Abstract-This paper presents a digital control architecture that demonstrates operating standby redundancy for a voltage-source inverter (VSI) controller. The reliability analysis shows the increased lifetime of the VSI using a standby redundant controller. The VSI control system is designed to switch from the primary to the secondary controller when a fault to the primary controller occurs. Simulated and experimental results validate that the redundant controller design switches between field-programmable gate-array-based redundant controllers with no measurable disturbance to the output voltage.
system [7]. In order to increase the expected lifetime of the converter, controller redundancy can be used, choosing among the many methods of redundancy. MIL-HDBK-338B identifies active redundancy, where "external components are not required to perform the function of detection, decision, and switching when an element or path in the structure fails," and standby redundancy, where "external elements are required to detect, make a decision, and switch to another element or path as a replacement for a failed element or path. Standby units can be operating (e.g., a redundant radar transmitter feeding a dummy load is switched into the antenna when the main transmitter fails) or inactive (e.g., a spare radio is turned on when the primary radio fails)" [9]. This paper presents the reliability analysis, design, and successful hardware implementation of an operating standby redundant controller for a three-phase VSI. This differs from voting redundancy strategies: the first controller operates, and the second controller is activated only if a fault is detected. More than two redundant controllers can be used with operating standby redundancy, but since no voting takes place, three (or more) controllers are not required. In the example shown, the proposed inverter control system switches from the primary controller to the secondary one with negligible output-voltage disturbance after a fault has occurred on the primary controller. The disturbance will depend on the fault and on the detection method. This paper is organized as follows. Section II presents the reliability analysis of a three-phase VSI for the case of a single controller and for the case of two redundant controllers, showing the advantage of the latter. Section III presents the laboratory prototype of the doubly redundant control system.
In Section IV, the controller operation is first implemented and evaluated using computer simulations and then validated by experimental measurements on a laboratory prototype using field-programmable gate-array (FPGA)-based redundant controllers. Section V presents a discussion of the fault detection mechanism, and Section VI concludes this paper.
II. INCREASED RELIABILITY OF A VSI USING STANDBY REDUNDANT CONTROLLER
When designing power electronic systems for military applications, such as shipboard electrical power, the first step is often to estimate the reliability of the system using the MIL-HDBK-217F parts count method. MIL-HDBK-217F is used for the reliability analysis because it "establishes a common basis for comparing and evaluating reliability predictions of related or competitive designs" [8]. Using the parts count method, the reliability analysis [7] of a typical three-phase three-pole VSI in Fig. 1 points out that the controller has the highest failure rate in the system, as shown in Table I. The mean time between failure (MTBF) for each component or subsystem was estimated using MIL-STD-217F in the "naval sheltered" application environment [8]. The detailed analysis, including the data used to derive the MTBF numbers in Table I, can be found in [7]. Failure rates from MIL-STD-217F and component ratings for a typical 230-VAC VSI are used to compute the MTBF numbers in Table I. The insulated gate bipolar transistor (IGBT) MTBF includes the IGBT itself together with its gate drive circuitry.
0093-9994/$26.00 © 2010 IEEE
Equation (1) defines the relationship between the reliability function R_i(t) and the constant failure rate λ_i for component i, using the exponential distribution
The reliability function R_i(t) is "the probability that the ith element of the system will not fail before time t," as defined in [9, Sec. 6.4.5.2 (MIL-HDBK-338B)].
The MTBF is the reciprocal of the failure rate
Table I shows that the controller has the lowest MTBF, and thus the highest failure rate, of all the components of a VSI. The MTBF was computed for a simple inverter control subsystem made of ten components: one FPGA, one A/D converter, four capacitors, and four connectors. For a system (or subsystem) made of n components, such as the VSI controller, the MTBF is computed using the expression [7], where λ_i is the failure rate of the ith component and n = 10 for the controller subsystem. When operating standby redundancy is used, two controllers, both operational at all times, are used, as shown in Fig. 2. Table II presents the reliability analysis for two redundant standby controllers with a switch [7]. The symbol p indicates the probability of success, while q = 1 − p indicates the probability of failure. The indices 1, 2, and sw refer to controller #1, controller #2, and the logic switch, respectively.
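The following Python script is an added worked example of the computations in this section; it is not code from the paper or its references. It applies the exponential reliability function, the reciprocal MTBF relation, and the parts-count rule that the failure rates of a series subsystem add, and it evaluates the standby pair by summing the probabilities of the success states of a (controller #1, controller #2, switch) state table in the manner of Table II. The failure rates of the ten controller parts and of the logic switch are constructed illustrative numbers, not the MIL-HDBK-217F values of Table I, and the success rule (the VSI survives if controller #1 is healthy, or if controller #1 has failed and both the switch and controller #2 are healthy) is an assumption, since Table II itself is not reproduced here.

```python
import math

# Constructed failure rates in failures per 1e6 h (illustrative assumptions, not the
# paper's Table I values) for the ten-component controller subsystem named in the
# text and for the logic switch.
CONTROLLER_PARTS = {
    "fpga": 2.0,
    "adc": 0.8,
    "capacitor": [0.05] * 4,
    "connector": [0.1] * 4,
}
SWITCH_RATE = 0.3


def series_failure_rate(rates):
    """Parts-count rule: a subsystem of n parts fails when any part fails, so the
    constant failure rates add (rates in failures per 1e6 h)."""
    return sum(rates)


def mtbf_hours(rate_per_1e6h):
    """MTBF is the reciprocal of the failure rate (rate converted to failures/h)."""
    return 1.0 / (rate_per_1e6h * 1e-6)


def reliability(rate_per_1e6h, t_hours):
    """R_i(t) = exp(-lambda_i * t): exponential distribution for a constant rate."""
    return math.exp(-rate_per_1e6h * 1e-6 * t_hours)


def controller_failure_rate():
    """Failure rate of the single controller subsystem (n = 10 parts in series)."""
    rates = [CONTROLLER_PARTS["fpga"], CONTROLLER_PARTS["adc"]]
    rates += CONTROLLER_PARTS["capacitor"] + CONTROLLER_PARTS["connector"]
    return series_failure_rate(rates)


def survives(ctrl1_ok, ctrl2_ok, switch_ok):
    """Assumed success rule for the operating standby pair with a switch."""
    return ctrl1_ok or (switch_ok and ctrl2_ok)


def standby_reliability(lam_ctrl, lam_sw, t_hours):
    """Sum the probabilities of the success states of the (#1, #2, sw) table,
    with p = R(t) and q = 1 - p for each element, as Table II does."""
    p1 = p2 = reliability(lam_ctrl, t_hours)
    psw = reliability(lam_sw, t_hours)
    total = 0.0
    for c1 in (True, False):
        for c2 in (True, False):
            for sw in (True, False):
                prob = ((p1 if c1 else 1 - p1) * (p2 if c2 else 1 - p2)
                        * (psw if sw else 1 - psw))
                if survives(c1, c2, sw):
                    total += prob
    return total


def standby_mtbf_hours(lam_ctrl, lam_sw):
    """Closed-form integral of R(t) = p1 + q1*psw*p2 over t for exponential
    elements: 1/lc + 1/(lc+ls) - 1/(2lc+ls)."""
    lc, ls = lam_ctrl * 1e-6, lam_sw * 1e-6
    return 1.0 / lc + 1.0 / (lc + ls) - 1.0 / (2 * lc + ls)


def compare(t_hours=100000.0):
    """Single controller versus standby pair at one mission time."""
    lam = controller_failure_rate()
    return {
        "controller_rate_per_1e6h": lam,
        "single_mtbf_h": mtbf_hours(lam),
        "single_R": reliability(lam, t_hours),
        "standby_mtbf_h": standby_mtbf_hours(lam, SWITCH_RATE),
        "standby_R": standby_reliability(lam, SWITCH_RATE, t_hours),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:26s} {value:.6g}")
```

Because the switch sits only in the path that matters after controller #1 fails, its failure rate reduces the benefit of the second controller but never drives the pair below the single-controller curve under this rule.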
The controller reliability function can be derived by summing the terms in the last column of Table II and substituting 
Using the numbers in Table I for the two identical controllers and for the logic switch yields the following failure rates for the three components: The failure rates in (5) and (6) are used to plot the reliability function R(t) of (4), with
III. REDUNDANT CONTROL SYSTEM DESIGN AND LABORATORY PROTOTYPE
Fig. 2 shows the VSI control system architecture implemented to achieve the following objectives.
1) Controllers #1 (primary) and #2 (secondary) must communicate with each other and with the switch.
2) The primary and secondary controllers must be synchronized to prevent a random phase shift in the inverter output voltage when a fault occurs and the system switches from the primary to the secondary controller.
3) The secondary controller integrators must be initialized to begin running with the same values as those of the primary controller when the fault occurs. This minimizes any disturbance in the VSI output-voltage amplitude.
The two controllers are implemented in the laboratory on two separate FPGA-based boards, as shown in Fig. 4. Three physical connections go from the primary (controller #1) to the secondary (controller #2) controller, as shown in Fig. 2. The first connection passes the fault signal, which loads the integrators of the secondary controller when the primary controller fails. The fault signal is also sent from the primary controller to the logic switch in order to switch the output gate signals from the primary to the secondary controller. The second connection, "Theta Synch," sends a pulse signal once every 360° to keep the phase angle of the two controllers synchronized. Controller #2 will treat the loss of "Theta Synch" as a fault of controller #1. The third connection passes the state variables of the primary controller's integrators in order to provide a starting value for the secondary controller's integrators. This third connection achieves the third objective by enabling the secondary controller to start with the same internal values that the primary controller has when the fault is detected.
The control system will switch from controller #1 to controller #2 when either the "Fault" logic signal goes high or the "Theta Synch" signal (Fig. 2) disappears. The "Theta Synch" signal shown in Fig. 2 functions like a "heartbeat" for controller #1, so if it is not delivered regularly, the VSI control will switch to the secondary control board. This is accomplished by the "TTL logic OR" block in Fig. 2, which triggers the logic switch when it receives either a fault signal from controller #1 or a loss-of-synch signal from controller #2. Other possible fault mechanisms are discussed in Section V. Fig. 5 shows the VSI controller implemented in each FPGA control board, including space vector modulation, an outer voltage PI (proportional and integral gain) control loop, and an inner current PI control loop. As in typical VSI controllers, the current and voltage control loops are implemented in the synchronous reference frame. Thus, the superscript "e" is used in Fig. 5 for variables in the synchronous reference frame, while the superscript "s" is used for the qd-axis reference voltages in the stationary frame. The angle θ_e in Fig. 5 is the angle of the output reference voltage and is used to transform the abc-frame variables into qd variables in the synchronous reference frame (indicated as qd^e). The hardware for the controller includes two physically independent Xilinx Virtex II FPGA boards connected to customized interface cards, as shown in the laboratory photograph of Fig. 4. The VHDL code used to program the FPGAs is generated by the Xilinx System Generator software [12]. The two FPGAs produce the six gate signals for the three-phase VSI. Measurements of the line-to-line voltages v_ab and v_bc and the currents i_a and i_b are then fed back into each FPGA through the interface PCB, as shown in Fig. 5.
The inverter output is connected to a three-phase LC filter, with the filter capacitors connected in delta, and to a load of three resistors, also connected in delta, as shown in Fig. 6.
IV. CONTROL SYSTEM IMPLEMENTATION
In this section, the process that leads to the design of the final operating standby redundant controller is reported. The following three subsections present the implementation of the three objectives listed in Section III, together with simulated and experimental measurements of the VSI output line-to-line voltages.
A. First Objective: Implementing Independent Redundant Controllers
The ability of the primary controller to communicate with the secondary controller and the switching unit is the first objective that is achieved. The logic switch should be implemented on a separate component, but for this laboratory experiment, it is included in one of the FPGAs since the goal of the experiment is to demonstrate the functionality, not the reliability of the control system. The fault detection was simulated in the experiment with a logical signal. Fig. 7 shows the three simulation plots of the same output line-to-line voltage when the VSI switches between two independently operating controllers with no synchronization or initial conditions between controllers #1 and #2. Fig. 8 shows the experimental validation in perfect agreement with the simulations. Both figures show a period of about 0.08 s between the switching event and the secondary controller achieving steady-state operation. It should be noted that this disturbance time could be longer or shorter, depending on the gain values chosen for the system.
The disturbance in the VSI output line-to-line voltage shows that the main source of disturbance is the phase shift between the internal angle values (θ_e in Fig. 5) of the two controllers. An additional source of disturbance is the time required for the secondary controller to reach steady state after the switching event. Figs. 7 and 8 show three separate simulations and measurements of the inverter line-to-line voltage v_bc overlaid on each other, which exhibit three separate random phase shifts in the output voltage of the VSI. Both the simulated and experimental results show a significant disturbance in the amplitude and phase of the output during the switching event. These results point out the need to synchronize the two controllers in order to produce an output voltage that meets military standards [13].
B. Second Objective: Implementing Phase-Synchronized Redundant Controllers
Theta synchronization must be implemented in order to control the output of the secondary controller when a fault is detected. Since the controllers are digitally implemented on separate boards, the θ_e in Fig. 5 of each controller would slowly drift apart over time without some mechanism to keep them aligned. This difference in θ_e between the two controllers causes the output of the VSI to have a random phase shift when the system switches from the primary to the secondary controller, as shown in Figs. 7 and 8. The simulated result of what the VSI output should look like without any phase shift during the switching event is shown in Fig. 9.
The experimental measurements shown in Fig. 10 confirm that the θ_e synchronization software eliminates the phase shift of the VSI output voltage when the controller switches from the primary to the secondary one. Three separate failures of the primary controller were used to create the three plots in Fig. 10, which are overlaid on each other, thus showing that there is no phase shift in the output line-to-line voltage when controller #2 takes over.
Although the random phase shift element of disturbance is no longer present, the VSI output voltage still does not meet the military standards for voltage disturbance in a power system. The plots in Fig. 10 clearly show that the disturbance in the voltage amplitude is still present during the switching event.
C. Third Objective: Implementing Fully Synchronized Redundant Controllers
The final goal is to design the redundant controller architecture so that the secondary controller comes online at the same operating point at which the primary controller failed. Until this point in the design, the secondary controller's integrator values have been set to zero. The four integrators are in the two PI controllers shown in Fig. 5, where each PI controller block represents a q- and d-axis PI controller. Keeping the integrator state variables at zero prior to sensing a fault in the system means that the VSI output starts at zero and works its way to steady state. Although the loss of power is brief, it is not an acceptable design to meet military standards [13]. This problem is solved by sending the four integrator values from the primary controller to the corresponding integrators in the secondary controller, to be used as a starting point when the secondary controller comes online. The four 12-bit words are sent serially from one controller to the other. Fig. 11 shows the simulated VSI line-to-line output voltages when θ_e is synchronized and the serialized integrator values of the primary controller are passed to the secondary controller. The fault detection is simulated at 0.05 s, and the simulated voltages clearly show no disturbance when controller #2 takes over the inverter control. This presumes a fault that does not cause distortion prior to fault detection. Fig. 12 shows three different experimental measurements of the line-to-line voltage (v_bc) when the fully synchronized controller is used. Fig. 13 shows the three different VSI output line-to-line voltages. The switching from controller #1 to controller #2 occurs at 0.05 s for all experiments. Although the measurements show significant distortion in the voltage output, the inverter output voltages show no disturbance due to the switching from the primary to the secondary controller.
Both simulated and experimental output measurements provide a high level of confidence in the ability of this design to switch from the primary to the secondary controller when a fault occurs with virtually no disturbance to the output of the VSI.
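The following Python simulation is an added example that reproduces, in a reduced model, the three stages of Section IV; it is not the paper's simulation model or FPGA code. Each controller is reduced to a phase accumulator for θ_e and one amplitude PI loop (the paper has four integrators), the inverter and LC filter are replaced by a first-order lag, and the fault is a logic signal at 0.05 s as in the paper's experiments. The 60-Hz output frequency, the gains, the lag, the secondary board's clock error and its power-up phase offset are constructed assumptions. The three runs switch with (a) independent controllers, (b) θ_e synchronized by a pulse once per 360° but integrators held at zero, and (c) θ_e synchronized and the integrator value latched into controller #2 at the fault; the returned figure is the worst deviation of the output from the undisturbed waveform after the switch.

```python
import math

# Constructed constants (assumptions for this example, not values from the paper,
# except the 0.05-s fault instant used in its Figs. 11-13).
DT = 1e-4          # control step, s
F_OUT = 60.0       # output frequency, Hz
V_REF = 1.0        # per-unit amplitude reference
KP, KI = 0.5, 200.0
TAU = 5e-3         # first-order lag standing in for the inverter plus LC filter, s
T_FAULT = 0.05     # controller #1 fault instant, s
T_END = 0.15


class Controller:
    """One FPGA board: a phase accumulator for theta_e and one amplitude PI loop."""

    def __init__(self, clock_error=0.0, theta0=0.0):
        self.theta = theta0
        self.integ = 0.0
        self.w = 2 * math.pi * F_OUT * (1.0 + clock_error)  # board clock mismatch

    def step(self, v_meas, hold_integrator=False):
        """Advance theta and the PI loop; returns (amplitude command, wrapped_360)."""
        self.theta = (self.theta + self.w * DT) % (2 * math.pi)
        wrapped = self.theta < self.w * DT        # just passed 360 degrees
        err = V_REF - v_meas
        if hold_integrator:
            self.integ = 0.0                       # standby: integrator kept at zero
        else:
            self.integ += KI * err * DT
        return KP * err + self.integ, wrapped


def simulate(theta_sync, integrator_handoff):
    """Fault controller #1 at T_FAULT and return the worst deviation of the output
    from the undisturbed waveform V_REF*cos(theta_1) after the switch."""
    c1 = Controller()
    c2 = Controller(clock_error=2e-3, theta0=1.2)  # powered up later, own clock
    v_amp = 0.0
    active = c1
    worst = 0.0
    for k in range(int(T_END / DT)):
        t = k * DT
        # Controller #1 keeps running as the phase reference; the fault is a logic
        # signal, as in the paper's experiments, not a loss of its phase.
        u1, pulse = c1.step(v_amp)
        if active is c1 and t >= T_FAULT:
            if integrator_handoff:
                c2.integ = c1.integ      # serialized integrator value latched into #2
            active = c2                  # logic switch moves the gate signals to #2
        u2, _ = c2.step(v_amp, hold_integrator=(active is c1))
        if theta_sync and pulse:
            c2.theta = c1.theta          # "Theta Synch" pulse once per 360 degrees
        u = u1 if active is c1 else u2
        v_amp += (u - v_amp) * DT / TAU  # plant responds to the active command
        v_out = v_amp * math.cos(active.theta)
        if t >= T_FAULT:
            worst = max(worst, abs(v_out - V_REF * math.cos(c1.theta)))
    return worst


def compare():
    """Worst post-switch deviation (per unit) for the three stages of Section IV."""
    return {
        "independent": simulate(theta_sync=False, integrator_handoff=False),
        "theta_synchronized": simulate(theta_sync=True, integrator_handoff=False),
        "fully_synchronized": simulate(theta_sync=True, integrator_handoff=True),
    }


if __name__ == "__main__":
    for name, dev in compare().items():
        print(f"{name:20s} worst deviation after switch = {dev:.3f} p.u.")
```

With the integrator held at zero in standby, the synchronized-only run reproduces the amplitude dip of Fig. 10: the secondary's command starts from zero and the PI loop has to rebuild it. Latching the primary's integrator removes that dip, leaving only the small residual phase error that accumulates between two synch pulses.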
V. FAULT MECHANISM AND DETECTION
Fault detection is critical to the successful operation of the standby redundant controller presented in this paper. Most faults will create glitches in the output voltage before the redundant control system can switch from the primary to the secondary control board. For those cases, the resulting output-voltage waveforms will not look as perfect during the transition as those shown in Figs. 11-13. In this section, the following types of faults are discussed, and the consequences of each fault mechanism are assessed.
1) Loss of synch signal from the first controller.
2) Loss of 5-V power to a controller.
3) Current error exceeds some margin.
4) Voltage error exceeds some margin.
The first type of fault is addressed by the "TTL logic OR" in Fig. 2. If controller #2 does not receive the "Theta Synch" signal, then it takes over the control of the VSI and sends a fault signal to the logic switch through the OR block. Since the phase error between the two controllers drifts very slowly, this causes little output distortion when controller #2 takes over.
The second type of fault is loss of 5-V power to one of the controllers. If controller #2 loses power while controller #1 is operating, then the controller redundancy is lost in the case with only two redundant controllers. The addition of a third control board would further increase the reliability of the system, although it would also increase cost. The operation of the standby redundant control system with multiple controllers is similar to the operation of the doubly redundant system presented in this paper. If controller #1 loses power, controller #2 takes over, provided that the logic includes undervoltage detection. It is also important that each controller has its own power source.
The first two types of faults will not create additional disturbance in the output voltage compared to the experimental results presented in this paper, but currents and voltages exceeding a preset band will cause measurable disturbance in the output voltage. The disturbance is clearly proportional to the margin set for each signal. A current can go out of control due to a current sensor failure or a gate drive signal failure. In either case, controller #1 will detect an abnormal current and will send a fault signal so that controller #2 can take over the control of the VSI. Similarly, to address the fourth type of fault, the voltage is monitored, and if it exceeds a preset band, an error signal is generated.
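The following Python script is an added example of the detection logic this section describes, not the paper's own FPGA logic. It models the four fault types as two detectors joined by the "TTL logic OR": a self-check in controller #1 (5-V undervoltage, current error band, voltage error band) and a heartbeat watchdog in controller #2 that treats a missing "Theta Synch" pulse as a fault. The sample stream, the 60-Hz pulse rate, the timeout, the undervoltage threshold, and the error bands are constructed assumptions. The last function shows the point made above about margins: for a current error that ramps away because of a sensor or gate drive failure, widening the band delays the switch and therefore lengthens the disturbance.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds and timing (assumptions for this example, not the paper's values).
F_OUT = 60.0
SYNC_PERIOD = 1.0 / F_OUT          # one "Theta Synch" pulse per 360 degrees
SYNC_TIMEOUT = 1.5 * SYNC_PERIOD   # half a cycle of grace before declaring loss of synch
RAIL_MIN_V = 4.5                   # undervoltage threshold on the 5-V controller supply
I_BAND = 0.2                       # current-error margin, per-unit
V_BAND = 0.1                       # voltage-error margin, per-unit
DT = 1e-3                          # sampling step of the constructed stream, s


@dataclass
class Sample:
    t: float
    sync_pulse: bool   # "Theta Synch" pulse seen by controller #2 during this step
    rail_v: float      # controller #1 5-V supply as seen by an undervoltage monitor
    i_err: float       # current-loop error magnitude in controller #1, per-unit
    v_err: float       # voltage-loop error magnitude in controller #1, per-unit


class PrimarySelfCheck:
    """Fault types 2-4 as seen from controller #1: undervoltage and error bands."""

    def __init__(self, i_band=I_BAND, v_band=V_BAND):
        self.i_band, self.v_band = i_band, v_band

    def fault(self, s: Sample) -> List[str]:
        reasons = []
        if s.rail_v < RAIL_MIN_V:
            reasons.append("undervoltage_5V")
        if abs(s.i_err) > self.i_band:
            reasons.append("current_out_of_band")
        if abs(s.v_err) > self.v_band:
            reasons.append("voltage_out_of_band")
        return reasons


class SynchWatchdog:
    """Fault type 1 as seen from controller #2: the heartbeat stopped arriving."""

    def __init__(self):
        self.last_pulse = 0.0

    def fault(self, s: Sample) -> List[str]:
        if s.sync_pulse:
            self.last_pulse = s.t
        return ["loss_of_synch"] if s.t - self.last_pulse > SYNC_TIMEOUT else []


def first_switch_event(samples, i_band=I_BAND) -> Optional[Tuple[float, List[str]]]:
    """The "TTL logic OR": the switch fires on the first step in which either
    controller reports a fault. Returns (time, reasons) or None if no fault."""
    primary, watchdog = PrimarySelfCheck(i_band=i_band), SynchWatchdog()
    for s in samples:
        reasons = primary.fault(s) + watchdog.fault(s)
        if reasons:
            return s.t, reasons
    return None


def make_run(duration=0.1, sync_lost_at=None, rail_drop_at=None, i_err_slope=0.0):
    """Constructed sample stream: a heartbeat every 360 degrees, and optionally a
    heartbeat that stops, a 5-V rail that collapses, or a current error that ramps
    (each injected on its own, so the detectors can be observed separately)."""
    samples = []
    next_pulse = SYNC_PERIOD
    for k in range(int(round(duration / DT)) + 1):
        t = round(k * DT, 6)
        pulse = False
        if t >= next_pulse - 1e-9:
            pulse = sync_lost_at is None or t < sync_lost_at
            next_pulse += SYNC_PERIOD
        rail = 5.0 if rail_drop_at is None or t < rail_drop_at else 3.0
        samples.append(Sample(t, pulse, rail, i_err_slope * t, 0.0))
    return samples


def detection_time_for_band(i_band, slope=4.0):
    """Time at which a linearly growing current error trips a given margin: the
    wider the band, the later the switch and the longer the output disturbance."""
    event = first_switch_event(make_run(duration=0.2, i_err_slope=slope), i_band=i_band)
    return None if event is None else event[0]


if __name__ == "__main__":
    print("healthy:", first_switch_event(make_run()))
    print("synch lost at 0.05 s:", first_switch_event(make_run(sync_lost_at=0.05)))
    print("5-V rail lost at 0.03 s:", first_switch_event(make_run(rail_drop_at=0.03)))
    for band in (0.1, 0.2, 0.4):
        print(f"current band {band}: switch at {detection_time_for_band(band)} s")
```

The heartbeat timeout is the one detector that adds latency by design: it cannot fire until more than a cycle has passed without a pulse, which is why the text expects little distortion from it only because the phase error between the boards drifts slowly.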
Future work will quantify the output-voltage distortion caused by abnormal currents or voltages that result in faults.
VI. CONCLUSION
This paper has presented the successful implementation of a standby redundant control system for a VSI. The controller has been implemented on two separate FPGA-based control boards. The secondary controller is designed to operate physically independently of the primary controller to reduce the risk of damage when a fault occurs, thereby providing true redundancy. Noiseless switching from controller #1 to controller #2 is achieved in two ways: 1) θ_e synchronization and 2) passing the integrator values from the primary to the secondary controller through the serialization software and latching the values in the secondary controller when a fault is detected.
The proposed control architecture has been demonstrated by computer simulations and experimental measurements on a laboratory prototype with a VSI driving a delta-connected load. Although the proposed control system has been demonstrated with two redundant controllers, the techniques presented in this paper can also be applied to designs with a larger number of redundant components.
