Simple and Robust Current Sensor Fault Detection and Compensation Method for 3-Phase Inverters

The present paper proposes a genuine, simple to implement, robust and reliable method for current sensors fault detection and compensation used for 3-phase inverters. Its functionality is based on an algorithm programed into a Field Programmable Gate Array (FPGA) as general controller. Usually, 3-phase inverters are controlled using field oriented control (FOC) which is generally triggered to sample the measured currents on the established switching frequency. As the latter is much smaller than the base clock of the FPGA, this allows hundreds of free time samples to perform other calculations in-between two FOC samplings. In this paper, a method that uses these free and unused time samples is presented. This method performs calculations for fault detection and compensation ensuring that at each new FOC sampling, this will receive the correct current data to reach continuous operation despite faults. The interleaving principle of the FOC with the fault detection method, as it will be proven in the paper, ensures high reliability of the complete controller diminishing the possibility of undesired or faulted readings to disturb the FOC’s calculations. The fault detection philosophy is based on continuous comparison of the instantaneous measured currents (sensor’s response) against reference values. The experimental results presented in the paper prove reliable operational performances of the method in both steady state and transient conditions. The added value of the paper consists in its genuine approach to handle the fault detection and compensation in-between two PWM ticks, ensuring that no faulted measurements can reach the control unit. This added value is based on functionality divided on several functions triggered by an internal generated clock synchronizing and handshaking their operations towards one goal: fault detection and compensation.


I. INTRODUCTION
The industrial achievements of the last decade focused on development of electric drives that have to be more and more reliable and must perform safe-critical and continuous operation; in case of faults occurrence. Up to an extent, reliability was increased by using high quality electric and electronic components, using optimization based designs and materials with better performances. As all the electrical drives nowadays are controlled by internal processors, increased system reliability was achieved by adding fault detection and compensation abilities to controllers.
Function of the exploitation area of the future drive, either automotive, space or defense, the fault free operation became mandatory to be implemented both into the physical system's architecture and into its controller. For the latter, The associate editor coordinating the review of this manuscript and approving it for publication was Dong Wang . many researchers invested efforts to develop highly reliable solutions, which can perform fast and secure fault observation, isolation and compensation.
In many operational circumstances, not the system itself can go faulty, but the sensors that monitor its behavior. Hence, solutions were developed to overcome such drawbacks. Engaging complex calculations based on resiliency using estimators and observers to provide data as replacement of the faulted sensors [1], [2], using fuzzy logic or artificial neural networks observers [3], were some proposed solutions.
Induction motor fault tolerant controllers using a wavelet index [4] proved to have satisfactory behavior. Another philosophy for high reliability was to use multi-controllers able to replace the original one after fault occurrence [5].
Safe-critical applications demand real time or virtual detection of the faulted sensors, issue solved by researchers in publications such as [6], [7]. Model based fault tolerant controllers [8] or modified Kalman filter-based ones [9] proved to be operational and lucrative solutions when users have good model description at their disposal. More complex implementations based on state observers [10] or parity space approach [11] were developed, however, their real implementation is quite difficult. Overall, the trend nowadays is to create systems that can reconfigure after fault occurrence as proved in [12], [13]. The advances in the field of control processors resulted in extremely fast, fixed sample time and hardware programmable units such as the Field Programmable Gate Array (FPGA). These became more and more involved in the industry of power electronics controllers due to their high reliability and development of their programing environments [14]. Taking advantage of the mentioned benefits of FPGAs, these can by their nature give the opportunity to implement fault-tolerant algorithms [15]- [17]. As one FPGA can handle several internal loops operating at different clock rates, it is straight forward to implement fault detection loops that run faster than the inverter controller one [2]. Nevertheless, if grid tied inverters are required to be fault tolerant, power quality and grid fault indicators have to be included in the fault detection and compensation algorithm [18], [19].
In the present article, the authors explain and prove the functionality of a mathematically simple, fast and reliable fault detection and compensation method. The philosophy relies on running the fault detection algorithm (FDA) much faster than the actual FOC. This can easily be achieved by using a FPGA as controller.
It is known that the sampling of the measured currents for FOC is triggered on the PWM frequency. The latter is much smaller than the sampling frequency of the FPGA that is in the range of few to tens or hundreds of MHz.
The FOC, by its nature, outputs the reference I Dref and I Qref currents, computed function of the chosen control strategy. Supplying these references to the FDA together with the (θ ) angle of the rotor, results in obtaining a 3-phase reference currents system. The FDA monitors the instantaneous difference between the measured and these reference currents, accumulating it for each PWM cycle. If the accumulated difference passes a certain threshold, the FDA will label this event as faulted sensor or sensors, performing compensation calculations. By the time the FOC requires new input data it will receive instead of the wrongly measured currents, those calculated to perform continuous operation. Using a fixed threshold instead of a current percent based calculated one [19], [20] proved to be a much more reliable and robust solution. The FPGA and PWM chosen frequencies are up to the designer's will, those used in this paper are pure examples. The method can ensure continuous operation in case of one or two out of three sensors are faulted. It is important to mention that the same philosophy can be applicable for mono-phase inverters, poly-phase ones, as well as for DC-DC converters. This method is registered at the State Office for Inventions and Trademarks, Romania, under no. A/00156/04.07.2018 [21]. The patent's claims regard its operation based in between PWM cycles and its compounding 4 functions that will be detailed further on.

II. FAULT DETECTION ALGORITHM
In fig.1 the complete control unit of the investigated system is depicted. This includes the classical FOC that outputs the dq voltages to be converted into 3-phase values using the inverse Park transformation, based on the measured rotor position (θ). The 3-phase voltages are sent to a PWM generator to be compared with the fixed frequency carrier. The outcomes of the comparison are the gate (ON/OFF) signals for the electronic power inverter which supplies the permanent magnet synchronous machine (PMSM). The rotor position and its velocity are fetched using a resolver mounted directly on the shaft.
It is known that in any inverter controller, the sampling of the measured currents used by the FOC is triggered on the PWM frequency. For practical exemplification, one can assume that the latter is fixed to 10kHz. On the other hand, the FPGA base clock operates at much higher frequencies, say for example 5MHz.
This points out that between 2 consecutive FOC current samplings there are 499 FPGA ticks available for the FDA to perform its fault detection and compensation calculations.
During the 499 free ticks when the FDA performs its calculations, the input currents for the FOC will not be refreshed. New measured currents will be supplied to the FOC on tick no. 500+1, corresponding to the PWM carrier reset. This process is repeated every 500 FPGA ticks, considering the above mentioned two fixed frequencies.
For better understanding, this discussion must be referred to fig. 2. The FDA is designed to operate exclusively on the 499 ticks while the FOC is not supplied with new current measurements. By the end of the 499 ticks, the FDA observes, calculates and compensates the occurred fault(s) and supplies the FOC with proper current values for it to have continuous operation without any disturbance due to the loss of sensor measurements. It must be reminded that the 10 kHz and 5 MHz frequencies values presented above are just examples. The FDA can be applied for any other such combinations as long as the FPGA frequency is at least 100 times larger than the PWM's one. This conclusion was formulated via experimental observations of the authors.  The concept of the FDA refers generally to commercial inverter situation equipped with IGBTs or MosFETs. SiC and GaN based inverters with switching frequencies that reach around MHz would require latest generation FPGAs to attempt to run 100 times faster than the PWM frequency, this being admitted as a possible limitation of the procedure.
The concept of fault detection and compensation algorithm is foreseen to be an add-on function to the classical Field Oriented Control (FOC) implemented for permanent magnet synchronous machines supplied from 3-phase inverters.
The add-on function that performs the fault detection algorithm (FDA) intervenes between the currents measured from the sensors and the FOC. This is due to the fact that the FDA, as it will be detailed, will be responsible with detecting the loss of measurements and when needed, their compensation.
The FDA requires as inputs: the measured 3-phase currents (I A , I B and I C ), the measured rotor position (θ ), the reference dq currents computed by the FOC (I Qref and I Dref ) and the PWM Trg signal. The latter is used as trigger signal to inform the FDA when a new PWM period starts. This is mandatory in the FDA logic, as it will be described in the general timing rules section. . These currents will be used on one hand to calculate the compensation of the unmeasurable currents due to faults (in function F2) and on the other hand, will be references for determining when and where a sensor fault occurred (in function F3). This function operates uninterrupted, continuously supplying the reference currents values to the FDA.

C. FUNCTION 3 (F3): FAULT DETECTION
As it can be seen in fig. 3, function F3 computes for each tick (k) the instantaneous error (difference) between the measured currents (I A , I B and I C ) and the reference ones (I Aref , I Bref and I Cref ). This is accomplished for each phase individually. The result of the comparison obtained on each tick is continuously summed with the previous values, performing a real-time monitoring of the error variation on each phase. These sums are continuously streamed to function F4 to be handled as decisional inputs. When the (k) counter resets (at the end of the 499ticks), the 3 errors (ζ A , ζ B and ζ C ) obtained in the previous PWM cycle are reset to 0 in order to be ready to perform the comparisons on the following operational cycle. In section D.3 the coupled operation of the 4 functions in pursuing fault detection will be explained based on the flowchart from fig. 6. Section C and D.3 aim the complete step by step description of the fault detection mechanism implemented in the FDA.

D. FUNCTION 4 (F4): FAULT COMPENSATION AND DECISIONING
The 4 th function is the largest one by means of algebraic algorithms. Based on the information received from all the other 3 functions, F4 has the role of judging when, on which sensor and whether one or two faults occurred and using this information will conclude on how the fault will be compensated. All these calculations will run in parallel with the other functions and by the end of each PWM cycle, there will be 2 general states: the state of no fault, in which case the FOC will receive the actual measured dq current components; if there are faults detected, the FOC will receive the compensated currents, generated by function F4. In any circumstance, the occurrence of the fault(s) is handled in such manner that the FOC will not sense any negative influence nor will have knowledge about the existence of the fault(s). This ensures continuous and seamless operation with or without faulted current sensors. Before discussing the fault detection mechanism, it is proper to manifest a detailed explanation regarding the methodology of compensating the loss of measurements for the damaged sensors.
Any 3-phase inverter can be equipped with two or three current sensors, depending on the application and on its demanded fault tolerant abilities. The following explanations prove the ability of applying this methodology for both types of inverters, handling single or double sensors fault compensation. As general rule, it is known that the Park transformation is approached in 2 steps. First, the 3-phase entities are converted into αβ components and then the latter ones into dq quantities. The mathematical tool for the transformation is expressed in eq. (1).
Eq. (1) highlights that only 2 of the 3-phase components are engaged in the Park transformation. To proceed with the explanations, in eq. (2) the general expression of the 3-phase currents is pointed out. It must be mentioned that both in (1) and (2), (θ c ) was intentionally added. This variable will shift the currents angle for fault compensation purposes, as it will be detailed further on. However, in normal condition, the value of (θ c ) will be 0.
The following discussion will be referred to fig. 4 in which the fault occurrence and the manipulations towards adapting the (θ c ) angle are visually sequenced. Initially all the sensors are operational and measuring the 3-phase currents ( fig.4a) and currents I A and I B are used to perform the Park transformation.
Let us assume that the sensor measuring current I A goes faulty ( fig.4b). In this case, considering eq. (1), the conversion into dq components will be wrong. However, currents I B and I C are still measured and available. Taking advantage that the Park transformation requires only two out of three currents for the dq conversion, manipulating mathematically the remaining two measured currents solves the problem. If the αβ system remains in place, the first step is to reverse the I B and I C currents as follows ( fig. 4c).  In doing so, one will obtain the expressions from eq. (3). At this instance, the calculated values of the dq transformation would still return wrong results. The solution to correct these calculations is to perform another manipulation, rotating the newly obtained system of currents to have any of them overlapping the α-axis. This is the reason why the (θ c ) angle was intentionally introduced in the equations. Hence, knowing that the I A current measurement is faulty, adding (θ c ) with a value of -π/3 and solving the mathematics in eq. (3), shifts the new current to overlap the α-axis. These calculations are detailed in eq. (4).
Comparing eq. (4) with eq. (2) it is obvious that the form of the newly corrected currents I Ac and I Bc are the same as the one of the initial I A and I B currents. This is also visually depicted in fig. 4d.
Identical calculations can be approached for all the other one sensor faults scenarios. The goal is to obtain always a currents system that overlaps the α-axis. In doing so, the dq transformation will always result in correct output. Function of the faulted current measurement, in table 1 are detailed all the possible values of the newly corrected currents and their corresponding shifting angles.
The practical implementation of this concept is quite simple as it is depicted in fig. 5.
In case of normal operation, the I Ac and I Bc currents are equal with I A and I B measured from the sensors, while the correction angle is 0. In case of any faulted sensors, corresponding to table 1, these are compensated.

2) DOUBLE SENSOR FAULT CORRECTION
It is obvious that a single fault correction relies on manipulating the remaining two measured currents to be used in the dq transformation. However, let us assume that two current sensors go faulty, and only one of the 3-phase currents remains measured. In this condition, the solution presented previously cannot perform fault correction as only one measured current is available. Now, taking advantage of this remaining measured current, a second one can be created or estimated.
It is known that in a FOC loop, the calculated reference values for the I Dref and I Qref currents are close values to the actual measured currents in the inverter. Having measured the rotor angle, and using these reference values for the dq currents, it is simple to build an estimated 3-phase currents system, I Aest , I Best and I Cest via the inverse Park transformation, mathematically detailed in eq.(5) In doing so, there will be one available measured current and 3 estimated ones. For the correct Park transformation, the only one remaining measured current in not enough. However, using this measured current and the estimated ones, there is a possibility to create another current as a hybrid mixture between measured data and estimated data. This new current together with the measured one will perform correct Park transformation for fault tolerant purposes.
These 3-phase estimated currents are directly the outcome of the FOC control unit. Simply using them as replacement for the unmeasured ones would be totally incorrect. However, using Kirchhoff's law to obtain one current that contains both measured and estimated data is a lucrative solution. The mathematical calculation is given in eq.(6), having each time 2 possible ways to obtain the calculated current function of the remaining measured and estimated ones. The resulted calculated current (I Ac ) can be used together with the actual measured one (I B or I C ), to perform correct Park transformation. It may seem simple but this approach in fact adds measured data into the estimated one resulting in a new calculated current shape (I Ac , I Bc and I Cc ) that includes PWM noise together with measured amplitude and frequency, all ingredients that gives these new currents reliable attributes to be close to ''measured'' values.
Calculations such as those presented in eq.(6) for (I Ac ) can be performed for the other two phase currents (I Bc and I Cc ), function of the remaining measured ones.
At this moment, the system has one measured current and one calculated. From here, the methodology presented in the D.1. Single sensor fault correction section becomes valid and can be applied. Summarizing the above-mentioned methods for sensor fault correction proves that with simple conversions it is possible to obtain from two or even one measurement the complete and correct system of 3-phase currents required by the inverter's controller.
In table 2, the corrections that are engaged both to the currents and the shifting angle are detailed for any 2 faulted sensors. Tables 1 and 2 cover all the possible one or two sensors faults that can occur and all the corrections that need to be applied for each case.
It is to say that the FDA does not quantify the type of sensor fault nor its damage ratio compared to its healthy state. The FDA declares a sensor as faulted if the quantity measured by it deviates from the known reference over the threshold value. The latter will be detailed in the following sections. The main interest of the research was to offer a genuine, robust and reliable solution for current sensors fault detection and compensation for industrial/commercial inverters.

3) FAULT DETECTION AND DECISION RULES
All the timing details required by the proposed fault detection method were presented in detail in the discussion related to fig.2. The general behavior of the fault detection algorithm was briefly presented in section C. The step-by-step operation to detect the fault, to judge if one or two sensors are misfunctioning and to quantify the occurred damage ratio will be presented based on the flowchart from fig. 6.
When the FDA receives the trigger signal from the PWM (PWM Trg), the counter k is initialized from 0 and starts counting. It will count until the next trigger (PWM Trg) signal which will reset k to 0. On the first tick, k=1, the I A1 , I B1 and I C1 currents are fetched from the sensors and delivered to the FOC for it to perform its own calculations. During the rest of k tics, the current sensor's readings are supplied exclusively to the FDA.
Each pair (k) of measured (I Ak , I Bk and I Ck ) and reference (I Aref_k , I Bref_k and I Cref_k ) currents are compared, resulting 3 differences (ζ A_k , ζ B_k and ζ C_k ). Each of the 3 differences (or errors) are accumulated over the entire PWM cycle. The accumulation is accomplished by adding, for example, to ζ A_k the value from ζ A_k−1 . This algorithm is valid for each of the 3 phases. These errors are non-dimensional factors and represent of the deviation of the measured signal versus its reference one.
This error is continuously streamed to function F4 that monitors it and decides whether a fault occurred or not and how it should be compensated. The fault occurrence is detected by comparing the accumulated error with a fixed threshold (ζ max ). Based on experimental testing, this threshold was set to a value of 12. The motivation of this threshold's value is that during normal operation, the accumulated error's value over a complete PWM cycle ranges between 8 and 10 (mainly due to the signal's pollution with noise). Hence, setting the threshold value to ζ max = 12 proved to be sufficient to ensure fast and precise detection in case of fault occurrence.
If the threshold is passed by any of the 3 accumulated errors (ζ A , ζ B and ζ C ), the FDA will detect the fault occurrence and mark it with the unique Fault Identifier. The mechanism monitors independently the 3 errors. Hence, function of how many errors pass the imposed threshold (ζ max = 12), the FDA judges whether there is one or there are two faulted sensors.
If there is a single sensor fault detected, the monitoring mechanism will be interrupted (disabled) for 3e6 ticks, as already explained. This is practically accomplished by interrupting the process that continuously sums the errors (visible in fig. 6).
If there are two sensors faults detected, the monitoring mechanism is disabled definitely, the FDA being able to withstand only 2 faulted sensors out of 3.
Using the Fault Identifier, the FDA will continue to use only the healthy measured currents while the faulted ones will be replaced by their corrected values (visible in fig.6) In the case of 2 faulted sensors, not only the estimated dq currents but also new PI regulators gains are supplied to the FOC.
The following discussion must be regarded to both fig.3 and 6. In normal conditions, the accumulated error for a complete PWM cycle is less than the threshold. In this case, when the PWM cycle is over, on tick 499, function F3 resets the accumulated errors to 0, ready to start new computations. On the next PWM cycle, on tick no. 1, function F1 will provide the FOC (via function F4) with the first 3-phase currents readings, while the rest of 499 readings (corresponding to the 499 ticks) are streamed to function F3 to be compared with the references.
If the threshold is passed by any of the 3 errors, function F4 will perform the following sequence: 1.Establish which of the errors passed the threshold and mark this error with a unique code as Fault Identifier.
2.Using this identifier, a decision is taken to correct the fault function of its gravity: one or two damaged sensor(s).
3.It disables the fault detection mechanism (function F3) for a period of 3e6 ticks (6000 PWM cycles) to avoid future false fault detection.
4.Using the same fault identifier, function F4, supplies the FOC with new gains (k p_c and k i_c ) for the PI regulators. 5.Ensures that at the end of the cycle the corrected values of the currents and of the angle are sent to the FOC 6.At the end of the cycle the function F3 will reset to 0 only the accumulated errors of the healthy phases. The errors of the faulted ones will remain resilient and set to maximum value.
7.In case of two faulted sensors, function F4 keeps resilient the fault identifiers and shuts down the detection algorithm for the remaining operation time.
Some remarks need to be detailed regarding the steps taken in case of fault occurrence, earlier presented. In case a single or double sensor fault is detected, the unique codes that labels the malfunction are given in table 3. In the same table, depending on the faulted phase or phases, the calculated currents (I Ac and I Bc ) and the required shifting angle (θ c ) are given.
The unique identifiers detailed in table 3 will label the fault(s) observed by the system at step no.1. This will be used in step no.2 to decide what will be the future approach for compensating the fault(s). Such an approach makes sure that certain fault(s) is/are handled with the correct compensation, preparing the new calculated current, shifting angle and if necessary, regulator gains for the FOC.
The 3 rd step disables the detection process for 3e6 ticks to avoid future false fault detection. The latter was experimentally observed to happen due to transients when replacing the measured currents with those calculated (as presented in D.1 and D.2). However, after this period, function F3 is enabled again as the system is considered settled.
Step no. 4 handles the replacement of the original k p_c and k i_c gains of the PI regulators with new values that will keep stable the system and the machine's operation. This was also experimentally observed by the authors to happen in case of double sensors fault. The phenomena is due to the fact that only one real current is used, while the second one is a mix between the measured and the estimated current. The initial regulators can behave unstable and the solution engaged was to online modify their gains. This procedure proved very good performances, as will be observed in the results section.
Step no. 5 handles the last tick of the PWM cycle. During this tick, current values are sent to the FOC for it to perform new reference calculations. If there is no fault, the measured currents are streamed to the FOC. If there is/are occurred fault(s), the FOC will be supplied with the new calculated current(s), shifting angle and if necessary, regulator gains.
The 6th step ensures that the faulted phase's identifiers will remain resident for all the future PWM cycles while the accumulated errors of healthy phases are set to 0 at the beginning of each new cycle.
Because the method can withstand maximum 2 faulted sensors, the detection algorithm is stopped, and the system is operated with the calculated currents until safe shutdown can be performed.
The damage ratio of the faulted sensor is automatically quantified when attaching it to the fault identifier. This label is unique and marks weather is one or two faulted sensors in the system. The type of damage and the actual state of health of faulted sensor is not within the interest of the study as this was focused exclusively on development of a genuine fault detection and compensation method for power inverter's currents sensors.

III. FAULT DETECTION ALGORITHM PERFORMANCE TESTING
In order to test the functionality of the described method, a testbench compound of a 300W PMSM (28Arms, 2Nm and 1000rpm) supplied from a 3-phase inverter with 48V DC link voltage was used. The controller that included the classical FOC strategy as well as the proposed fault detection and compensation procedure was a R-Series NI-USB-7856R board from National Instruments. The latter contains a Kintex 7 FPGA programmed using LabVIEW FPGA environment.
The entire architecture of the FOC and the FDA were designed in fixed point (FXP) representation, this being mandatory for the Vivado compiler to synthesize the algorithm into the FPGA. The complete testbench is depicted in fig. 7.
For analyzing the capabilities and the operational skills of the proposed method, several tests were carried out. Single and double faulted sensors operation was studied for low and then for close to rated speed condition. The induced faults were sensor open circuit (sensors signal lost) and faulty measurement (arbitrary sudden amplitude variation).
The continuous operation of the PMSM after fault(s) occurrence is highlighted by the measured machine velocity and by the plotted I D and I Q currents directly from the output of the FOC. In the following plots, with (I abcM ) were denoted the currents measured from the sensors, with I abcE were denoted the estimated currents and with (Err abc ) the accumulated error (fault identifier) for each phase.

A. ONE SENSOR DETECTION/CORRECTION
The first test carried out to highlight the functionally of the proposed method was to create one sensor open circuit during machine operation at 205rpm.
In fig. 8a-top the currents measured from the sensors are depicted, while in fig. 8a-second plot, the estimated ones obtained from the reference values of I Dref and I Qref from the FOC are plotted.
The fault occurs at 0.28s, as open circuit on phase A's sensor. Fig. 8a-third plot highlights the accumulated errors on each phase before and after the fault. When the error accumulated by function F3 passes the threshold imposed by function F4, the latter sets this fault identifier to a value of 25, according to the fault of phase A (see table III). In fig. 8a-bottom it is noticeable that the speed of the machine is not influenced by the fault's occurrence.
Going further with the analysis of the proposed mechanism, in fig. 8b a detail on the errors handling is presented. Fig.8b-left corresponds to the moment of the fault occurrence while fig. 8b-right highlights the fact that until 0.88s the fault detection algorithm is disabled (meaning that all the accumulated errors of the other phases are frozen to a constant value under the threshold). The period from 0.28 until 0.88, meaning 0.6s corresponds to 3e6 FPGA ticks. After this disabled period, function F3 is enabled to continue the comparison of the measured vs. estimated current values.
It can be observed in fig. 8b-right that after enabling once again function F3, the error on phase A remains resilient at its maximum value, while the monitoring is continued only on phases B and C. In fig.9, the 3-phase currents from the sensors and the dq ones from the FOC are plotted before and after the fault occurrence. VOLUME 8, 2020  Despite the missing current measurement on phase A, the dq components of the FOC do not sense any disturbances, continuing smoothly the machine operation.
The second test was fulfilled for the same fault on sensor measuring current A but at a speed of 900rpm. All the explanations manifested for the test at 205rpm remain entirely valid here as well. In fig. 10, the results of this second test are depicted, proving the continuous operation of the machine FIGURE 11. One sensor fault by sudden multiplication of its measurement @ 900rpm.
for one faulted sensor at 900rpm. The machine is able to maintain the imposed constant speed and pass seamlessly over the moment of fault occurrence. In order to have a complete testing approach, another fault was generated by multiplication of the measured signal with a constant obtaining sudden increase of its value. To prove the functionality of the method, randomly selected, the sensor measuring phase B's current was faulted. The results are plotted in fig. 11, highlighting again the fault tolerant ability of the method and the continuous operation of the machine.
It can be seen that the fault identifier is now 5, according to fault on phase B (see table 3). In order to avoid redundancy when presenting results, in the article this test was included only for 900rpm.
However, the authors ensure that such tests were carried out at several other machine velocities, several multiplication and simplification factors. These tests were performed randomly on all the 3 phases of the machine. For each test, the performances proved the method's operational attributes and robustness.

B. TWO SENSORS DETECTION/CORRECTION
The next level of fault tolerant abilities of the proposed method refers to allowing continuous operation of the system when only one current sensor remains functional. The philosophy and the mathematics behind this approach were presented already in detail in section D.2 and D.3.
As reminder, for the dq transformation, 2 sinusoidal currents are required as inputs to be able to perform correct calculations. In the previous sections it was proven that with proper manipulations, one can mix the single remaining measured current with estimated values, in order to obtain the second needed current for the Park transformation.
For these tests, the same scenarios were considered as for the single sensor faults. Hence, testing the machine behavior under dual sensor fault was performed at 205rpm and 900rpm as well as for a sudden increase of the measured values.
In fig. 12a, the first such test results are depicted. Already one sensor was faulted (the one measuring current A), hence the fault identifier was kept resilient by function F4 at the value of 25 (according to table III). At the instance of 0.55s a second fault occurs (the sensor of phase B). The fault is detected, and the identifier is modified from 25 to 30. The latter is obtained by summing the fault identifier of phase A (25) with the one of phase B (5). In doing so, the new identifier labels the dual sensor fault that will be the decisional value for function F4 on how to compensate it in order to keep the continuous operation. In the same time, function F3 is disabled until safe stop of the system, as the method allows operation with maximum 2 faulted sensors.
Analyzing fig. 12a-bottom, the velocity of the machine is not influenced even if only one sensor keeps measuring the PMSM current. The second current required by the Park transformation is supplied to the FOC based on the methodology already presented.
In fig. 12b-top, the dq currents of the FOC are plotted. It can be observed that in the instance when the fault occurs, there is a small spike due to the replacement of the measured with the calculated currents. This justifies why there is a need in replacing the PI regulator gains in order to minimize its perpetuation on the remaining operation time of the inverter. In the same plot, after the fault occurrence it is noticeable that the shape of the dq currents have a light change compared to the time period before the fault. This is motivated by the change of the regulator that now have different values for the proportional gains.
The second test carried out for double sensor fault is performed at 900rpm. The results are depicted in fig.13. Again, it is considered that initially phase A's sensor is faulted this being labeled by the fault identifier set to 25.
The sensor reading phase B is faulted at 0.37s, increasing the fault identifier to 30, as explained previously. It is noticeable that the speed of the machine is not influenced by the occurrence of the second fault in fig. 13a-bottom. In fig. 13b-top, the dq currents prove the minimal influence of the fault over the operation of the controller. The same debate as for 200rpm test is valid in this case as well.
The last performed test was to apply a sudden multiplication factor to one phase, in the hypothesis that another phase already has increased incorrect reading. These results are plotted in fig.14. Initially, phase C has wrong sensor reading, hence the fault identifier is already set to 15. At the time instance of 0.32s a second fault is applied by multiplying the readings of the sensor of phase A.
This fault adds to the initial identifier the value of 25, resulting in total 40, that labels for function F4 that VOLUME 8, 2020 measurements of phases C and A are not usable any more. However, the machine pursuits continuous operation as it can be seen in fig. 11a-bottom, maintaining it velocity at around 900rpm.
It has to be mentioned that in order to avoid redundancy of the results, other tests were not included in the paper. However, the authors ensure that laboratory tests proved the operation of the system for any faults on any phases.
Not only multiplication but also division of the measured signal with arbitrary constants were tested, and the response was always the desired one. Continuous operation was always reached in any considered fault scenarios.

C. ONE AND TWO SENSORS DETECTION/CORRECTION IN TRANSIENT CONDITION
All the experimental tests carried out in the previous sections prove the operational skills of the method, however these were presented in steady state condition. In order to certify that by this method the machine can pursuit continuous operation in any of the mentioned fault conditions until it can be safely stopped, a transient condition is analyzed with one and then two faulted sensors.
The results from fig.15 depict a totally random machine acceleration for a time period of about 2s. Initially, all the 3 sensors are measuring the current supplying the machine.
At 0.25s the first fault is applied by opening the circuit of the sensor measuring phase C. In this case the fault identifier is set to 15 (according to table III). At 0.95s a second fault is applied opening the circuit of sensor measuring phase A.
The fault identifier receives an extra 25 reaching the value of 40. As the limit of 2 allowed faults is reached, function F3, handling the fault occurrence monitoring via continuous comparison is disabled. In fig. 11b-top, the sequence of fault occurrence is visible by the disappearance of the currents, initially of phase C and then of phase A.
The continuous and correct machine operation is proven by fig. 15-bottom. Here, the random refence machine speed is compared to the one measured from the PMSM's resolver. The quite good agreement highlights that the method can perform continuous operation even if the machine is in transient condition. This also proves that in case of 2 occurring faults, the controller can handle transients like deceleration to stop safely, even if only one sensor remains operational.

IV. CONCLUSION
Fault tolerant control units were proved to be approached widely in the literature, as presented in the introduction section of the paper. However, many solutions were either limited for certain operational domains either mathematically too complex. Developing robust, reliable and simple solutions comes as added value to the existing publications. Such an approach was presented in detail in this paper. Industrial 3-phase inverters are based directly on measuring only 2 out of 3 phase currents, however, even in this case, the proposed methodology works fine if one of the 2 sensors used is faulted. Inverters equipped with 3 current sensors are used in more safe critical systems such as automotive, aerospace or defense. Hence, for these applications, the presented methodology offers a straight forward solution for implementing an add-on tool, which can be optionally included in the inverter controller. This plug-and-play attribute of the method allows future users to implement it even on existing commercial inverters, by simply creating a software update.
The methodology was implemented in a FPGA because lately these became more and more used as control processors for inverters. However, with proper programming and sequencing of its functions, the method can be implemented in other types of processors. The most essential principle that has to be mandatory is to perform all the fault detection and compensation calculations between 2 PWM cycles, while the FOC is not supplied with new measurements. In doing so, each time the FOC requires new current inputs, the method will provide measured or calculated current values, according to the state of health of the sensors. Such an approach ensures that there is no possible way for wrong readings to reach the FOC and this mitigates the possibility of hazardous operation in case of fault occurrence.
This method of fault detection and compensation is foreseen to be implemented in commercial inverters equipped with IGB's or MosFETs, with switching frequencies up to hundreds of kHz. On the other hand, implementation of the FDA in inverters built with SiC and GaN devices might be limited by the requirement of the FDA to run 100 times faster than the PWM frequency.