fail-safe design for worst-case scenario


ThomasS

Feb 11, 2018, 10:49:30 AM2/11/18
to hydro control
Question: Would you recommend a 3 x 50% or 2 x 100% dump load setup for redundancy?

That is a good question :-)
Let me take a step backward. This question touches on the whole fail-safe concept for the system.
What could be the worst-case scenario?
With many systems, this is overspeed of the generator. The windings will get loose, and will literally fly apart. The problem gets more severe with higher power (= heavier generator). The overspeed tolerance needs to be checked in the technical specifications for your specific generator.

Typical values are:
- 10% or 20% overspeed, permanently
- 100% overspeed for 2 min, or 30 seconds
Some generators custom built for hydro can stand 100% overspeed permanently. These are ideal from a worst-case point of view. Leroy-Somer and Mecc-Alte make these.

If any part in the electrical power generation chain fails, the generator will not be slowed down anymore, and will accelerate.

This could be:
- fuses. The wrong fuses in the wrong place can make things worse.
- AVR (automatic voltage regulator) / excitation voltage. If the AVR does not excite the generator, there will be no power output. -> parallel AVR
- diodes in the generator. -> Install redundant diodes, or a diode monitor
- load controller. No power to the loads -> acceleration. -> redundant ELC, or at least redundant ELC power supply, or external overvoltage/overfrequency relay.
- overvoltage/lightning damage. This can destroy all of the above. -> appropriate lightning protection.

Faults which are not so likely or not so severe:
- defective generator windings. Most likely one phase will fail, before the others fail.
- defective dump loads. These will probably not fail all at once. Find a method to identify failed loads. Dump loads which are used for water heating, are more at risk.
- Wiring. Dump loads which are used for water heating might develop corroded contacts.

So, to answer the original question: a high safety margin with the dump loads can only be part of the safety concept.
Possible designs:
- a second 100% dump load set, which is switched on as a whole by the overvoltage/overfrequency relay, and a high power contactor/ SSR. This protects against ELC failure, but nothing else.
- a second ELC in parallel. This adds the cost for a second ELC, but saves the cost for a second dump load set.
- adding 50% of extra dump loads will protect against gradually failing dump loads, but not against ELC failure.

Switching on the primary dump load set with one high power relay (thereby saving the cost of a second ELC AND a second set of dump loads) is not easily possible, depending on the number of dump loads.
Each dump load would need its own SSR. The installing and wiring effort for this solution nearly mounts up to a second ELC.
If the primary ELC uses SSRs anyway, one could devise a system where these SSRs would be controlled by an external safety circuit. This saves the cost for a second set of SSRs, but it adds the cost of the safety circuit, and it doesn't help if the SSRs or the power supply for the SSRs fail.

Other solutions:
Rather than making everything redundant, which adds a lot of cost and complexity, you could design the following options in case of emergency:
Add electrical water valves, which would close. These would need to be operated with 12V or 24V battery power, or a UPS. They need to close fast enough to prevent overspeed damage. This is also a good solution if the existing water valves are already electrical.
Or spring loaded/weight loaded butterfly water valves.
Or a mechanical brake on the shaft (from a truck), which would engage.

All in all, an overspeed-tolerant generator is the safest. But this is often a question of money.
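As an added illustration, not part of ThomasS's post, here is a small Python model of the external overvoltage/overfrequency relay mentioned above. It applies the overspeed tolerance figures quoted in the post (assumed here as 10% continuously and 100% for at most 2 min, with 50 Hz nominal) to a constructed frequency trace, and, as a fail-safe assumption added here, treats a missing measurement as a fault that trips the backup dump load set or emergency valve rather than staying silent.

```python
"""Constructed model of an external overfrequency (overspeed) relay.

Tolerance figures follow the post (assumed: 10 % overspeed permanently,
100 % overspeed for at most 2 min). All sample traces are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class OverspeedRelay:
    nominal_hz: float = 50.0
    permanent_pct: float = 10.0   # overspeed tolerated continuously
    short_pct: float = 100.0      # overspeed tolerated only for short_limit_s
    short_limit_s: float = 120.0  # 2 min
    excess_s: float = 0.0         # accumulated time above permanent_pct
    tripped: bool = False

    def step(self, freq_hz: Optional[float], dt_s: float) -> bool:
        """Feed one frequency sample; return True once the relay has tripped.

        Fail-safe assumption: a missing sample (sensor or supply fault) is
        treated like overspeed, so loss of measurement also trips the relay.
        """
        if self.tripped:
            return True
        if freq_hz is None:
            self.tripped = True
            return True
        overspeed_pct = (freq_hz / self.nominal_hz - 1.0) * 100.0
        if overspeed_pct > self.short_pct:
            self.tripped = True            # beyond even short-term tolerance
        elif overspeed_pct > self.permanent_pct:
            self.excess_s += dt_s          # time spent in the short-term band
            self.tripped = self.excess_s >= self.short_limit_s
        else:
            self.excess_s = max(0.0, self.excess_s - dt_s)  # recover slowly
        return self.tripped


def time_to_trip(samples: Sequence[Optional[float]],
                 dt_s: float = 1.0) -> Optional[float]:
    """Run a trace through a fresh relay; return seconds until trip, or None."""
    relay = OverspeedRelay()
    for i, freq in enumerate(samples):
        if relay.step(freq, dt_s):
            return (i + 1) * dt_s
    return None
```

The relay trips the moment the short-term limit is exceeded, after 2 min of sustained overspeed above the continuous limit, or on loss of the measurement; a real installation would drive the backup contactor or valve from a de-energize-to-trip output so that loss of the relay's own supply has the same effect.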