*3.3. Supervisory Control*

The supervisory control of TUBCon has two main functions. The first one is to detect whenever some security limit (e.g., generator over-speed) has been tripped and enforce an appropriate maneuver (e.g., normal stop). The second function is to trigger specific events. These can be controller fault events (as required by current industry standards) or stop maneuvers (if a specific alarm has been triggered).

The control signals from the supervisory control will always override the signals from the pitch and torque controllers. This is shown in Figure 2 with the switch for each controller. In this figure, $\theta_{SC}$ represents the pitch signal from the supervisory control that overrides the signal from the pitch controller. In the same manner, $Q_{gen-SC}$ overrides the generator torque from the torque controller. In addition, the supervisory controller can activate the brake and the yaw actuator of the turbine.

The internal logic of the supervisory control is based on [37] and shown here in Figure 5. It features three control blocks. The first one checks if any turbine sensor is outside its allowable range and triggers an alarm should this happen (Figure 5(a)). The turbine sensors are bundled into the vector $\vec{S}_{SC}$ in Figure 5 for the sake of clarity (see Section 3.3.1 for a full description of the considered sensors). Depending on the situation, the alarm can have several levels. An example of this could be the tripping of the first over-speed limit and the tripping of the second over-speed limit, both alarms depending on the sensor $\Omega$.

The second block manages the alarms that the first block triggered and sets an appropriate reaction maneuver (Figure 5(b)). Keeping the example above, if the alarm block detected a first over-speed trigger, the managing block would request a normal stop of the turbine. If a second over-speed trigger is detected, then the manager block would request an emergency stop procedure. The latter clearly has a higher priority than the former. Both stop procedures have a higher priority than the normal control action of the controller.

**Figure 5.** Overview of the supervisory control. It comprises an alarm block, a managing block and an event block. The latter can be used to trigger specific events such as controller faults that are required for a full load calculation.

The third block is the event generator block (Figure 5(c)). This block creates the necessary controller signals to simulate any given event. These signals could be a controller fault required by a specific design load case or the normal stop maneuver requested from the manager block. The input signals for this block are the current pitch angle of each blade $\theta_i$, the rotor speed $\Omega$, the generator torque $Q_{gen}$ and the current time $t$. The last input is needed if an event is to occur at a specific simulation time. The outputs of the event block are the overridden controller signals. Note that, depending on the specific event, not all control signals are necessarily overridden.
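The alarm, managing and event blocks and the override switches described in this section, written out in Python for the over-speed case. This is an added example, not TUBCon code: the limit values, pitch rates, feather angle, the latching of a requested stop, and the choice of which signals each maneuver overrides are all assumptions made for illustration.

```python
from enum import IntEnum

class Maneuver(IntEnum):          # a higher value means a higher priority
    NORMAL_OPERATION = 0
    NORMAL_STOP = 1
    EMERGENCY_STOP = 2

# Constructed values (assumptions): rotor speed limits in per-unit of rated speed
LIMITS = {"omega": [(1.10, 1), (1.20, 2)]}        # (threshold, alarm level)
REACTIONS = {("omega", 1): Maneuver.NORMAL_STOP,
             ("omega", 2): Maneuver.EMERGENCY_STOP}
PITCH_RATE = {Maneuver.NORMAL_STOP: 2.0, Maneuver.EMERGENCY_STOP: 8.0}  # deg/s
FEATHER = 90.0                                     # deg

def alarm_block(sensors):
    """(a) Return {sensor: highest alarm level whose limit is exceeded}."""
    alarms = {}
    for name, levels in LIMITS.items():
        tripped = [lvl for thr, lvl in levels if sensors[name] > thr]
        if tripped:
            alarms[name] = max(tripped)
    return alarms

def manager_block(alarms, latched):
    """(b) Pick the highest-priority maneuver. The previous request is kept
    (assumption) so a stop is not released when the sensor recovers."""
    requested = [REACTIONS[(name, lvl)] for name, lvl in alarms.items()]
    return max([latched, *requested])

def event_block(maneuver, theta, dt):
    """(c) Build the override signals; None means 'not overridden'."""
    if maneuver is Maneuver.NORMAL_OPERATION:
        return {"theta_sc": None, "q_gen_sc": None, "brake": False}
    theta_sc = [min(FEATHER, th + PITCH_RATE[maneuver] * dt) for th in theta]
    emergency = maneuver is Maneuver.EMERGENCY_STOP
    # Assumption: only the emergency stop overrides torque and applies the brake
    return {"theta_sc": theta_sc,
            "q_gen_sc": 0.0 if emergency else None,
            "brake": emergency}

def supervise(sensors, theta, latched, dt):
    """One supervisory step: sensors -> alarms -> maneuver -> overrides."""
    maneuver = manager_block(alarm_block(sensors), latched)
    return maneuver, event_block(maneuver, theta, dt)

def apply_override(controller_value, sc_value):
    """The switch of Figure 2: the supervisory signal wins whenever it is set."""
    return controller_value if sc_value is None else sc_value
```

Because `Maneuver` is ordered by priority, taking the maximum in `manager_block` is what makes an emergency stop win over a normal stop, and either stop win over normal operation.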
