This paper addresses problems related to the design and implementation of a fault detection and protection system for high-voltage (HV) NPT IGBT-based converters. An isolated half-bridge power converter topology is investigated, which seems to be very attractive for high-power electronic converters due to its overall simplicity, small component count and low realization costs. This converter is to be applied in rolling stock, with its demanding reliability and safety requirements. Clearly, a robust control and protection system is essential.
Introduction
IGBT transistors with blocking voltages of 4.5 kV and 6.5 kV are becoming increasingly popular in medium- to high-power applications, especially in railway transport. These transistors open up a whole new prospective area in power electronics, aimed at simpler and, consequently, more reliable power circuit topologies. For instance, in the present paper the half-bridge DC/DC topology (Fig. 1) will be examined as a candidate topology for an auxiliary power supply (APS) to be used in 3.0 kV DC commuter trains.
The APS is responsible for the conversion of high DC voltage from the catenary (3.0 kV) to some intermediate DC voltage level (350 V) to supply secondary systems of a rail vehicle, such as lighting, braking, passenger announcement system, etc. The half-bridge DC/DC topology was implemented because of its simple construction and high overall reliability. With the new state-of-the-art high-voltage NPT IGBTs (Eupec/Infineon 200 A/6.5 kV FZ200R65KF1 IGBT modules with integrated freewheeling diode, see Table I) the APS could be realized using only two switches, as shown in Fig. 1 and Fig. 2. The intermediate DC-bus voltage is selected upon the end-user aspirations, as a rule being 300...350 V DC. It is obvious that a failure within this system would render the whole vehicle nonoperational, resulting in a financial loss, operational problems to the commuter train system and discomfort to passengers. The fault detection and protection system (Fig. 3) should minimize the risk of serious failures.
Conditions on railways and railway applications are rugged: widely changing operating voltages, temperatures, vibration, electromagnetic interference, etc. In this highly unfriendly environment a variety of failures can occur. To guarantee smooth and proper operation of electrical devices, an effective failure detection and protection system is needed.
Protection System
In principle, the control and protection system is divided into two parts: hardware and software. The software part includes the control algorithm with PWM generation and all the protection algorithms. The hardware part consists of some additional protections, like cross conduction protection and dead time generation, and fiber optic links that separate the power part from the control part. In general, hardware serves as a second level of protection against software errors. All software errors and some of the hardware errors will be saved in the error log and also displayed on the screen of the user's personal computer (PC). The APS has a built-in user interface to connect the user PC with the power supply.
A. Software-based protections
The input side of the converter is assumed to be connected directly to the traction supply grid with voltage tolerances from 2.2 kV DC up to 4.0 kV DC. The most demanding operation point is at the minimum input voltage (2.2 kV) and at the rated load conditions (i.e., maximum duty cycle operation). It is essential to prevent even short-time simultaneous conduction of the IGBT transistors (Fig. 1) in these demanding conditions, because it leads to a short circuit across the supply voltage and to the destruction of the converter. Accordingly, the maximum on-state time t_on(max) of each switch in the half-bridge must be set at 80 % of a half-period. If the input voltage at the rated load conditions starts to increase, then the duty cycle will decrease. Thus, maximal input voltage means minimum duty cycle (t_on(min)) and it can be calculated as follows:
(1)

where t_on(min) is the minimum pulse width (220 µs), U_in(min) is the minimum input voltage, U_in(max) is the maximum input voltage, t_on(max) is the maximum pulse width (400 µs), and T is the PWM period (1 ms). Operation voltage ranges and inverter switch on-state times of the half-bridge topology in this application are presented in Table II. Simulated primary voltage waveforms of the isolation transformer with different input voltages (and the corresponding t_on) and at the rated load are presented in Fig. 4. The transistors are working in the hard switching mode.
To ensure proper operation of the inverter and to prevent cross conduction, the control signals of the IGBTs must be shifted by 180°, as shown in Fig. 5. This is realized using two different PWM timers T_p1 and T_p2 that are working synchronously, but phase shifted by 180°. In other words, T_p2 is started automatically when T_p1 reaches its half period.
B. Hardware-based protections
Simultaneous conduction of transistors in a half-bridge configuration creates a short circuit (Fig. 1). Clearly, the transistors would not normally be driven such that they both are on at the same time. The cause of cross conduction usually lies in the excessive switch-off time of the switching transistors, which is especially dominant in the case of high-voltage IGBTs. Switch-off time is the time that the transistor needs to completely block the current. In bipolar transistors the turn-on delay is typically less than the storage time. Hence, if the top transistor turns off and at the same time the bottom transistor turns on, there will be a short period when both devices will be conducting [2], [3]. One solution to the problem is to provide a dead time (both transistors off) between the switch-on of the Top and Bottom transistors. Dead time must be of sufficient duration to ensure that the on-states of both power transistors will not overlap under any conditions. The minimum dead time required can be calculated as follows:
where t_d,min is the minimum dead time requirement, t_off is the turn-off time of the transistor, and t_on is the turn-on delay of the transistor. Thus, the dead time must be chosen longer than t_d,min. The 6.5 kV IGBTs used in the current project have the minimum dead time requirement

On the one hand, the dead time is created by the software by limiting the maximum on-state time t_on(max), as mentioned before; on the other hand, software can be erroneous and then an additional hardware dead time circuit is needed. For that purpose, a simple RC circuit was used, as shown in Fig. 7. The dead time is approximately equal to the time constant, which may be determined as:
where τ is the time constant, R1 and R2 are the resistances of the resistors, and C is the capacitance of the capacitor. The logical "AND" IC (integrated circuit) has two functions: current amplification of the PWM signal and dead time generation. The advantage of such a circuit is its simplicity and low realization cost. The voltage curve of a charging capacitor is shown in Fig. 8.
If the voltage reaches the undefined area of the "AND" IC, then the output level of the logical IC is also unknown and may fluctuate. It is obvious that the larger the time constant, the stronger the distortion will be [4]. The only disadvantage of the method is the impulse distortion. Fig. 9 shows the distortion on the positive front of the PWM signal, but it also occurs on the negative front. However, the distortion on the falling front can be somewhat reduced by reducing the capacitance C and choosing a fast acting diode D. If the PWM signal in Fig. 7 drops to zero, the capacitor C starts to discharge over the diode D. The quicker the discharge, the smaller the distortion of the output is. Fortunately, such a distortion was not a problem in the current case, because the high voltage IGBT (HVI) driver was capable of filtering it out (see Fig. 9).

The control algorithm generates 180° phase shifted PWM signals. Even a small change in the phase shift can cause a short circuit. Therefore, again, an additional hardware protection is needed. In the current project a simple logical circuit was used (Fig. 10). By replacing four logic ICs with one "XOR" (exclusive OR) element, the presented circuit can be further simplified. The "pull down" resistors R3 and R4 make sure that the PWM outputs are "pulled down" during microcontroller reset or a failure.

The demonstration of simultaneous switching is presented in Fig. 11. The microcontroller generates two PWM signals presented in Fig. 11 (a). In the output only PWM2 will occur, since PWM1 is blocked completely. Also, the cross conduction part will be blocked (Fig. 11, b). The practical realization of output logics and optical fiber links (FOL) in the developed FOL interface card is presented in Fig. 12.
Fault Detection and Actions
In general, any failure or inadmissible operation condition always creates a warning and/or alarm message, which will be displayed on the user PC. The APS is provided with various sensors: three voltage and two current transducers (see Fig. 1) and four temperature sensors. The errors that can be detected are listed in Table III. Errors are divided into two groups. The faults in the first group terminate the control program. For recovery, manual reset of the controller is needed. The second group errors do not terminate the program and automatic recovery is possible after the error has been eliminated.

The output (load) current is measured to determine the overload situation. In the case of overload the system will be switched off and manual reset is required for recovery. The temperature is constantly observed in the transistors, rectifier and transformer. An overheated system will be automatically switched off and also needs manual reset. The input and output voltages are sensed to discover over- or under-voltages. In the case of over- or under-voltage in the input, the system will be switched off and automatically restored after the voltage has returned to the nominal area. Similarly, the output voltage is regulated but once the output is switched off, no automatic recovery is possible.

One serious problem can be the saturation of the transformer core. Therefore, the middle point voltage is constantly observed. A middle point voltage shift greater than 5 % results in an immediate blocking of the IGBTs. The recovery is only possible after manual reset of the control system.

A driver of an HV IGBT has to fulfill high requirements, which can be summarized as follows:
• galvanic isolation between IGBT and control electronics,
• isolated power supply,
• short-circuit detection and protection,
• over-voltage protection,
• self-security (status and diagnosis functions),
• status-acknowledgement.
The special HVI drivers used in this project (Fig. 2) are equipped with the following protection functions: collector-emitter voltage monitoring for the short-circuit detection, supply under-voltage shutdown and the status feedback. The status feedback and control signals are applied via external fiber optic cables. In addition to electrical insulation, this also provides good noise immunity.
The gate is driven with a bipolar control voltage of ±15 V, which gives high interference immunity [5], [6], [7].
The status feedback signals enable the host controller to monitor both the gate driver and the IGBT. During normal operation (i.e., no fault) the status feedback is "light on" at the optical link. A malfunction is signaled by "light off". Each edge of the control signal is acknowledged by the driver via a short pulse. The light remains off for about 900 ns. Fig. 13 shows the control and response signals of a gate driver in normal operation conditions [6] . The status signals are checked via the microcontroller.
Both the rising and the falling edge will create an external interrupt. The interrupt on the rising edge starts a timer and that on the falling edge stops it. Thus, the length of the feedback impulse can be measured. Table IV shows possible errors that can be detected according to the feedback impulse length [8] .
A feedback impulse greater than 2 s indicates an interruption in the optical link or improper work of the driver. The inverter and the control system will be switched off by the host controller.
The short circuit detection is realized by monitoring the gate-emitter voltage. The circuit checks if during the first 10 μs after turn-on the collector-emitter voltage has dropped below some pre-defined level that depends on the IGBT type. If the collector-emitter voltage does not go below that level, the short-circuit condition is assumed and the IGBT will be switched off immediately. After that a feedback impulse of approximately 1 s is sent to the host controller, which will then switch off the rest of the control system [7].
In general, all driver errors are classified as the first group errors. Thus, no automatic restart will be possible. The host controller needs to be reset manually before the inverter can be started again. 
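The two fault groups and their recovery rules described in this section, sketched as a fault latch in C. This is an added example, not code from the paper or the APS firmware; the type and function names, the current, temperature and output-voltage limits, and the use of half the input voltage as the mid-point reference are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Fault bits: group 1 latches until manual reset, group 2 clears by itself. */
enum { F_OVERLOAD = 1, F_OVERTEMP = 2, F_U_OUT = 4, F_MIDPOINT = 8,
       F_DRIVER = 16,              /* all of the above: group 1 */
       F_U_IN = 32 };              /* group 2 */
#define GROUP1 (F_OVERLOAD | F_OVERTEMP | F_U_OUT | F_MIDPOINT | F_DRIVER)

/* From the text: input window 2.2 kV to 4.0 kV, mid-point shift limit 5 %. */
#define U_IN_MIN      2200.0
#define U_IN_MAX      4000.0
#define MID_SHIFT_MAX 0.05
/* Assumed limits (V, A, deg C), not given on the page. */
#define I_OUT_MAX 150.0
#define TEMP_MAX  100.0
#define U_OUT_MIN 300.0
#define U_OUT_MAX 400.0

typedef struct { double u_in, u_mid, u_out, i_out, temp; bool driver_ok; } aps_sample_t;
typedef struct { uint32_t latched, active; bool running; } aps_faults_t;

/* Evaluate one set of readings; returns true if gate pulses may be enabled. */
bool aps_protect_step(aps_faults_t *f, const aps_sample_t *s)
{
    uint32_t now = 0;
    double half = s->u_in / 2.0;   /* assumed mid-point reference */
    double shift = s->u_mid - half;
    if (shift < 0) shift = -shift;
    if (s->i_out > I_OUT_MAX)         now |= F_OVERLOAD;
    if (s->temp > TEMP_MAX)           now |= F_OVERTEMP;
    if (shift > MID_SHIFT_MAX * half) now |= F_MIDPOINT;
    if (!s->driver_ok)                now |= F_DRIVER;
    if (s->u_in < U_IN_MIN || s->u_in > U_IN_MAX) now |= F_U_IN;
    /* Check the output window only while switching; otherwise an input-voltage
       shutdown would latch an output fault and defeat automatic recovery.
       Start-up ramp handling is omitted here. */
    if (f->running && (s->u_out < U_OUT_MIN || s->u_out > U_OUT_MAX)) now |= F_U_OUT;
    f->active = now;
    f->latched |= now & GROUP1;    /* stays set after the cause is gone */
    f->running = (f->latched == 0) && !(now & F_U_IN);
    return f->running;
}

/* Manual reset: refused while a group-1 condition is still present. */
bool aps_manual_reset(aps_faults_t *f)
{
    if (f->active & GROUP1) return false;
    f->latched = 0;
    return true;
}
```

An input-voltage excursion blocks the gates only while it lasts, whereas a mid-point shift, overload, over-temperature, output-voltage or driver fault keeps them blocked until `aps_manual_reset` succeeds.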
Fault Observation and Logger Systems
Although the APS is able to work completely autonomously, it still has a built-in user interface, which can be connected to a PC. Data exchange between the PC and the test bench is realized via a serial communication interface (RS232). With the standard Windows communication program HyperTerminal, the entire information from the APS can be observed and also changed to some degree. The user interface will be displayed in the HyperTerminal window, as shown in Fig. 14. It is based on a menu system. The sub-menus can be entered just by pushing the corresponding number on the keyboard. There are seven choices in the menu (Fig. 15): current sensors, voltage sensors, temperature, error code, manual pulse width adjustment, regulator parameters adjustment, and a logger. The current, voltage and temperature sub-menus display the sensor values.
Error code gives information about the faults that may occur. The fifth menu allows manual change of the pulse width of the IGBTs. A PI regulator was used in the current project. To make regulator adjustment easier, the parameters (K_p is the proportional and K_i is the integral gain) can be changed via the user interface. In the last sub-menu, the logger can be started. The logger stores readouts of all sensors in 5-minute intervals. Recording of electrical and physical parameters during test operation allows the analysis of faults and malfunctioning modes of converter operation. For that purpose the data logger function was developed. Data is recorded to the PC hard disk in tabular form; an example is shown in Fig. 16. A suitable output interval can be set for data output [9]. All the variables that are viewable in the diagnostic menu can also be recorded on the hard disk.

Fig. 16. Printout of recorded variables in the tabular form.
The recorded values can be viewed and processed in spreadsheet programs, such as Microsoft Excel, Calc, etc. Spreadsheet software allows values to be converted to a suitable form and printed out as tables or charts (see Fig. 17). These systems include all the necessary tools for converting charts to the printable form.
Conclusions
A half-bridge converter seems to be very attractive for power electronic converters due to its overall simplicity and low realization costs. However, there are many technical details to be considered during the development routine, especially in the case of high voltage applications. A half-bridge HV inverter must be developed with supreme accuracy and can be characterized by a high level of redundancy, especially in the hardware control and protection circuits. The keyword here is a multilevel protection system. The most vital protections in the HV converter should be doubled.
The performance of such HV IGBT inverters can be increased substantially by using modern HVI drivers. As explained in this paper, modern HVI drivers incorporate various built-in protection and diagnosis functions. Using these functions will increase the reliability of the control system and reduce the load of the main control unit.
