A Sensor Fault Detection Scheme as a Functional Safety Feature for DC-DC Converters

DC-DC converters are widely used in a large number of power conversion applications. As in many other systems, they are designed to automatically prevent dangerous failures or control them when they arise; this is called functional safety. Therefore, random hardware failures such as sensor faults have to be detected and handled properly. This proper handling means achieving or maintaining a safe state according to ISO 26262. However, to achieve or maintain a safe state, a fault has to be detected first. Sensor faults within DC-DC converters are generally detected with hardware-redundant sensors, despite all their drawbacks. Within this article, this redundancy is addressed using observer-based techniques utilizing Extended Kalman Filters (EKFs). Moreover, the paper proposes a fault detection and isolation scheme to guarantee functional safety. For this, a cross-EKF structure is implemented to work in cross-parallel to the real sensors and to replace the sensors in case of a fault. This ensures the continuity of the service in case of sensor faults. This idea is based on the concept of the virtual sensor which replaces the sensor in case of fault. Moreover, the concept of the virtual sensor is broader. In fact, if a system is observable, the observer offers a better performance than the sensor. In this context, this paper gives a contribution in this area. The effectiveness of this approach is tested with measurements on a buck converter prototype.


Introduction
Safety principles were initially considered in the military and nuclear areas and were then transferred to transport, process and control industries. Particular sector standards, dealing with safety critical points were defined afterwards. A large number of products and processes satisfy the standards of IEC 61508, for instance, automotive safety products, medical devices, sensors, actuators, diving equipment and process controllers. The international standard IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems) describes methods on how to apply, design, deploy and maintain safety-related systems. The adaption of IEC 61508 for Automotive Electric/Electronic Systems is ISO 26262, which defines functional safety as: "The absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems". It further classifies malfunction of the electrical/electronic component into two types of failures: • Systematic failures • Random failures.
Systematic failures are induced during development, manufacturing, or maintenance (process issues) and can be addressed by safety management activities. Random failures are hardware failures due to aging processes or random defects. They are addressed by safety mechanisms that detect or control faults to achieve or maintain a safe state of the system. Some of these safety mechanisms are: • Error correction code • Hardware redundancy • Built-in-self-test.
Detecting faults is one of the most challenging and important tasks in any field of application, see [1,2]. In the presence of strong noise, detecting faults becomes a difficult task. In [3], a new advancing coupled multi-stable stochastic resonance method, with two first-order multi-stable stochastic resonance systems, namely CMSR, is proposed to detect motor-bearing faults. Fault detection is also important in economy in which, very often, fault assumes the meaning of risk. In [4], a novel first-hitting time model is established to measure the relationship between the option reliability index and the value of risky assets. Detecting faults and isolating them using observer-based techniques has been applied to many technical fields. In this sense, a sensor fault detection scheme for induction motors was proposed in [5]. An aircraft engine fault diagnostic system based on Kalman Filters (KFs) was shown in [6]. Other examples for applied diagnosis systems are air conditioning [7], multilevel converters [8] and DC-DC converters [9].
To achieve functional safety, the term "hardware redundancy" often means redundant sensors, with all its drawbacks, including extra costs. In general, in the field of fault detection and safety, observers are used to establish a strategy to detect faults and errors. In [10], a Fuzzy observer based on Takagi-Sugeno (T-S) Fuzzy systems for sensor faults is proposed. In this work, sufficient conditions are obtained by determining the Fuzzy observer gains to detect sensor faults. However, in most publications, the observer used for fault detection is a KF-based scheme. The KF is one of the most important and widely used algorithms in the field of identification and observation for systems of any nature. After the seminal work proposed in [11], many different articles were proposed in the field of state observation which were summarized in surveys and books, see, for instance, the pioneer contributions in [12,13]. More application-oriented works are those in which discrete nonlinear systems are considered, as it is done in [14]. In this publication, it is shown that under certain conditions, the Extended Kalman Filter (EKF) is an exponential observer, i.e., the dynamics of the estimation error is exponentially stable. This is proven by the direct method of Lyapunov. An introduction to discrete KF and EKF can be found in [15]. More recently, in [16][17][18] and in [19], the author proposed different EKF structures for a valve control in an Otto motor application. Another emerging field in which EKFs are very often applied is the field state of charge estimation for batteries [20][21][22]. An up-todate paper [23] shows further advancement of equivalent circuit model-based EKF. In the technical domain of synchronous drives, the KF has already found its way to many marketready products. Nevertheless, there are still implementation pitfalls, which are addressed by [24]. Within the domain of power electronics, observers are used for a broad variety of tasks. The detection of grid fundamental and harmonic components for synchronization using a KF is described in [25]. In many cases, EKFs are used to estimate parameters. In [26], a new state observer dedicated to an online estimation of the model parameters is proposed. An example for parameter estimation of DC-DC converters using a KF can be found in [27]. Another approach to estimate parameters in this context is to use Adaptive infinite impulse response (IIR) filters, as [28] shows. In [29], a KF is utilized to estimate junction temperature of insulated gate bipolar transistor (IGBT) power modules.
For DC-DC converters, which need to be functionally safe by means of ISO 26262, redundant sensors are the standard safety mechanisms. In this context, this paper applies two crossing Extended Kalman Filters in order to estimate possible sensor faults as represented in Figures 1 and 2. The idea is to cross the information obtained by the output state estimation (output voltage and output current) to detect the fault and to replace the faulty sensor.  This idea is based on the concept of the virtual sensor. A virtual sensor works parallel to the real sensor and replaces the real sensor in case of fault. Moreover, the concept of the virtual sensor is broader. In fact, if a system is observable, the observer offers a better performance than the sensor. The main contribution of this paper consists in the following: The possible proposed scheme estimates the states of a DC-DC converter and detects the occurrence of sensor faults. Within the context of functional safety, the scheme is meant to work as a redundant sensoring structure implemented in software. The structure works in a cross-parallel form to the real sensors. This directly addresses random hardware failures by "achieving or maintaining a safe state" according to ISO 26262. More in depth, after a fault is detected, the other KFs provide the current signal and/or the voltage signal. In the case where no fault occurs, the signals Faultsafe Current and Faultsafe Voltage of Figure 1 and in Figure 2 are the sensor signals. If a fault is detected, the sensed signals are the estimated states generated by the cross-KF. In particular, in Figure 2, a possible scheme is shown in which we can see how this strategy can be utilized by a possible control scheme.
The paper is organized in the following way. Section 2 is devoted to the DC-DC Converter Model. Section 3 deals with the state estimation using augmented and extended Kalman filters. Section 4 shows the proposed method for fault detection and isolation. Experimental results and conclusions close the paper. In Appendix A, the Matlab code for fault detection scheme is shown explicitly for the user.

DC-DC Converter Model
Many approaches are proposed to model DC-DC converters and one of the most popular review contributions can be found in [30] in which a clear picture on the general law and framework of the development of next-generation step-up DC-DC converters is presented. Real reviews and classifications of various step-up DC-DC converters based on their characteristics and voltage-boosting techniques are using concrete examples carried out. Another general overview on these devices can be found in [31], even though, more oriented on the dual-active-bridge isolated bidirectional DC-DC converter. One of these approaches is to describe the converter by means of a hybrid system model (see, e.g., [32]). Through this, a highly accurate model can be achieved in which the switching frequency directly indicates the sample time for the solver. Because of this, these kind of models lead to a high computational effort. The field of multi-harmonic modeling for DC-DC converters is recently reconsidered, for instance, in [33]. In [33], the proposed modeling technique is based on the large-signal averaged model of the PWM switch cell and on the Fourier series expansion. Since the aim of this paper is to detect sensor faults within a real time scenario, this model type is not reasonable. Another approach is to average over one switching period, which leads to a highly reduced dynamic of the model. There are several methods known from the literature which follow this general idea. In [34], most of these modeling techniques are covered. Within this reference, the methods are called "The Basic AC Modeling Approach", "State-Space Averaging", "Circuit Averaging" and "Averaged Switch Modeling". In this article, the "State-Space Averaging" technique is chosen, because it leads to the most compact mathematical description of the system. A synchronous buck converter as shown in Figure 3 is considered in this contribution. It is assumed that the DC-DC converter only works in continuous conduction mode. This assumption means that the converter does not work under light or no-load conditions, which for most applications is a sufficient working condition. To apply averaging techniques, a first step is to separate the model by its switch positions.   (1) and (2) are derived: For the second interval, where switch T 2 is closed (T 1 open), the remaining circuit is shown in Figure 5. The next step is to derive differential Equations (3) and (4): To obtain a description for the whole system, the subintervals are merged by: where the A, B, C, E are averaged matrices for a full switching interval. Applying this method on the examined system in Figure 3, the averaged system matrices obtained are: with These matrices fully describe the average system response. For the purpose of control design, often an AC small signal model is sufficient. This can be calculated with the following equations: where the quantitiesx(t),û(t),ŷ(t),d(t) are small AC variations around the equilibrium solution. The steady state and output vectors are calculated by: where X, U, Y, D are the DC equilibrium components:

State Estimation Using Augmented Extended Kalman Filters
Since the model of the considered DC-DC converter was derived in the previous section, an observer based on the model can be designed. Due to the fact that the model described by Equations (11) and (12) is nonlinear in nature, the nonlinearity is taken into account in this step. For this task, there are several approaches known from the literature. This broad field of applications makes the KF and its extended version one of the most used estimation structures in the field of control systems. In this section, an EKF is implemented. Although the KF can be written as a single equation, it is more often described with two phases: the "Predict" and the "Update" phase. The "Predict" phase makes use of the previous estimation to predict the current state. Within the "Update" phase, the current prediction is combined with the current observation (measurement). This leads to an improved state estimation. These two phases can be summarized by the equations listed from Equation (14) to Equation (20).

PREDICT PHASE
Predicted (a priori) state estimate: Predicted (a priori) error covariance:

UPDATE PHASE
Innovation (or measurement pre-fit) residual: Near-optimal Kalman gain: Updated (a posteriori) state estimate: Updated (a posteriori) estimate covariance: Measurement post-fit residual:ỹ To set up the filter, the following matrices have to be determined: For the state estimation within the fault detection scheme, EKFs are used. It has, in general, the same structure as its regular version. The difference is that, the measurements or the state transition model, or both, are nonlinear. Due to this, the discrete time structure of the filter is utilized.
The state transition matrix F can be calculated by discretizing and calculating the Jacobian matrix of the model described in Section 2. Since the load R load of the DC-DC converter can change while the converter is working, it has to be taken into account. Therefore, another state is introduced by an augmented state variable R out through the following differential equation: which states, in accordance with [15], the expression of a random constant which in the discrete form assumes the following expression: R k = R k−1 + w R k , where w R k represents the corresponding Gaussian white process noise associated with this equation. This state extends the model defined in Section 2 to four states, which need to be considered during further procedures. Next, the measurement matrix H needs to be determined. This matrix follows from the output equation, the system defined in Section 2 adding the augmented state. For practical implementations of the Kalman filter, the main difficulty is obtaining a good estimate for the noise covariance matrices R k and especially Q k . R k contains the variance of the measurement. It can often be determined by knowing the standard deviation of the sensor system that is used in the system. Supposing a sensor has a standard deviation of σ, its R simply is R = [σ 2 ], due to the fact that variance is the square of the standard deviation. Determining the matrix for the process noise Q k is a more challenging task. Procedures to adapt process noise covariance and measurements noise covariance matrices are known in the literature. In [35], different algorithms and methods are presented to calculate these two matrices using training data. The approach to guess this matrix is taken from [36], within this publication. Here, a set of discretely sampled points is used to parameterize this covariance matrix of the KF. In this way, the process noise covariance matrix is calculated with a sample of measurements. The process noise covariance is determined via calculations based on these measurements. By assuming that some measurements can be done on the system, the main idea of this approach is to utilize the sample mean of N measurements to obtain an estimate of this matrix. The sample mean vector can be defined as:X Using these values as expected values, the deviation between observation and the sample mean can be computed as (see [37]): In matrix form, this is: From this, the covariance matrix can be calculated as: σ represents the standard deviation of the states. This means, in the considered case, the matrix describes the variance between estimated states and the mean of measurement sample on the main diagonal. The other entries are the standard deviations between estimated states and different state measurement samples. For the sake of brevity, the details for the calculations of all these matrices are omitted. However, all necessary calculations are described within this section and the observer is implemented.

Residual-Based Fault Detection and Isolation
Now that the model and observer have been derived in the previous sections, the next step is to detect and isolate sensor faults. Therefore, every sensor under observation is equipped with a KF. In the case being considered, the voltage sensor and the current sensor are measuring the output voltage and the output current. Because these measurements are not equal to the states defined in Section 2, the following equations are used to fit the states to the measurements: For one observer, the measurement is the current and the estimated states are the remaining ones including the augmented state R out . The other observer is provided by the voltage sensor data as measurements and estimates of the other states.
To detect and isolate sensor faults, measured and estimated states are compared with each other. If the deviation exceeds a limit, a first a fault is detected. After this recognition, the fault is isolated utilizing several logic operations (see Appendix A). Figure 6 shows the general workflow of how faults are detected and isolated. The outputs of the fault detection scheme are called "Faultsafe States" from now on, in order to clearly separate them from measurements and estimated states. Firstly, the estimated and measured states are compared to each other. If they are equal (within a residual), the output ("Faultsafe State") equals the measured states. If not, a fault is detected. In such a case, the fault has to be isolated, which means a distinction must be made between a current sensor fault and a voltage sensor fault. In case of a current sensor fault, the "Faultsafe Current" is set to the estimated current and the "Faultsafe Voltage" remains as the measured voltage. The exact opposite is the case in the event of a voltage sensor fault, meaning that the "Faultsafe Voltage" is set to the estimated voltage and the "Faultsafe Current" remains as the measured current. This guarantees that the proposed scheme in the event of a single sensor fault provides correct state signals for a controller. For better traceability and to gain a deeper insight, the program code of this procedure is provided in Appendix A.

Experimental Results
Since the general structure of the fault detection and isolation approach were derived in the previous sections, they have to be validated. For this purpose, a buck converter prototype was constructed (see Figure 7). In order to generate PWM signals and do measurements, a "dSPACE DS1103" system was used. A "PeakTech 2275" electronic load functions as variable load. Furthermore, a "Grundig PN300" laboratory power supply was used to feed the system with power. The complete system installation is shown in Figure 8. For the sake of completeness, the parameters of the DC-DC converter prototype used here are shown in Table 1. The tests are done in a closed loop. As a first test, the Kalman filter response is tested by ramping up the duty cycle from D = 0 to D = 0.5 within one second. For R load = 2.5 Ω, the response is shown in Figure 9. It can be seen that the first Kalman filter follows the measured signal nearly exactly. The second filter follows the voltage measurement exactly, which is a consequence of being its measured state. The current estimation reaches the steady state in about 0.3 s after D is constant (after the transient is completed). As depicted in Figure 10 with R load = 5 Ω, both filters react in a similar manner. The Kalman 2 filter now attains its steady state in approximately 0.4 s after the duty cycle is constant. Comparing the different ramp-up tests with each other, it can be observed that for all tests, the voltage estimation is very accurate and fast. However, the current estimation for the second Kalman filter is less accurate until steady state is reached. Considering that the load is also an estimated state, this highly depends on its starting value. Other factors that can explain this behavior are: • The starting values of the Kalman filters for the current estimation and especially the covariances; • Current measurement becomes more inaccurate with smaller currents; • Current sensor only works with a minimal current.
Within the possible control scheme of Figure 2, the voltage loop is the outer loop. This means that the voltage controller provides the setpoint for the current controller. Therefore, a slower response of the current estimation will only slightly influence the controller response. A second test validates the sensor fault detection scheme. Here, the converter is operated at a constant duty cycle of D = 0.5 and the sensor is disconnected at a random time. After a fault is detected, the other KF provides the current signal. In the case where no fault occurs, the signals I out Faultsa f e and V out Faultsa f e are the sensor signals. If a fault is detected, the signals are the estimated states generated by the cross-KF. As shown in Figure 11, a current sensor fault occurs at t ≈ 4.8 s. In this case, no interruption of the I out Faultsa f e signal can be determined. For the voltage, the signal is still provided by the sensor. To recall, after a fault is detected, the other KFs provide the current signal and/or the voltage signal. In the case where no fault occurs, the signals Faultsafe Current and Faultsafe Voltage of Figures 1 and 2 are the sensor signals. If a fault is detected, the signals are the estimated states generated by the cross-KF. In Figures 11 and 12, it is possible to see how the KFs "replace" the faulted signal. In particular, in Figure 2, a possible scheme is shown in which we can see how this strategy can be utilized. For a reduced electrical load of R load = 5 Ω as displayed in Figure 12, the behavior remains similar.
Next, the voltage sensor fault detection is tested. The general test scenario remains the same. The sensor is randomly disconnected while the converter runs at a constant duty cycle of D = 0.5. Doing so yields the response as shown in Figure 13. In fact, in Figure 13 and in Figure 14, it is possible to see how the KFs "replace" the faulted signal. It can be observed that, in such a situation, the fault detection takes some time to register the fault. From Figure 15, it is possible to see a particular of the voltage sensor fault. The transient takes around 100 ms and the recognition of the faults is around 99% of the tested cases.   A further increase of R load to 5 Ω leads to a response as it is depicted in Figure 14. The behavior remains similar to the first test.
From Figure 15, it is possible to see a particular of the voltage sensor fault. The transient takes around 100 ms.
The next test is performed in the following way. The sensor is disconnected at a random time and afterwards, the load is changed from R load = 2.5 Ω to R load = 5 Ω. For a current sensor fault, the behavior is depicted in Figure 16. In addition, in Figure 16 and in Figure 17, it is possible to see how the KFs "replace" the faulted signal.  From the definition of functional safety, "to achieve or maintain a safe state", both handling options are in agreement with ISO 26262.

Remark 1.
In the field of EKFs, typically, we are not able to prove the convergence of the estimation algorithm. The reason of that is rooted in the non-convexity of the optimization problem due to the nonlinear (switching) nature of the system. Nevertheless, the EKFs generate very good practical results in terms of performance, see [12]. In fact, if the filters are well tuned, the EKFs reach a good suboptimal performance almost always. Nevertheless, the tuning problem is in general a hard problem, in particular, if an adaptation of the process and of the measurement noise matrices is needed. In this specific case, due the stationarity of the problem, once the tuning process is realized, the EKFs offer a good result without any adaptation. The method used in this paper is taken from [36] and is sketched in Equations (22)-(25).

Conclusions and Future Perspectives
The manuscript focuses on achieving functional safety within a DC-DC converter, without having hardware-redundant sensors. For this purpose, the converter under investigation is modeled. Since the proposed fault detection and isolation scheme are based on EKF, a brief description for this algorithm is given. Basing on this knowledge, a residualbased fault detection and isolation scheme are described. The proposed structure consists of a cross-combination of EKFs. This means that, the EKFs work in parallel with a sensor, but it is provided with the measurement of another one. Real measurements are included to show the effectiveness of the application. Future work includes the possibility to apply this algorithm to different architectures of DC-DC converters and to test also different control strategies such as, for instance, Sliding Mode Control. Due the structural non-convexity of the EKFs, in order to improve also the performance of the EKFs, a Particle Swarm Optimization Method can be possibly applied to improve the tuning of the EKFs. ConV2=abs(VoutM-VoutK2) 10 CondI2=abs(IoutK2(k)-IoutK2(k-1)) Within this code listed in Listing A1, variables ending in "M" are measurements. "K1" and "K2" denote an estimation by the first or the second Kalman filter. The "res" term denotes several residuals and "k" marks the actual time step.

Appendix B. Jacobian
Starting from the discrete state transition matrix, with the following calculations, the Jacobian matrix, implemented in the Extended Kalman Filter, can be derived: and, thus, (A2) If the augmented state R out is considered, then the Jacobian matrix is as follows: It is to recall that T s = 10 −4 which implies a sampling frequency of 10 kHz.