in response to the received first safety signal FS. The central unit 6 enables the execution of safety functions SF for all electromechanical drive units 2, 2, 2 in an aligned way. Furthermore each safety module 4, 4, 4 reports at least the safe position and/or speed data PD of the component 3 to the central unit safety card 62, which compares the reported position and/or speed data PD to a demanded position and/or speed of each actuator A and in case of a mismatch will send the first safety signal FS to each safety module 4, 4, 4.

[0073] FIG. 3 shows another embodiment of the electromechanical drive system related to fault reaction for an electromechanical drive system as shown in FIGS. 1 and 2. The safety functions safe-limited-position-control function SLP, safe-limited-speed-control function SLS and safe-direction-control function SDI comprise defined fault reactions FR in order to guarantee reliability, integrity and diagnostics of the actuation A of the component 3 depending on the operation mode of the electromechanical drive system. The fault reaction FR of the safe-limited-position-control function SLP, safe-limited-speed-control function SLS and/or the safe-direction-control function SDI may demand execution of the first safety function SFR during normal operation of the electromechanical drive system or may demand the safe-stop-control function SS1 e.g. in case of manual operation of the electromechanical drive system, indicated by arrows indicated by FR directing either to SFR or SS1. The safety module 4 is further adapted to prove an error-free communication and operation of the conventional motor control unit 22 by a so-called heartbeat-signal HS, where a fault reaction FR scheme is initiated in response of a failed prove of a proper connection. The fault reaction FR might be the execution of the first safety function SFR. The correctly working communication between safety module 4 and the conventional motor control unit 22 ensures control commands transmitted from the safety module 4 can be executed by the conventional motor control unit 22, which as a diagnostic procedure increases the degree of reliability and integrity of the electromechanical drive system 1. In case of detected errors in communication and/or operation of the conventional motor control unit 22, the safety module 4 may reset the conventional motor control unit 22 via a direct access to a reset line of the conventional motor control unit 22. In case of an execution of a fault reaction FR by an electromechanical drive unit 2 the fault is reported to the central unit 6 by the corresponding safety module 4 of the electromechanical drive unit 2 (not shown here in details). The safe-limited-position-control function SLP monitors the component position such that the components 3 stay within a defined position range. The safe-limited-speed-control function SLS continuously monitors the speed of the actuation of the component during all modes actuating the component such that the speed stays below a maximum value. The safe-direction-control function SDI monitors the moving direction of the component, e.g. direction forth or back in case of linear movements or right of left in case of rotations. The safe-stop-control function SS1 initiates in response a deceleration of the electromechanical motor 21 and subsequently, after a specific time delay, commanding application of the safe-torque-off-control function STO and the safe-brake-control function SBC to achieve a safe state of the component. SS1, SBC and STO are also part of the first safety function SFR.

[0074] FIG. 4 shows an embodiment of a wind turbine 7 according to the present invention in a schematic view. In this embodiment the wind turbine 7 comprises three rotor blades 3 as the actuated components 3. The pitch system suitable 71 comprising the electromechanical drive system with one electromechanical drive unit 2, 2, 2 provided for each rotor blade 3, where the electromechanical motor 21 of each electromechanical drive unit 2 is adapted to rotate the rotor blade 3 about its longitudinal axis as the actuation A. In case of an emergency situation or as a fault reaction, a safe feathering run SFR as the first safety function rotates the rotor blade 3 in a feathering position FP. The pitch system 71 further comprises central unit 6 connected to each electromechanical drive unit 2, 2, 2 for each rotor blade 3 via an suitable bidirectional interface 61 to send demanded rotation and/or position data for the rotor blades 3 to the safety modules 4, 4, 4 of each electromechanical drive unit 2, 2, 2 (not shown here in details) for generating rotation signals AS and also sending a feathering signal FS to the safety modules 4, 4, 4 in case of an emergency situation, where the safety modules 4, 4, 4 are adapted to execute the safe feathering run SFR for each rotor blade 3 in response to the feathering signal FS. The wind turbine further comprising a turbine control unit 72 arranged in a nacelle 73 of the wind turbine 7 adapted to transmit position and/or speed commands TCS for rotating each rotor blades 3 to the central unit 6 (here only the pitch system 71 is shown for ease of understanding), where the central unit safety card 62 in the central unit 6 is adapted to compare the transmitted position and/or speed commands TCS as demanded position of each rotor blade 3 to position data PD reported to the central unit 6 by each safety module 4, 4, 4 and in case of a mismatch to send the feathering signal FS to each safety module 4, 4, 4 in order to execute the safe feathering run SFR. In an embodiment, the safe feathering run SFR is divided in two different parts dependent on the current position of the rotor blades 3. The first part denotes the angle region of the rotor blade 3, where positive torque is applied to the rotor blade (accelerating wind load to rotor blade). The second part denotes the angle region of the rotor blade 3, where negative torque is applied to the rotor blade (decelerating wind load to the rotor blade 3). The angle, where a transition between first and second part occurs depends on the configuration of rotor blade 3 and wind turbine 7 setup. Typically this transition angle is in the range of 30. Since wind force induced on the wind turbine 7 is at highest in the first part it is beneficial to get the rotor blades 3 out of this blade angle region as fast as possible. For this reason, SLS might be muted during SFR until the rotor blades 3 passing the transition angle. In some embodiments the safety module 4 may modify the received drive unit control signals DA to increase the motor speed indicated in these signals before these modified signals are passed as actuation signals to the motor control unit, in order to speed up the rotation speed of the blades in the first part. After having passed the transition angle, the speed of the rotation A of rotor blades 3 around its longitudinal axis is decelerated. This may be also achieved by modifying the received drive control signals. The rotation speed further decreases when the rotor blade 3 approaches the feathering position FP. The speed might be decreased stepwise. When the rotor blades 3 have reached the feathering position FP, the safe-stop-control function is executed to finish the safe feathering run SFR. In another embodiment the central unit 6 is adapted to compare the differences between the current axis of the rotor blades 3 and in case of detecting a deviation between the present axis of two or more rotor blades 3 (relative to the wind), the central unit 6 issues the feathering signal FS to execute a safe feathering run SFR in case of the differences exceeding a certain predetermined limit.

[0075] FIG. 5 shows a method to operate the electromechanical drive system according to the present invention. The method comprises the steps of monitoring S1 component position and/or speed of the actuated component 3 with a sufficient degree of reliability, integrity and diagnostics to fulfill safety requirements for the safety-relevant actuations A by the safety position sensor 5, sending S2 corresponding sensor signals SS comprising position and/or speed data to the safety module 4 via a first data connection 51 by the safety position sensor 5, transmitting S3 actuation signals AS like actuation speed and desired component position from the safety module 4 to the conventional motor control unit 22 via a third data connection 41, transmitting S4 the motor control signals MCS via the safety module 4 to the conventional power unit 23 in order to enable execution of safety functions by the safety module, actuating S5 the component 3 by the electromechanical motor 21 based on the motor control signals MCS resulting from the actuation signals AS in accordance to one or more safety functions SF at least implemented on the safety module 4 to ensure safe actuation A of the component 3, comparing S6 the monitored S1 position and speed of the component with an expected behavior from the actuation signals AS by the safety module 4, and actuating S7 of the component 3 in a resting or neutral position FP as a first safety function SFR executed by safety module 4 at least in an emergency situation.

[0076] In another embodiment, the actuated component may comprise two or more subcomponents to be actuated together or separate from each other. As an example the actuated component might by a rotor and the subcomponents might be the rotor blades. In this case the safety module relates to an electromechanical drive unit driving all subcomponents e.g. with a conventional motor control unit sending motor control signals to a motor denoting here a motor system comprising two or more sub-motors each actuating one of the subcomponents. Accordingly the safety position sensor denotes a safety position sensor system with sub-sensors measuring safe position and/or speed data related to each subcomponent.

[0077] While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive; the invention is not limited to the disclosed embodiments. Other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. Whilst the invention has been depicted to be advantageous for implementing a safety module and a safety position sensor in a conventional motor, it is clear that the invention may be also used for electrical motors designed from scratch as failsafe motors.

[0078] In the claims, the word comprising does not exclude other elements or steps, and the indefinite article a or an does not exclude a plurality. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims should not be construed as limiting the scope.

LIST OF REFERENCE NUMERALS

[0079] 1 electromechanical drive system [0080] 2, 2, 2 electromechanical drive unit [0081] 20 drive unit interface [0082] 21 electromechanical motor [0083] 22 conventional motor control unit [0084] 23 conventional power unit [0085] 24 conventional measuring unit [0086] 25 resolver [0087] 3 actuated component [0088] 4, 4, 4 safety module [0089] 40 second data connection to drive unit interface [0090] 41 third data connection to conventional motor control unit/first interface [0091] 41s safety interface as part of the first interface [0092] 41c conventional data interface as part of the first interface [0093] 42 PWM blocker module [0094] 43 brake blocker module [0095] 44 direct access of safety module to reset line of motor control unit 22 [0096] 45 second interface [0097] 5 safety position sensor, encoder [0098] 51 first data connection [0099] 6 central unit [0100] 61 bidirectional interface between central unit and electromechanical drive unit(s) [0101] 62 central unit safety card [0102] 7 wind turbine [0103] 71 pitch system [0104] 72 turbine control unit [0105] 73 nacelle [0106] A actuation/actuating of the component [0107] AS actuation signal [0108] BCS brake control signal as one of the motor control signals [0109] DA demanded actuation and/or position data send to safety module 4 [0110] EDS external data source (e.g. the central unit 6) [0111] FP neutral or resting (feathering) position [0112] FR fault reaction of a safety function [0113] FS first safety signal, feathering signal [0114] HS heartbeat signal [0115] MCS motor control signal [0116] MS motor signals [0117] PD position data [0118] R reset (command) [0119] monitoring actuation and position of the component and/or the motor [0120] S2 sending sensor signals to the safety module [0121] S3 transmitting actuation signals from the safety module to the conventional motor control unit [0122] S4 transmitting the motor control signals by the safety module [0123] S5 actuating the component in accordance to one or more safety functions [0124] S6 comparing monitored position/speed of the component with an expected behavior [0125] S7 actuating the component in a resting or neutral position in an emergency situation [0126] SF safety function [0127] SBC safe-brake-control function [0128] SDI safe-direction-control function [0129] SFR first safety function/safety feathering run [0130] SLP safe-limited-position-control function [0131] SLS safe-limited-speed-control function [0132] SS1 safe-stop-control function [0133] STO safe-torque-off-control function [0134] SS sensor signals [0135] TCS turbine control signal

ELECTROMECHANICAL DRIVE SYSTEM

Inventors

Cpc classification

Classification Explorer

G05B9/02

PHYSICS

Classification Explorer

F05B2270/107

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

F05B2270/602

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

F03D7/024

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

G05B2219/2619

PHYSICS

Classification Explorer

G05B19/4063

PHYSICS

Classification Explorer

F03D7/0224

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

F03D7/0276

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

F05B2260/76

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

F05B2270/327

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

Y02E10/72

GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS

Classification Explorer

G05B19/048

PHYSICS

International classification

Classification Explorer

F03D7/02

MECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING

Classification Explorer

G05B19/048

PHYSICS

Abstract

Claims

Description