Three-Level NPC Dual-Buck Inverter Designed to Safety-Critical Applications

Armando Cordeiro
ADEEEA, LCEC
ISEL, Instituto Politécnico de Lisboa
Lisboa, Portugal
INESC-ID Lisboa, SustainRD Setúbal
armando.cordeiro@isel.pt

V. Fernão Pires
DEE-Department of Electrical Engineering
ESTSetúbal, Instituto Politécnico Setúbal
Setúbal, Portugal
INESC-ID Lisboa, SustainRD Setúbal
vitor.pires@estsetubal.ips.pt

Daniel Foito
DEE-Department of Electrical Engineering
ESTSetúbal, Instituto Politécnico Setúbal
Setúbal, Portugal
CTS/UNINOVA, SustainRD Setúbal
daniel.foito@estsetubal.ips.pt

Abstract—This paper presents a three-phase three-level NPC (neutral point-clamped) Dual-Buck inverter topology suitable to increase fault-tolerant capability to safety-critical applications. Using the proposed topology, it is possible to achieve energy processing capability in case of several failure modes. The fault-tolerant enhancements are a consequence of appropriate modifications in the control strategy and from redundancy of power devices to maintain the correct operation of the converter. The proposed control strategy adopted in the presented solution can also equalize the capacitor voltages automatically. Some simulation results are included in this study to confirm the validity of the theoretical study.

Keywords—Multilevel Neutral-Point-Clamped, Dual-Buck inverter, reliability, redundancy, fault-tolerant, inverter failure.

I. INTRODUCTION

In many modern industrial, commercial, and domestic applications, it is increasingly common to find power electronic converters (PECs). The aim of PECs is to process and control energy conversion by supplying currents and voltages according to certain required functionalities and optimally suited to consumer loads. Today, modern PECs are involved in a very wide range of applications from switched mode power supplies to LED lighting, battery charging or electric vehicles, extended to renewable energy conversion systems, distributed power generation, flexible AC transmission systems, and many other applications [1]-[4]. Each PEC must be developed to satisfy specific requirements and must accomplish specific performance aspects, such as power density, efficiency, reliability, cost, and manufacturability [5]. In many sensitive or safety-critical applications the reliability of PECs is extremely important, especially due to substantial risks to human life, high costs because of additional downtime or even environmental problems. Despite the technical advances made by engineers and scientists in the design of reliability strategies and tools for PECs [6]-[7], the reliability issue will always be a challenge due to the increasing complexity of applications, high-level integration and the performance of new power devices (e.g., SiC and GaN devices). Improvements in reliability can be achieved using different strategies, namely: using more reliable components, using over-rated components, improving converter thermal management (to achieve lower device temperatures), designing the circuit very conservatively or even reducing the operation voltage whenever possible.

Despite similar objectives, reliability and fault tolerance have different meanings. Reliability is a metric used to quantify the system probability of failure within a given period [0, t], and is a function of time, R(t). Fault tolerance is usually considered the very last attempt to ensure continuity of service when it was not likely to predict or avoid the component failures [8]. Fault tolerance in PECs is a way to extend converter’s operation after failure until the next opportunity to stop and repair. The most common solutions regarding fault tolerance of PECs are based on the following aspects (which can be used either individually or in combination): using redundant designs (using online or standby devices/legs), implementing modified control strategies or even providing improved fault detection and diagnostic algorithms.

Several converter structures have been proposed in literature for fault-tolerant machine drives of two-level VSI (voltage-source inverters) with IGBT devices. Most of these two-level structures only provide reduced performance in case of a device failure and do not cover the most common failure modes [9]-[11].

Multilevel inverters were designed as an alternative to other classic topologies, especially in medium-voltage and high-power energy applications. Beyond other advantages, multilevel inverters offer the possibility to explore new switching control strategies to mitigate main failure modes of power devices [12]-[13]. Another kind of inverter, such as the case of the dual-buck, can also be used as a solution to provide higher reliability. This kind of power converters are characterized by two Buck converters. Due to this, the topology does not suffer shoot-through problems, as well as avoids the use of fast diodes in anti-parallel with the fully controlled power semiconductors. Besides that, it also allows to use power semiconductors with reduced conduction losses [14].

The proposed paper presents a new fault tolerant power circuit for a three-level NPC dual-buck inverter structure to achieve the desired fault-tolerance. In practice, the proposed solution is fault-tolerant to the most common failure modes considering that there are proper systems for fault detection and diagnostic. Depending on the exact location of the failure, the proposed solution can operate, even if more than one fault occurs.

II. THREE-LEVEL NPC DUAL-BUCK

Multilevel inverters now play an important role in many industrial applications. However, as described in the previous section, one of the problems associated with these power converters is the possibility of failure in the power semiconductors. One of the factors that could severely affect these inverters is the problem that appears in the case of a shoot-through. One of the topologies in which this problem is practically eliminated is the dual-buck inverter. For multilevel converters, the three-level NPC dual-buck topology is therefore considered very interesting for this purpose. As shown by Fig. 1, the three-level NPC dual-buck only has switches in the upper or lower part of the legs, which practically eliminates the problem of the shoot-through and could increase the reliability of this circuit. However, a failure in another power device could always appear (although not originated by the shoot-through).

The main failure causes of PECs are usually over-temperature, fault currents (earth fault current, short-circuit or overcurrent), and over-voltages [15]-[16]. Most of these causes usually lead to aging of the packaging or electrical degradation of the modules, which results in accelerated degradation mechanisms and increased junction temperature. The most critical causes are short-circuit currents and over-voltages. Despite modern IGBTs being designed to withstand between 2-10 times the nominal current, a low impedance short-circuit must be interrupted within a few microseconds to a few milliseconds (depending on the short-circuit impedance) using a fast fault detection algorithm and a soft switch turn-off drive. If IGBTs do not turn off earlier, the temperature may reach critical values (250ºC–300ºC) and damage the device [17]. The most common failure mode of IGBTs after a low impedance short-circuit is an internal open circuit, although in some cases an internal short-circuit is also possible due to silicon fusion or case rupture. Over-voltage is also a very destructive cause since it tends to stress the insulation of IGBTs. The most common failure mode after an excessive over-voltage is an internal short-circuit in the device(s) due to insulation failure. Other problems may arise in PECs due to failures in the driver circuit, auxiliary power supplies or EMC problems [16].

III. PROPOSED FAULT-TOLERANT INVERTER

The proposed fault-tolerant three-level NPC dual-buck topology can be seen in Fig. 2. The proposed topology is based on the classic NPC multilevel inverter by adding active power semiconductors to the inverter’s clamping diodes. This modification allows new bidirectional current routes or paths, recovering lost voltage vectors due to main failure modes of power semiconductors. Additionally, the classic IGBT modules of the main legs were replaced by dual-buck legs.

The solution presented in this paper has the advantage of discarding dead-times and therefore no shoot-through problems. Additionally, the freewheeling diodes can be selected independently and with fast reverse recovery characteristics to minimize switching losses. Moreover, the proposed solution minimizes the problems related with short-circuits in the power devices since the di/dt currents can be limited by the inductors of the fault-tolerant topology.

A bidirectional power device composed by two IGBTs (SNP) was introduced to connect or disconnect the neutral point (NP) during any failure mode, allowing to explore alternative configurations according to control strategy. An additional upgrade was made by introducing two NC (Normally Closed) solid-state relays (SSR) (e.g. S1U1, S1U2,….) in each branch or leg to isolate any short-circuit failure in power devices.

To explain the operation of the proposed solution, suppose that at certain instant, an open-circuit failure in power device S1U1 (phase U1) is detected at the same time as the inverter is supplying a three-phase inductive balanced load, as presented in Fig. 3.
The decision about the most recommended alternative path (devices that should be connected) to recover \( +U_{dc}/2 \) voltage in this phase leg will be implemented by the fault logic decision block as described in the next section. This decision block must choose one alternative path in accordance with the load requirements, faulty IGBTs, failure mode, capacitor voltage equalizing and control objective. In this situation the bidirectional SNP devices must be disconnected from the NP to allow this path. Nevertheless, if the initial open-circuit failure is in power device \( S_{011} \) the alternative paths can only be provided by Fig. 3 (Path B) and Fig. 3 (Path C). A similar strategy is used to deal with short-circuit failures although, in this case, it is necessary to isolate the faulty device through the operation of the respective SSR.

IV. FAULT-TOLERANT CONTROL STRATEGY

The fault-tolerant control strategy adopted in this paper is based on space vector modulation (SVM) with a sliding mode current control technique [18], combined with a fault logic decision block. The general block diagram of the fault-tolerant control strategy can be seen in Fig. 4. In this diagram it is possible to identify a closed-loop speed controller of a three-phase induction motor (IM), with emphasis on the fault logic decision block. Because the main focus of this paper is the fault tolerance of power converters, other aspects such as the capacitor voltage balancing technique or the SVM current control technique are not described in detail in this article and can be found in other publications such as [19].

The selection of the appropriate active power devices that ensure current tracking and capacitor voltage balancing for all the failure modes, according to the chosen voltage vectors, is performed by the fault logic decision block. For the correct operation of this decision block, it is essential to have fast active detection hardware mechanisms that operate “on-line” and therefore avoid the most destructive situations.

The proposed algorithm, running in the decision block, is based on several logical equations which identify the possible paths to recover the lost voltage levels after fault detection. Before the presentation of the logical equations, it is necessary to define the following general arrays and Boolean variables:

- \( \{i_1, i_2, i_3\} \) - Leg in OCF (Open-Circuit Failure) or SCF (Short-Circuit Failure);
- \( \{\alpha, \beta\} \) - Main power semiconductors in OCF or SCF;
- \( \{\xi, \rho\} \) - Redundant power semiconductors in OCF or SCF;
- \( P_i \) - Path to recover a lost voltage level for leg \( i \) exists;
- \( S_i \) - SSR to isolate short-circuit failures;
- \( N_j \) - Neutral point connection established or not;
- \( g \) - Auxiliary variables;
- \( +, \sum \) - “Or” operator; \( \Pi \) - “And” operator.

In the previous arrays and variables, \( i \) is the inverter’s leg, \( i \in \{1,2,3\} \), \( n \) is the number of voltage levels of the inverter; \( j \) represents the absolute position of the power device inside the inverter’s leg, \( j \in \{1...n-1\} \), \( x \) represents the relative position of the power device connection point, \( x \in \{0,1\} \), 0 - above; 1 - below; \( R \) indicates a redundant power device (e.g. \( S_{11R} \) is the redundant device of \( S_{11} \)); \( RS \) indicates a series redundant power device (e.g. \( S_{11RS} \) is the redundant series device of \( S_0^{11} \)); BP indicates a blocked path (or not accessible path) in the current configuration.

A group of generic auxiliary logical equations was set for each leg \( i \), for each failure mode, and for each relative position \( x \) inside of each leg (divided in two parts with respect to the load connection point, upper and lower), according to Eq. (1) and Eq. (2). Equations (1) and (2) make it possible to identify and separate failure modes within each leg, helping to choose alternative current paths, which SSR should switch (e.g. if \( S_0^{11} \) or \( S_0^{12} \) fail in open-circuit mode, then leg \( L_0^i \) is open-circuit faulty and cannot be used to impose the \(+U_{dc}/2\) voltage) and whether the neutral-point connection should be interrupted or not. The auxiliary logical equations are directly included in the final logical equations, but in this section they are presented separately to allow a clearer interpretation.

\[
L_{i,ocf}^x = \sum_{j=1}^{g} S_{ij,ocf}^x 
\]

\[
L_{i,SCF}^x = S_{il,SCF}^x - R_{il,SCF} + \sum_{j=1}^{i} S_{ij,SCF}^x
\]  

Analysing the proposed fault-tolerant topology, after fault detection, there are at least three possible paths (according to Fig. 3) to recover lost voltage levels for each leg \( i \), and for each relative position \( x \). These paths are indicated in the logical equations (3), (4) and (5). Such logical paths are available or “true” if the power semiconductors of the specific path have no failure modes (e.g. \( P_{11,1}^i \) is available if \( S_{11}^{01} \) has not failed in open-circuit and \( S_{11}^{01R} \) has not failed in open-circuit, and so on...). When the first path is available, this indicates that it is possible to obtain the desired voltage using the same leg. The same applies to the remaining legs. In the second and third paths the desired voltage is obtained using the remaining legs of the other phases. Despite the availability of such paths, the final decision about the path to be used is calculated by the final logic decision algorithm presented in Fig. 6 and Fig. 7.

\[
P_{1,1}^i = S_{il,ocf}^x - S_{il,i-1,ocf}^x - S_{il,i,ocf}^x - S_{il,i-1,ocf}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x
\]

\[
P_{1,2}^i = S_{il,ocf}^x - S_{il,i-1,ocf}^x - S_{il,i,ocf}^x - S_{il,i-1,ocf}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x
\]

\[
P_{1,3}^i = S_{il,ocf}^x - S_{il,i-1,ocf}^x - S_{il,i,ocf}^x - S_{il,i-1,ocf}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x - S_{il,SCF}^x - S_{il,i-1,SCF}^x
\]

The \( g \) and \( z \) variables used in all array variables obey modulo-3 congruence arithmetic within their respective domains, i.e. after the last value comes the first one again, according to equation (6). Considering, as an example, the available paths presented in equations (3), (4) and (5), this indicates that if an open-circuit failure is detected in leg number 3 \( (i=3) \) then one possible path can be obtained by the first leg \( (g = i+1 = 4 \Rightarrow 1 \text{ (4 returns to 1)}) \) and another by the second leg \( (z = i-1 = 2) \).

\[ g = (i+1); z = (i-1); \]  

The logical states of SSRs \( S_{ij}^{o1} \) for each leg \( i \) and relative position \( x \) are defined by the failures in each leg, following the same principle as equations (1) and (2). Thus, any short-circuit failure in the power devices of leg \( i \) and position \( x \) will lead to their opening, isolating the damaged power device and consequently the faulty leg, according to eq. (7).

\[ S_{ij}^{o1} = L_{ij,SCF} \]  

To perform this operation it is necessary to first detect the damaged device, which usually happens after a leg/capacitor short-circuit. Suppose that at a certain instant the power device \( S_{ij}^{o1} \) fails due to internal short-circuit (same action for short-circuit of \( S_{ij}^{o2} \) or \( S_{ij}^{o3} \)). Considering that the current control requires, in the same instant, the voltage \(-U_{dc}/2\) in phase \( U_{i1} \), this will result in a short-circuit in the capacitor \( C_i \) as presented in Fig. 5 a). In this situation, the inductors of the dual-buck inverter topology must ensure \( di_{ocf}/dt \) limitation according to equation (8), giving enough time to detect the presence of the failure mode and avoid destroying the DC bus capacitors and other power devices in case of short-circuit. The inductor values should be chosen carefully considering the \( U_{dc} \) voltage, the maximum current and the time that the power semiconductors withstand such values (this information can be found in the power semiconductor datasheets). Usually, the inductor impedance is quite small when compared with the load impedance and in normal operation the voltage drop can be ignored.

\[
\frac{di}{dt} = \frac{U_{dc}}{2(L_p + L_n)}
\]  

Fig. 5. Fault-tolerant three-level NPC dual-buck for short-circuit in power devices: a) Example of short-circuit of power device \( S_0^{12} \), b) Isolation process using the SSR \( S_0^{12} \).

After short-circuit detection, it is possible to isolate the damaged device/leg using the respective SSR, in this example \( S_{011} \) (see Fig. 5 b), allowing the converter to proceed in operation after failure.

To obtain a generic group of final fault logic equations for all inverter legs and for multilevel purposes, a new arithmetic variable \( s \) was specified, which is determined by the switching variables \( \gamma_i \) and \( \gamma_s \), as described by (9).

\[
\begin{aligned}
\text{if } \gamma_i = 1 & \text{ then } s = 1 - \gamma_i; \\
\text{if } \gamma_i = 0 & \text{ then } s = \gamma_i; \\
\text{if } \gamma_i = -1 & \text{ then } s = \gamma_i + 2;
\end{aligned}
\]

Finally, after all the auxiliary equations, it is possible to create a generic final logical algorithm for each specific switching variable \( \gamma \) according to the space vector chosen in control law. The partial algorithm presented in Fig. 6 is valid for all \( \gamma \neq 0 \).

![Fig. 6. Final logical algorithm valid for all \( \gamma \neq 0 \).](image)

Considering \( i = 1 \) (first leg), the first statement of this algorithm identifies the value of \( \gamma \) to understand which voltage level is required. The second statement indicates that if there are no open nor short-circuit in the \( L_1 \) leg, then \( S_{011} \) and \( S_{111} \) power semiconductors must be selected to supply \( +U_{dc}/2 \) to phase U1. The third statement indicates that if the path \( P_{1i} \) is available (see equation (3)) and if semiconductors of such path have no open or short-circuit fail for \( L_1 \) leg and if no short-circuit fail exist for \( L_1 \) and also if the NP wire connections are not used due to other faults in the remaining legs, then \( S_{111} \) and \( S_{111} \) power semiconductors must be chosen to recover the \( +U_{dc}/2 \) voltage (this corresponds to path \( A \) in Fig. 3). The same principle applies to remaining conditions of this algorithm. All the equations presented in this paper are processed cyclically with small time increments and the iteration indices are not shown to simplify the analysis of the equations. The power devices not mentioned in the equations are turned off by default. The logical state of the bidirectional switch \( SNP \) is dependent on the logical result of last iteration of the algorithm presented in Fig. 6 and is described by equation (10).

\[
S_{NP} = \prod_{i=1}^{N} \text{NP}_{i NP}
\]  

The algorithm presented in Fig. 7 is the sequence of Fig. 6 and represent all the possible combinations of power semiconductors per leg to produce a zero voltage in the \( i \) phase (\( \gamma = 0 \)) (and respective path), depending on the exact fault location and respective failure mode.

![Fig. 7. Continuation of the final logical algorithm, valid for \( \gamma = 0 \).](image)

This choice is based on a new switching state \( (\delta_1 \neq \gamma_1; \delta_2 \neq \gamma_2; \delta_3 \neq \gamma_3) \) that minimizes the following arithmetic function \( \xi \).

\[
\xi = |U_{ae}(\gamma_{123}) - U_{ae}(\delta_{123})| + |U_{ep}(\gamma_{123}) - U_{ep}(\delta_{123})| \tag{11}
\]
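The selection rule of equation (11) can be exercised with the following added Python example, which is not code from the paper. It assumes that the two terms of \( \xi \) are the α and β components of the output voltage under an amplitude-invariant Clarke transform, takes \( U_{dc} = 600 \text{ V} \) from Section V, and models a fault only as the set of levels each leg can still produce; the function names `alpha_beta`, `xi` and `substitute_state` are hypothetical.

```python
from itertools import product

U_DC = 600.0  # V, DC-link voltage taken from the simulation section


def alpha_beta(state, u_dc=U_DC):
    """Map a three-level switching state (g1, g2, g3), each in {-1, 0, 1},
    to (u_alpha, u_beta). Leg voltage is g * u_dc / 2 (assumed convention)."""
    u1, u2, u3 = (g * u_dc / 2.0 for g in state)
    u_alpha = (2.0 * u1 - u2 - u3) / 3.0
    u_beta = (u2 - u3) / 3.0 ** 0.5
    return u_alpha, u_beta


def xi(gamma, delta, u_dc=U_DC):
    """Distance of equation (11) between requested state gamma and
    candidate state delta, as a sum of absolute component errors."""
    a_g, b_g = alpha_beta(gamma, u_dc)
    a_d, b_d = alpha_beta(delta, u_dc)
    return abs(a_g - a_d) + abs(b_g - b_d)


def substitute_state(gamma, available, u_dc=U_DC):
    """Return (delta, xi) for the reachable state closest to gamma.

    available: one set of reachable levels per leg, e.g. {-1, 0} for a leg
    that has lost the +U_dc/2 level and has no recovery path left.
    Ties are broken by changing as few legs as possible, then by tuple
    order, so the result is deterministic.
    """
    candidates = product(*(sorted(levels) for levels in available))

    def rank(delta):
        changed = sum(g != d for g, d in zip(gamma, delta))
        return (round(xi(gamma, delta, u_dc), 9), changed, delta)

    best = min(candidates, key=rank, default=None)
    if best is None:
        raise ValueError("at least one leg has no reachable level")
    return best, xi(gamma, best, u_dc)


if __name__ == "__main__":
    # Constructed scenario: leg 1 can no longer impose +U_dc/2.
    legs = [{-1, 0}, {-1, 0, 1}, {-1, 0, 1}]
    for requested in [(1, 0, 0), (1, -1, -1), (0, 1, -1)]:
        delta, err = substitute_state(requested, legs)
        print(requested, "->", delta, "xi = %.1f V" % err)
```

In the constructed scenario the small vector (1, 0, 0) is recovered exactly by its redundant state, while the large vector (1, -1, -1) has no redundant state and is replaced by the nearest reachable one with a non-zero \( \xi \).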

V. SIMULATION RESULTS

This section presents some simulation results using the proposed multilevel fault-tolerant solution, the fault logic algorithm, the current mode (SVM) with sliding mode control and a three-phase induction motor (IM) as critical load. In this paper the simulation tests were implemented in MATLAB/Simulink. The main parameters for the simulations were \( U_{dc} = 600 \text{ V}, C_0 = C_1 = 10 \text{ mF}, L_n = L_p = 150 \text{ mH} \). Fig. 8 shows some resulting waveforms when an open-circuit failure in \( S_{12}^0 \) arises at \( t = 0.253 \text{ s} \) in the inverter operation with SVM current control applied to the IM without mechanical load. The temporary loss of control during the detection time can be seen (in this simulation it was considered that 5 ms are necessary to detect this failure). After this period, the fault logic control algorithm maintains the torque, speed and current within the desired pattern despite the operation mode between two and three-levels, as can be seen by the phase-to-phase voltage \( U_{12} \).

Fig. 8. Simulations results of the stator currents, angular speed, electromagnetic torque and output voltage considering an open-circuit failure introduced in \( S_{12}^0 \) at \( t = 0.253 \text{ s} \). The simulation results were applied to a three-phase induction motor without mechanical load using the proposed fault-tolerant topology.

Fig. 9 shows the output voltage vectors after the open-circuit failure introduced in \( S_{12}^0 \) at \( t = 0.253 \text{ s} \). Fig. 9a) represents the output voltage vectors without any fault-tolerant strategy (lost vectors: 1 to 9). Fig. 9b) represents the output voltage vectors using the proposed solution (lost vectors: 1, 2, 4, 5, 6, 8), recovering three fundamental vectors due to the combination of two and three-level operation modes.

Another simulation result of the proposed solution applied to a three-phase induction motor, now considering multiple open-circuit failures in different inverter legs, is presented in Fig. 10. Failures happened in \( S_{11}^0, S_{21}^0, S_{31}^0 \) at \( t = 0.29 \text{ s}, t = 0.35 \text{ s} \) and \( t = 0.4 \text{ s} \), respectively. In this simulation the mechanical load was introduced at \( t = 0.25 \text{ s} \) (8 Nm). In this figure it is possible to see the reduction in the electromagnetic torque after the very first failure due to the time necessary to detect this failure. In the following simulation result with multiple failures, the dynamics of the electromagnetic torque is quite fast, and the ripple increases with the increasing number of failures introduced. Because of this, the inverter tends to operate in two-level since the NP connection is unavailable.

Fig. 9. Output voltage vectors: a) Vectors lost after the open-circuit failure introduced in \( S_{12}^0 \) at \( t = 0.253 \text{ s} \) without fault tolerance, b) Vectors of the proposed solution.

Fig. 10. Simulations results applied to the IM with 8 Nm mechanical load at \( t = 0.25 \text{ s} \) using the proposed fault-tolerant topology. Stator currents, angular speed, electromagnetic torque and output voltage. Multiple open-circuit failures introduced in \( S_{11}^0, S_{21}^0, S_{31}^0 \), at \( t = 0.29 \text{ s}, t = 0.35 \text{ s} \) and \( t = 0.4 \text{ s} \), respectively.

Fig. 11 presents the capacitor voltages with 8 Nm of mechanical load in the IM, considering balanced and unbalanced conditions (unbalanced was simulated considering different stator inductances per phase due to machine failure) based on space vector redundancy. This simulation was performed considering the multiple open-circuit failures presented previously and demonstrates that the unbalanced load condition leads to worse capacitor voltage balance under this multiple failure scenario.

Fig. 11. Capacitor voltages with 8 Nm of mechanical load in the IM, considering balanced and unbalanced conditions.

VI. CONCLUSIONS

In this paper a new fault-tolerant topology based on the three-level three-phase NPC dual-buck inverter was proposed and analysed. In this solution, some additional redundant power semiconductors introduced in the NPC, combined with a dual-buck inverter structure and SSR devices, make it possible to explore other control strategies to mitigate the main failure modes of power semiconductors. Additionally, the use of SSRs provides a secure solution to isolate short-circuit failures. In this paper the proposed fault logic decision block combined with a current control Space Vector Modulation technique provides fault-tolerance to several failure modes of power semiconductors in different locations of the inverter, as demonstrated by several simulation tests and respective results. No auxiliary capacitor voltage balancing circuits are necessary with the space vector redundancy since this method achieves satisfactory voltage balance under different load conditions.

ACKNOWLEDGMENT

The authors would like to thank the support given to this work by national funds through FCT – Fundação para a Ciência e a Tecnologia, under project UID/CEC/50021/2019.

REFERENCES


