Abstract: This paper presents an investigation and a comprehensive analysis of fault operations in a conventional three-phase voltage source inverter. After an introductory section dealing with power converter reliability and fault analysis issues in power electronics, a generalized switching function accounting for both healthy and faulty conditions and an easy and feasible method to embed fault diagnosis and reconfiguration within the control algorithm are introduced. The proposed system has a simple and compact implementation. Experimental results in both open- and closed-loop current control, obtained using a test bench built around a dSPACE system and the fault-tolerant inverter prototype, demonstrate that the proposed solution is effective and feasible and makes all faults easily managed by the controller itself.
Index Terms: Control, fault diagnosis, fault tolerance, inverters, power converters, pulsewidth modulation.
NOMENCLATURE

I. INTRODUCTION
THE ultimate goal of fault-tolerant inverters is either to ensure continuous operations, even if at reduced performance, or to quickly stop operations in case of failures, thus preserving overall safety. This feature is particularly relevant not only in hazardous environments or mission-critical applications such as underwater or submarine [1] and aerospace applications [2], [3] but also in numerous situations of practical interest in industry, transportation, etc.
The reliability of power converters depends on many factors, including operating conditions, adopted components and hardware design, and control software conception, as for the way it is developed and tested. However, it has been estimated that at least 80% of faults are due to semiconductor failures, as a consequence of short circuits, interruptions, open circuits, driver misfiring, etc. [4]-[7]; on the contrary, nonredundant topologies, assuming temporary performance degradation, on the basis of some modified control strategies exploit the possibility of minimum additional components for reconfiguration and operation [4], [8], [9].
Other interesting technical papers concerning the application of fault-tolerant inverters investigate the limits of performance or control issues, taking into account the specific application field, i.e., industrial drives, automotive, distributed generation systems, etc. [7], [10]-[15]. Control algorithms and fault diagnosis systems, more or less integrated within the operational range of the system, are addressed in [16]-[19].
By developing relationships between prefault and postfault equations, an easy and effective integration between the fault diagnosis/reconfiguration algorithm and the controller becomes possible.
In this paper, a nonredundant fault-tolerant inverter has been considered, and a fault-tolerant approach has been introduced, which is characterized by the high level of integration among analysis, modeling, control, and monitoring issues [19]-[24]. The fault tolerance algorithm can be easily embedded within the control system and implemented using the same microcontroller. It is based on the normalized Park's current vector [25]-[29], the general inverter mathematical model, and some relationships between pre- and postfault conditions. The resulting faulty-mode mathematical model allows a prediction of the effects on both the internal (dc link) and the external behavior (i.e., load voltages and currents) and returns voltages and current waveforms in good accordance with the experimental results.
The mathematical model presented hereafter is based on the definition of some appropriate variables: HDBVs and HLBVs, which carry the information about the healthy or the faulty inverter state. These variables also suggest a fault-tolerant reconfiguration control strategy for the inverter and, at the same time, a way to perform the fault diagnosis.
In the following, Section II summarizes the problem formulation, introducing the generalized approach with state variables and the functions HDBV and HLBV. Section III deals with the fault-tolerant mode. Fault-tolerant control is designed to be fully integrated within the controller. Section IV shows some results obtained using a laboratory setup.
Finally, Section V summarizes some conclusions and remarks on the analysis results.
II. INVERTER MODEL DURING HEALTHY AND FAULTY MODE
The topology of a nonredundant fault-tolerant inverter is shown in Fig. 1. The primary switches are insulated-gate bipolar transistors (IGBTs) with antiparallel freewheeling diodes. Additional bidirectional switches S BIDj (see Fig. 1) add fault-tolerant operations by the connection of the load poles with the dc-link midpoint. They could be TRIACs, but since they exhibit high susceptibility to fast changing and pulsating voltages, IGBTs with single-phase rectifier bridges are often preferred, thus allowing unidirectional currents with alternating load currents.
As discussed in [30], in order to take into account potential faults, conduction across freewheeling diodes should be taken into account; hence, the following switching functions Ŝ j+/− have to be introduced:
where S j+ and S j− (S j− = S̄ j+) are complementary switching functions (S j+ = 1/0) for the upper/lower device of the jth phase and ∨, ∧ represent the "OR" and "AND" logical operators, respectively.
In (1), the term at the left hand of the OR operator represents the condition for which the controllable devices are turned on, while the right one is that relative to diode conduction.
To fix the ideas, let the upper freewheeling diode conduct if the load current is negative and, at the same time, if the lower IGBT is switched off; otherwise, it will carry on the current. A similar consideration applies to other conditions.
If a fault occurs to the upper IGBT, then S j+ vanishes and the negative current is conducted by the freewheeling diode or by the lower IGBT, so the generalized switching function for the upper switch reduces to the term
To depict the general case, it is sufficient to introduce an HDBV defined as follows:
The introduction of such variables makes the definition of the generalized switching function very simple
In fact, it is sufficient to multiply each S j± by the corresponding variable h j± . The same principle holds in case both the transistor and diode are broken. However, in this case, the signal coming from the expression [S j− ∧ (i j < 0)], or similar, is used to reset the integrators used in the load simulation. The load equation in the integral form is, in fact,
Notice that, in order to correctly model the converter behavior, in case of simultaneous fault to one IGBT and its freewheeling diode, (4) has to be reset. In this way, the load current is forced to zero every time the bottom device is turned off. Finally, the proposed HDBV approach holds even if an entire inverter leg becomes faulty.
By introducing the HLBVs,
a general inverter model including both faults and postfault reconfiguration can be obtained through the following matrix equations [24] , [31] :
It should be observed that, if the inverter is healthy, H k is a diagonal unitary matrix and previous equations reduce to the well-known model of a three-phase inverter. Equations (6) and (7) are arranged in equivalent form, thus resulting to be more understandable than those in [32]. The proposed model is capable of simulating failures or breakages of a single IGBT and/or its freewheeling diode and can be easily implemented using either an equation-oriented simulation tool (e.g., Matlab/Simulink, Octave, Scilab, etc.) or a circuit-oriented simulator (e.g., Sim Power System or PSIM). The first solution has been preferred here due to its higher simulation speed and the absence of convergence problems with integration algorithms.
III. FAULT DETECTION AND RECONFIGURATION ALGORITHM
The proposed fault detection algorithm is based on the analysis of the normalized Park's current space vector. It is important to distinguish between three distinct cases.
1) An open-circuit fault affects only one controllable device: The current flowing across the faulted phase can circulate only during half wave, closing its pattern through the freewheeling diode and/or the other device of the leg. The fault condition could persist long enough, causing deterioration in performance [see also Fig. 2(a)].
2) An open-circuit fault affects an IGBT and its companion freewheeling diode: In this case, the current on the faulted phase vanishes, unless it is conducted by the remaining IGBT [see Fig. 2(b)]. The load current conducted by the healthy IGBT is highly pulsating.
3) An entire leg of the inverter is disconnected due to the fault: This may happen if the fault occurring to one device is propagated to the second device of the same leg. This case is typical of packaged modules or due to the intervention of fast fuses or another protection. For the damage to an entire leg, the current flowing across the faulted phase becomes zero [see also Fig. 2(c)].
It is worth noting that, in all cases, the average trajectory of the current space vector changes. In particular, in case 1, the space vector trajectory consists of two distinct parts: a) a half circle, if all phase currents circulate, and b) a segment, if the current through the faulty phase is null [see, e.g., Fig. 3(a)].
In case 2, an IGBT failure and a diode break occur simultaneously. The trajectory becomes a segment [see Fig. 3(b)]. Previous considerations can be extended to case 3.
If the average vector trajectory becomes a segment, the following relations for the α − β components of the measured currents hold:
i.e., during a phase fault, the knowledge of the faulted phase follows the slope of the trajectory. In order to increase reliability and robustness, particularly at very low load current, the normalized current space vector components are considered, and (10) is modified as follows:
where ε is a coefficient accounting for noisy measurements and current ripple. A full exploitation of filtered current samples helps to strengthen the diagnosis algorithm. Assuming N sampled currents per period and considering a healthy inverter, each relationship in (11) is satisfied within (2N/π)ε samples at most. Therefore, the diagnosis process can use a pulse counter operating with the same clock frequency used for current sampling. Such a counter is reset every time (11) is no longer verified. A fault index Γ much higher than (2N/π)ε is introduced.
Fig. 4 shows the simulation of the diagnosis based on the sample counting principle. When (11) becomes true for a phase, the corresponding counter runs as long as the condition holds and then stops and resets. Counter outputs are always compared with Γ. Clearly, for healthy legs, counters stop within (2N/π)ε. For the faulted phase, instead, the counter operates for a longer time and certainly exceeds Γ, highlighting fault occurrence and triggering inverter reconfiguration. After reconfiguration, the counter is reset, and the counting process restarts. Fig. 4 shows a simulation of a faulty inverter at 3-kHz sampling frequency and Γ* = 24. The diagnosis system counts three samples at most for the healthy legs, while in the faulty leg, the counter goes beyond the Γ* threshold.
In practical cases, current ripple has to be taken into account; therefore, Γ* should be high enough to avoid the risk of false positive tests. A simple calibration, performed according to the highest expected current ripple, should be sufficient to eliminate the problem. It is worth noting that any new incoming fault will be detected, but the system cannot be further reconfigured; hence, the inverter must be shut down. Laboratory tests presented in Section IV suggest that a good tradeoff is to choose a threshold Γ* between N/4 and N/2 at the highest output frequency.
If the counter output is (2N/π)ε ≤ N ≤ Γ*, this may indicate a prefault condition due to a possible gate drive failure. This abnormal condition could be reported as a prefault signal, which is useful to schedule a check and/or a maintenance procedure.
It is worth noting that, whatever the fault and its occurrence, the time needed for its diagnosis is bounded within a half period. Hence, while operating at 50 Hz, any incoming fault will be diagnosed in 10 ms at most.
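The sample-counting diagnosis described above can be sketched as follows. This is an added example, not code from the paper: relation (11) is not reproduced in this text, so the per-phase test `abs(i_j)/|i_s| < eps` is an assumption, and the current waveforms, `EPS` and all function names are constructed for illustration (N = 60 and Γ* = 24 follow the 3-kHz, 50-Hz case quoted for Fig. 4).

```python
import math

def normalized_phase_currents(i1, i2, i3):
    """Phase currents divided by the magnitude of the Park (alpha-beta) current vector."""
    i_alpha = (2 * i1 - i2 - i3) / 3
    i_beta = (i2 - i3) / math.sqrt(3)
    mag = math.hypot(i_alpha, i_beta)
    if mag < 1e-9:                      # no current at all: every phase reads as null
        return (0.0, 0.0, 0.0)
    return (i1 / mag, i2 / mag, i3 / mag)

def diagnose(samples, n_per_period, eps, gamma):
    """Sample-counting diagnosis: one counter per phase, reset when the test fails."""
    healthy_bound = 2 * n_per_period * eps / math.pi   # (2N/pi)*eps from the text
    counters, peak = [0, 0, 0], [0, 0, 0]
    for k, currents in enumerate(samples):
        norm = normalized_phase_currents(*currents)
        for j in range(3):
            if abs(norm[j]) < eps:      # ASSUMED stand-in for the per-phase test (11)
                counters[j] += 1
                peak[j] = max(peak[j], counters[j])
                if counters[j] > gamma:  # fault index exceeded: trigger reconfiguration
                    return {"fault_phase": j + 1, "sample": k, "peak": peak,
                            "prefault": []}
            else:
                counters[j] = 0
    # Counts between the healthy bound and gamma are reported as a prefault warning.
    prefault = [j + 1 for j in range(3) if healthy_bound <= peak[j] <= gamma]
    return {"fault_phase": None, "sample": None, "peak": peak, "prefault": prefault}

def constructed_currents(n_samples, n_per_period, amp=10.0, open_leg_at=None):
    """Constructed test data: balanced currents, then leg 3 fully open (case 3)."""
    out = []
    for k in range(n_samples):
        th = 2 * math.pi * k / n_per_period
        if open_leg_at is not None and k >= open_leg_at:
            i1 = amp * math.sqrt(3) / 2 * math.sin(th + math.pi / 6)
            out.append((i1, -i1, 0.0))  # only phases 1 and 2 conduct
        else:
            out.append((amp * math.sin(th),
                        amp * math.sin(th - 2 * math.pi / 3),
                        amp * math.sin(th + 2 * math.pi / 3)))
    return out

N = 60          # 3-kHz sampling of a 50-Hz fundamental
EPS = 0.0785    # constructed value, gives (2N/pi)*eps of about 3 samples
GAMMA = 24      # threshold quoted for the Fig. 4 simulation

def run_demo():
    healthy = diagnose(constructed_currents(3 * N, N), N, EPS, GAMMA)
    faulty = diagnose(constructed_currents(3 * N, N, open_leg_at=90), N, EPS, GAMMA)
    return healthy, faulty

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

With the leg opened at sample 90, the phase-3 counter passes Γ* 25 samples later, inside the half-period bound of 30 samples stated in the text.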
In fault-tolerant mode, after disabling the faulted phase, the inverter control uses only two reference voltages with a displacement angle of π/3 to achieve a null inverse component in the output voltages.
This can be easily demonstrated by calculating the inverse component module of a pair of reference voltages u*_ref1 = √2 U_RMS sin(ωt) and u*_ref2 = √2 U_RMS sin(ωt − ϕ). The phasor expressions of the reference voltages are
The inverse components, in the three possible fault cases, are
so the inverse component magnitudes are
in which the sign "+" applies for phase "1" or "3," while the sign "−" applies for phase "2." In both cases, if ϕ ± (2π/3) = π, i.e., for ϕ = ±(π/3), it results in |U_inv| = 0. Hence, in a faulted inverter, if the load is symmetrical and if the reference voltages for healthy legs consist of a couple of sinusoidal signals with a π/3 phase displacement, the inverter output voltages and currents are both symmetrical.
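The π/3 result can be checked numerically with the standard Fortescue (symmetrical-component) transform. This is an added example, not the paper's own equations: it assumes the faulted pole, tied to the dc-link midpoint, contributes 0 V and that the two references are assigned to the healthy legs in phase order; the closed form in `closed_form` is derived here from that definition, and all function names are illustrative.

```python
import cmath
import math

A = cmath.exp(2j * math.pi / 3)   # Fortescue operator a = exp(j*2*pi/3)

def inverse_component(u1, u2, u3):
    """Negative-sequence (inverse) phasor of a three-phase set."""
    return (u1 + A**2 * u2 + A * u3) / 3

def postfault_inverse_magnitude(faulted_phase, phi, u_rms=1.0):
    """|U_inv| when the two healthy legs get U and U*exp(-j*phi), in phase order.

    Assumption: the faulted pole, tied to the dc-link midpoint, contributes 0 V.
    """
    refs = iter((complex(u_rms), u_rms * cmath.exp(-1j * phi)))
    u = [0j if p == faulted_phase else next(refs) for p in (1, 2, 3)]
    return abs(inverse_component(*u))

def closed_form(faulted_phase, phi, u_rms=1.0):
    """(2U/3)*|cos((phi +/- 2*pi/3)/2)|: '+' for phase 1 or 3, '-' for phase 2."""
    sign = -1 if faulted_phase == 2 else 1
    return 2 * u_rms / 3 * abs(math.cos((phi + sign * 2 * math.pi / 3) / 2))

def zero_displacement_deg(faulted_phase):
    """Displacement in (-180, 180] degrees, on a 1-degree grid, minimizing |U_inv|."""
    return min(range(-179, 181),
               key=lambda d: postfault_inverse_magnitude(faulted_phase,
                                                         math.radians(d)))

if __name__ == "__main__":
    for phase in (1, 2, 3):
        d = zero_displacement_deg(phase)
        print(phase, d, postfault_inverse_magnitude(phase, math.radians(d)))
```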
By using the HLBVs, it is possible to synthesize a general control law for the fault-tolerant inverter including both faulted and healthy conditions. The modified reference voltages u*_ref1, u*_ref2, and u*_ref3, after the inverter reconfiguration, are
These equations are general. In fact, for the three different fault cases, it results in
For the healthy case, instead, u *
t . Equation (15) can be expressed in vectorial form as
where
A direct application of (17) guarantees inverter reconfiguration but introduces a sudden π/2 phase displacement in the reference voltage space vector with respect to the nonreconfigured reference voltages. This undesired displacement leads to additional current transients and, in case of grid-connected inverters, may lead to loss of synchronization.
In order to avoid abrupt changes of current displacement after the reconfiguration, (17) can be modified as follows: /2) , i.e., the phase displacement correction is active only during fault-tolerant operations.
IV. EXPERIMENTAL RESULTS
A test bench consisting of a dSPACE control board and an INFRANOR BF70/4.22 converter has been set up to verify the effectiveness of the proposed fault-tolerant control strategy. The overcurrent and undervoltage converter protections were not disabled in order to demonstrate the fast and affordable operation of the fault-tolerant algorithm. As a matter of fact, during almost all tests, the proposed algorithm has performed faster than factory protections. Only in a few cases (approximately 5%) and due to unpredictable supply network disturbances uncorrelated with the emulated fault did the inverter protections disconnect the system from the network earlier than the fault-tolerant algorithm.
Fault emulation has been realized by introducing normally closed relays operated by a dSPACE board between the inverter and load. Antiparallel thyristors reconnect the faulted phase pole with the dc-link midpoint. An induction motor, whose rated values are summarized in Table I, and an electromagnetic brake have been used as a load.
Test results have been recorded by a Yokogawa PZ4000 power analyzer. A scheme and a picture of the test bench are shown in Figs. 5 and 6, respectively. The experimental tests have been realized both in open- and closed-loop current control, thus verifying the different behavior of the fault-tolerant inverter in these different situations.
A. Open-Loop Tests
During open-loop tests, the converter fed the motor without speed and current control loops. Hence, a fault was emulated on phase 3 ("W" in Fig. 5) of the converter. Tests were realized at different values of output voltages and currents and at different switching frequencies. In the absence of disturbance in the main supply, all tests were successful, i.e., the system performed proper diagnosis and prompt inverter reconfiguration as well. Fig. 7 depicts typical voltage patterns before and after fault and reconfiguration on the faulty and healthy phases, respectively. Tests were performed at 50 Hz, reference voltage equal to 150 V, 10-kHz switching frequency, and V DC = 340 V. Fault detection and reconfiguration were achieved within less than a half period. A similar test was also made choosing a 230-V reference voltage to test the overmodulation range (see Fig. 8). Figs. 9 and 10 show the induction motor stator currents at no load and with load. After fault detection and reconfiguration, current ripple has increased, but it is still acceptable. Currents are affected by light unbalance due to the fluctuation of the dc-link voltage after reconfiguration, caused by the circulation of the faulted phase current across dc-link capacitors (see Fig. 11).
There are several strategies for dc-link voltage unbalance compensation, such as that proposed in [33]. As discussed in Section IV-B, the closed-loop current controller can implement a self-compensating action, just with a proper generation of the reference voltages by the current controllers.
B. Closed-Loop Tests
Motor speed and current closed-loop operations have also been performed. An electromagnetic brake imposes different loads, monitored by the power analyzer. Owing to current regulation, the system has better behavior than during open-loop operations, with special regard to current patterns. Since no blatant difference can be observed in output voltages with respect to open-loop operations, only stator currents during no-load and load conditions are hereafter reported.
During no-load operations (see Fig. 12), motor current ripple is still higher than before the fault, but by a smaller amount than in the open-loop tests. As shown in Fig. 13, load currents are very satisfactory; also, current unbalance is smaller than during open-loop tests. Fig. 14 shows the estimated motor torque in case of the closed-loop test at 10 A and 50 Hz. The same figure shows that the deterioration of the torque after a fault and the corresponding reconfiguration is not significant and confirms the relevance of the introduction of fault-tolerant operations. Motor torque has been estimated with a postprocessing of the measured voltages and currents, using the motor model in the DQ synchronous reference frame
Fig. 15 shows the reference voltages at the output of the reconfiguration algorithm block, generated by current regulators, as before faults, and rearranged according to (18) after fault. The reference voltages of the current regulator remain almost unchanged. It is worthwhile to note that, in the closed-loop test, the π/3 phase displacement between the reference voltages remains unchanged, but a slight difference in their peaks is evident.
This difference compensates the dc-link voltage unbalance and improves the load current symmetry. This test confirms what has been demonstrated in [33] and [34], i.e., introducing 
V. CONCLUSION
This paper has presented a comprehensive theoretical analysis and an experimental testing of a nonredundant fault-tolerant inverter. After introducing the generalized switching functions HDBVs and HLBVs, a dynamic model suitable for the simulation of the voltage source inverter both in healthy and faulty conditions has been introduced. In particular, HDBVs and HLBVs allow the modeling of healthy, faulted, and reconfigured mode operations through a very simple and practical formulation of a fault diagnosis algorithm based on the recognition of Park's normalized current space vector trajectory. At the same time, it enables the setting of a reconfiguration system in which the new voltage references are computed from those previously used before the inverter failure. The strong conceptual bond between HDBVs, HLBVs, inverter model, and postfault reconfiguration algorithm allows the realization of systems with embedded fault-tolerant control, thus allowing fault-tolerant operations in several cases of practical interest.
System reconfiguration converts prefault reference voltages into a two-phase reference system with π/3 phase displacement, capable of ensuring load current balance. However, in practical cases, load current is slightly unbalanced due to dc-link voltage fluctuations. A simple compensating open-loop strategy or proportional-integral (PI) regulators in closed-loop current controls are able to correct the unbalance effects by introducing a slight difference in the amplitude of the postfault reference voltages.
Experimental results confirm the validity of the HDBV and HLBV definitions and show how these variables greatly simplify the implementation and setup of the fault-tolerant control strategy. In this way, traditional control systems could be used even with fault-tolerant inverter topologies, without the need to significantly upset the control system itself.
