Abstract-Fast fault detection (FD) and reconfiguration is necessary for fault tolerant power electronic converters in safety critical applications to prevent further damage and to make the continuity of service possible. The aim of this study is to minimize the number of the used additional voltage sensors in a fault tolerant three-phase converter. In this paper, first a practical implementation of a very fast FD scheme with reduced sensor number is discussed. Then, an optimization in this scheme is also presented to decrease the detection time. For FD, special time and voltage criterion are applied to observe the error in the estimated phase-to-phase voltages for a specific period of time. The proposed optimization is based on the fact that following a detectable fault, two line-to-line voltages will deviate from their respective estimated values.
I. INTRODUCTION

P
OWER electronic converters are widely used in a variety of applications, especially in three phase systems as rectifiers or inverters. However, they are very sensitive to failure in one of their semiconductor switches. A sudden failure in one switch of a power electronic converter will decrease the performance of the system and may even lead to a hard failure. For this reason, fault tolerant converters have been an interesting topic of research in recent years [1] - [6] . Using a fault tolerant converter increases the reliability and availability of the system. To reduce the failure rate and to prevent unscheduled shutdown, real-time fault detection (FD), isolation, and compensation schemes are necessary. This is especially essential for safety critical operations such as in military and aerospace applications.
In order to make suitable response to a fault in one of the semiconductor devices, the first step is to perform fast FD and to find the fault's location. Several papers have discussed FD schemes. A detection method for faults in IGBT switches based on gate signal monitoring is presented in [6] . In [7] , fault is detected in a cascaded multilevel converter by comparing the generated ac-side output voltage with its reference. Average values of three-phase currents are processed in [8] to detect an open switch fault in a doubly-fed wind power converter. Open-circuit FD in matrix converters is done in [9] by monitoring the modulated voltage errors of the bidirectional switches. Nonlinear observers are used in [10] to detect open-switch faults in induction motor drives. Another method for detection of open-switch faults in voltage source inverters feeding ac drives based on analyzing the load currents is presented in [11] . Fast detection schemes are proposed in [12] and [13] , which are based on a "time and voltage criterion" and can detect and locate a fault in a few tens of microseconds. Although fast, these methods use one voltage sensor for each leg to detect the fault. A large number of sensors may decrease reliability and add additional costs. In this paper it is shown that this number can be reduced and in fact it is effectively possible to use only two voltage sensors for fast FD in a conventional three-leg converter. Here, first an effective method is proposed for FD with only two additional voltage sensors. Although fast and simple, in some rare cases this method might be up to two times slower than the methods presented in [12] and [13] . Therefore an optimization is presented to solve this problem. The proposed method and the optimized version use two line to line voltages at the output of the three-leg converter and use specific voltage and time criterions to detect the fault location. The proposed optimization is based on the fact that following a detectable fault, two line to line voltages will deviate from their respective estimated values. In order to perform very fast FD, the algorithm must be implemented on a very fast digital target. Thanks to its parallel architecture, field-programmable gate array (FPGA) can run the tasks very quickly; as a result, it appears to be the most suitable choice for implementation of this type of FD schemes. Besides, the high performance of FPGA in many power electronic and drive applications has been proven [14] , [15] . By implementing both FD and converter control units on a single FPGA chip, cost will be decreased. Therefore, in this paper, a FPGA is used to perform both these tasks. The FPGA implementation procedure is based on a methodology for rapid prototyping, developed in our laboratory [16] . Hardware-in-the-loop (HIL) and then fully experimental tests are carried out to validate the effectiveness of this system. More, in order to achieve continuity of service after the FD, it is necessary to change the converter topology as well. Several schemes are proposed as fault tolerant topologies for power converters [1] . In this paper, a scheme with an extra leg presented in [12] is studied, mainly to verify the effectiveness of the proposed FD method. However the study of the fault tolerant topologies is out of the scope of this paper. It should be noted that the proposed FD methods are applicable to any other form of three-phase two-level fault tolerant converter as well.
In the following, first in Section II the fault tolerant topology, the proposed FD method and also its optimized scheme are presented. Then, FPGA implementation for HIL verification is explained and the HIL results are presented in Section III. The fully experimental results are provided in Section IV. The presented results show the effectiveness of the proposed FD and reconfiguration schemes. Also it is shown that the proposed optimization can make the FD process faster in some cases.
II. FAULT TOLERANT CONVERTER
A. Converter Topology
The studied fault tolerant converter is shown in Fig. 1 . It is studied in [12] for an active filter application. Before the fault occurrence in one of the semiconductor switches, all three TRIACs are turned off and the fault tolerant converter operates like a conventional one. After the FD, the commands of the switches of the faulty leg are removed and by triggering the suited TRIAC, the extra leg will replace the faulty one. The commands of the faulty leg will then be applied to this extra leg.
B. Fault Detection With Reduced Sensor Number
Very fast FD is possible using the aforementioned approach of [12] and [13] . By using this method, three extra voltage sensors are needed to measure the voltage of each phase in respect to the dc middle point " " (so called "pole voltages"), as depicted in Fig. 2(a) . In fact, this number can be reduced for FD in three leg converter. The hardware structure and the placement of the voltage sensors in this case are shown in Fig. 2(b) . Note that in Fig. 2 only the three main legs of the converter are shown. The redundant leg is not shown, because before the FD it is disconnected from the ac side and is not switched. The two measured voltages in Fig. 2(b) are named as and , and the third line to line voltage may be calculated using these two values. Fig. 3 shows the principle of the proposed detection method. A fault is detected based on the difference between measured and estimated voltages. It is worth mentioning that although only open circuit fault is discussed here, short circuit fault in IGBTs can be detected as well by using fast acting fuses in series with each IGBT. In fact, in this protection scheme, a short circuit fault will finally result in an open circuit condition, as it is explained and experimentally approved in [17] . Therefore the fault can be effectively detected [12] . On the other hand, in our detection approach the IGBT's failure is realized for the set of "
." Therefore once a fault in a driver or in a switch is occurred, the " " cannot perform the desired action, and the fault must be detected. Since the effect is the same for FD, nothing differentiates the failure in driver from that in the switch. Therefore a fault in the driver will be detected as well.
Estimated voltages are calculated based on the switch commands and the dc-link voltage as given below (1) (2) (3) while are the commands for the upper switch of each leg.
indicates that the switch is commanded to be open, whilst means that the switch is commanded to be closed. The switch commands in each leg are complementary.
As a result of nonideal behavior of power switches, delays and dead times are inevitable. Also, there will be measurement and discretizing errors. Therefore, even in normal operation of the converter, the estimated and measured voltages are not always the same. Hence two adjustments are used: a comparator is used to determine if the difference between measured and estimated voltage is large enough to be considered as an error and a time criterion is also employed to compensate for delays and dead times in the converter. In Fig. 3 , the three FD subsystems named FD12, FD23, and FD31 check the three line to line voltages. The outputs of these three FD blocks are sent to the "fault identification" block which determines the exact fault location.
The FD12 subsystem's details are shown in Fig. 4 . FD23 and FD31 operate in a similar way. Here the error signal is observed, and if it is always greater than a threshold value ( ) for a long enough time ( observation periods), then it may be concluded that there is a fault. This observation time should be longer than the overall delays caused by the sensors, drivers, controller and switches; otherwise the inherent delay of the system may be interpreted as a fault. Fig. 5 shows the state machine which is used as the "fault identification" block and finds the fault location based on the outputs from the three FD blocks. It is obvious that fault in any leg affects the two measured line to line voltages between the faulty leg and each healthy leg. Therefore, after each fault, two detection units will detect the occurrence of a fault. These two signals can be used to locate the fault. For example, a fault in the leg 2 will result in deviation of the and from their respective estimated values, therefore FD blocks FD12 and FD23 will detect this faulty condition. Using this information, it is possible to detect that the fault has been actually occurred in leg 2.
There is some particular cases compared to conventional schemes with three sensors that should be taken care of. It should be noted that in these cases, detection of a fault in one leg might be perturbed and delayed because of a changing switching command in one of the other legs. For example, let us consider that IGBT is faulty and instead of that, diode is conducting.
is also switched on. The output of the up-counter in FD12 starts to increase, but if the command of the leg 2 changes before the FD, the error between the measured and estimated values of will be momentarily almost equal to zero and a reset signal will be applied to the counter. Although the probability of this occurring is low, its effect increases the detection time to two times. It should be noted that in the mentioned cases, the fault is still detectable, only the FD is slower in comparison with the schemes with three voltage sensors [12] , [13] .
In order to preserve the desired detection speed (detection in samplings), an optimization is proposed in the following section.
C. Optimized FD With Reduced Number of Sensors
The idea behind this optimization comes from the fact that in the aforementioned situation, although the switching in another leg will reduce the error between the measured and estimated voltages of those two legs to zero, in the same time it produces an error in the voltage between the switched leg and the third leg. In other words, when there is a detectable fault in the converter, two out of three measured voltages are different from their respective estimated ones, and two counters of FD units operate.
The optimized FD scheme is shown in Fig. 6 . The two measured and the third calculated line to line voltages and also the control signals and the measured dc-link voltage are sent to the detection unit. The detection unit consists of two subsystems, for detection of the fault and its location. The principle of FD subsystem is detailed in Fig. 7 . All three corresponding estimated and measured (or calculated) voltages are compared, and if there is a large enough error in at least two of the line to line voltages, the counter operates, otherwise the counter will be reset to zero. If the counter output is larger than a constant " ," the fault is declared. Note that in this case, in contrary to the nonoptimized scheme (Figs. 3-5) , a switching in a healthy leg cannot interrupt the detection process, because the output of the summation block in Fig. 7 will remain equal to two after the switching. When the fault is detected, it is necessary to detect its location as well. After a fault, the line to line voltage of the two healthy legs has the minimum anomaly; therefore the second subsystem tries to find the line to line voltage with minimum error during the FD. This is carried out by using simple units for counting the activity over last samplings and a state machine, as shown in Fig. 8 . For example, when a fault is detected and the Error31 signal has minimum activity over the last samplings in comparison with Error12 and Error23, it can be concluded that both legs "3" and "1" are healthy, and therefore the error is in leg "2".
III. FPGA IN THE LOOP VALIDATION
Designing and testing digital control systems for power electronics applications can be expensive and time consuming. More, traditional simulations cannot exactly reproduce the real condition, because they do not take into account some limitations of real controllers, like the limited resolution of registers or saturation of values in fixed point systems during the intermediate steps of calculations. Also the fully experimental tests may not be always possible or may be potentially damaging, particularly in fault condition tests. One interesting solution to eliminate the risk of damaging the real plant while testing the digital controller in a realistic manner is Hardware-in-the-loop (HIL) analysis [12] , [16] .
In order to verify the effectiveness of the proposed detection scheme, the optimized one and also the control parts, the detection and control systems are implemented on a FPGA. The FPGA can execute its tasks quasi-instantaneously. This characteristic is very useful for FD schemes. For this experiment, a Stratix DSP S80 development board is used, which includes the Stratix EP1S80B956C6 FPGA chip. In order to carry out the FPGA implementation for HIL experiments, a top-down design flow is used, as shown in Fig. 9 . The flow consists of four parts: fundamental simulations, mixed simulation, HIL and finally fully experimental test.
A. Implementation of Control and Detection Schemes
The first step in the process of implementation of the control and detection units on a single FPGA chip is the fundamental simulation step. In this step, the studied system is modeled and simulated in the Matlab/Simulink environment, using Simulink and SimPowerSystem Toolbox. Initially continuous-time simulations are performed. Time-step in the simulations is variable and the model is in continuous time. System parameters are chosen to be equal to the parameters of the experimental setup, which is presented in the following. After validation, the control and detection blocks are discretized if necessary. In this case, the time-step is fixed and must be chosen small enough to guaranty a suitable accuracy. In this study it is chosen equal to . When the simulation results are validated, it is possible to proceed with mixed simulations.
In the mixed simulation stage, the control blocks are replaced with proper DSP Builder blocks. DSP Builder provides the possibility of visual programming of a digital system in MATLABSimulink environment. Each DSP Builder block represents a VHDL module in the Simulink environment. This set of blocks is very efficient for rapid prototyping of FPGA devices. However some of the desired functions are not available in DSP Builder library and must be constructed from basic blocks or imported as form of HDL programming. The power part (fault tolerant converter, sources and charges) is remained unchanged in this step, modeled by using SimPowerSystem blocks. Appropriate DSP Builder input and output blocks are necessary to convert the Simulink signals to fixed point signals for DSP Builder.
Then, in the third step, having validated DSP Builder modeling by simulations, the blocks are translated into VHDL. This is realized by using the signal compiler block which is available in the DSP Builder library. After this step, a single HIL block replaces all of the DSP Builder blocks. The VHDL design is compiled and downloaded to the FPGA via a Joint Test Action Group (JTAG) interface. Now, the HIL block represents the FPGA in the Simulink environment. In each step of simulation, it gathers the required inputs from system and sends them to the programmed FPGA. Using these inputs and based on the implemented control and detection schemes, the FPGA calculates the switching orders for all switches and sends them back to the Simulink environment. At this point one cycle of the "FPGA in the loop" experiment is performed. Fig. 10 shows the "FPGA in loop" prototyping principle.
B. HIL Results
For HIL experimentation, the controller and detection schemes are implemented on a single FPGA chip and the power system is modeled in MATLAB/Simulink environment using the SimPowerSystem toolbox. Here, an inverter application of the three-phase fault tolerant converter is investigated. A RL type load is placed at the ac side of the converter and the dc side is connected to a dc source with a voltage regulated at 300 V. A 2200 capacitance is used in the dc-link. Switching frequency is equal to 8 kHz. The time step and the sampling period are equal to . (see Fig. 4 ) is chosen equal to 30, to provide a fast, yet very robust FD. First, an open switch fault is applied to the upper switch of the leg 2 at . Fig. 11 shows the three-phase ac currents before and after the fault occurrence, FD and compensation. Current waveforms with or without applying the optimization in the FD are the same. Clearly, the FD is fast and effective; therefore the fault has minimum effect on the ac currents. In order to have a clear understanding of the FD process, Fig. 12 shows the detection signals in the proposed method and in the optimized one. Counter12 is the output of the counter at FD12 (Fig. 4) , counter23 and counter31 are from two other FD blocks. As expected in the nonoptimized method, counter12 and counter23 start to operate after the fault occurrence, and counter31 has limited operation, only in the switching instants, because the is not affected by the fault. After 30 time-steps (equal to 10 ), fault in leg 2 is declared. It can be seen that the performance is the same as reported in the conventional schemes with three sensors [12] , [13] .
Visibly for the fault at for the optimized scheme, the result is almost identical as of the nonoptimized one. On the other hand for an open switch fault in upper switch of leg 2 at , the switching of the healthy legs can interfere with the FD and the situation is different. The results are shown in Fig. 13 . As expected, switching in legs 1 and 3 have resulted in the reset of the counter12 and 23 respectively, therefore the FD time increases to almost 170% compared to earlier situation. The optimized scheme however is not affected by this problem and it can be verified in Fig. 13 that this scheme has remained as fast as it is designed to be (Fig. 12) . Therefore it is visible that although the nonoptimized method operates desirably, the proposed optimization can reduce the detection time. Fig. 14 shows the signals for locating the fault in the optimized scheme. Since the counter13 has the minimum activity, it may be correctly concluded that both legs 1 and 3 are healthy and therefore the fault has been in leg 2. Therefore, HIL results show that the studied method has good performance. Also it is shown that the optimized scheme is more robust and faster, and has the equal performance with the methods with three voltage sensors.
IV. EXPERIMENTAL RESULTS
The experimental setup is shown in Fig. 15 . A three-phase IGBT converter, one additional leg and additional TRIACs form Fig. 16(a) shows the detection signals. The counter of the optimized scheme and counter12 of the nonoptimized method are shown, as well as the fault and detection signals. It can be seen that the original and optimized methods offer almost similar performances. At least in this case, counter12 starts at the same time with the counter of the optimized scheme and does not reset during the detection process. Fig. 16(b) shows the current of the phase 1 of the load and the current of the corresponding TRIAC. Fault is detected very quickly and the compensation scheme is effective, therefore the fault has almost no effect on the load current. Fig. 17 shows that a switching in one of the other legs can postpone the FD if the proposed optimization is not applied. Here a switching in the leg 2 has caused the counter12 to reset; therefore in this example the FD time of the original method will be approximately 50% higher than that of the optimized scheme. It can be verified that the optimized method is robust against this problem.
The experimental results are in agreement with the theoretical analysis and the HIL results. The studied detection method with two voltage sensors is effective, but may be slower than the previously reported methods with three voltage sensors; whilst the optimized scheme is more robust and has the same performance of the schemes with three voltage sensors. Both optimized and nonoptimized schemes are easy for implementation on FPGA.
V. CONCLUSION
Using a fault tolerant converter increases the reliability and availability of system, which is especially essential for safety critical applications. Fast FD is the first step in a fault tolerant power electronic converter. In this paper, a very fast detection scheme is proposed for the conventional three-leg converters which minimizes the use of additional voltage sensors. Specific time and voltage criteria are used in order to make the detection fast and to provide the necessary characteristic of finding the fault's location. It is shown that although this method is fast and accurate, it can be slower compared to the schemes with three voltage sensors. Therefore, an optimization is presented which decreases the detection time and make possible to have an equal detection time with the scheme with three voltage sensors. This method is based on the fact that following a detectable fault two line to line voltages will deviate from their respective estimated values. Open-switch fault in one of the semiconductor switches is studied. A single FPGA is used as the digital target for implementation of both control and detection subsystems. "FPGA in the loop" experiments and fully experimental tests confirm that nonoptimized method reacts quickly to the faults, and it can be slower than the schemes with three voltage sensors. The results also show that indeed the optimized scheme has better performance and its performance is equivalent to the schemes with three voltage sensors. Using any of these methods can lead to higher reliability and lower costs.
