TRANSACTIONS ON ENVIRONMENT AND ELECTRICAL ENGINEERING ISSN 2450-5730 Vol 1, No 3 (2016) © Igor Bolvashenkov and Hans-Georg Herzog

Degree of Fault Tolerance as a Comprehensive Parameter for Reliability Evaluation of Fault Tolerant Electric Traction Drives

Igor Bolvashenkov and Hans-Georg Herzog

Abstract – This paper describes a new approach and methodology for the quantitative assessment of the fault tolerance of an electric power drive consisting of a multi-phase traction electric motor and a multilevel electric inverter. It is suggested to consider such a traction drive as a system with several degraded states. As a comprehensive parameter for evaluating the fault tolerance, it is proposed to use the criterion of degree of fault tolerance. To validate the proposed method, the authors carried out research and obtained results of its practical application for evaluating the fault tolerance of the power train of an electrical helicopter.

Keywords: reliability, degree of fault tolerance, multi-phase electric motor, multilevel inverter, traction vehicle drive.

I. INTRODUCTION

With the constant growth of complexity of modern engineering systems, it becomes more complicated to achieve the required level of sustainable and safe operation. The task of implementing the specified requirements is closely related to the problem of the most accurate assessment of the indicators of sustainable operation of the system, shown in Fig.1. It is particularly important to correctly assess the required reliability and security of safety-critical systems. In safety-critical applications such as vehicle propulsion systems, the fault tolerance of all the equipment is obligatory.
According to the plans for the electrification of various types of vehicles based on the electric energy generated by renewable sources, the task of quantitatively estimating fault tolerance when creating safety-critical systems has now become very topical.

Fig.1. Indicators for sustainable operation

One of the most important requirements for the vehicle’s propulsion system is the level of fault tolerance. In other words, the vehicle’s propulsion system should operate and continue its sustainable functioning even if one or more of its components have failed. To implement this requirement, all components included in the system should be fault tolerant.

As an example of practical use of the proposed method, the fault tolerance of two main parts of the vehicle’s propulsion system was evaluated: the traction multi-phase permanent magnet synchronous motor (PSM) of an electrical helicopter and the electric inverter in conventional and multilevel versions. In this case, according to the specified requirements of a safe flight of the designed electrical helicopter, the total failure rate for the entire traction drive of the designed electrical helicopter should be less than 10^-9/h [1].

Due to the constant need for traction electrical machines for special applications, there are many publications describing the comparison or analysis of different fault tolerant electric machines and electric inverter topologies for different vehicle applications [1]-[7] and [8]-[12]. It should be noted that the authors generally have studied various aspects of the fault tolerance, and in most cases only a qualitative assessment was performed. For example, in [1] a qualitative method for the fault tolerance evaluation is proposed, whose results are given in Table I.

TABLE I. COMPARATIVE EVALUATION OF THE FAULT TOLERANCE [1]

Parameter            5 Phase   6 Phase   7 Phase   9 Phase
Overload capacity    8         9         9.5       10
Partial load mode    7         9         8         10
Torque ripple        7         8         10        9
Total                22        26        27.5      29

Modern methods for determining the degree of fault tolerance of electrical machines, power electronics, and the computer network topology are presented in [13]-[15] and [28]-[31]. The proposed methods have one typical common disadvantage: the lack of universality. Each of them allows solving a local specific problem for a particular object.

The authors have proposed a new universal approach and developed the methodology of assessing the degree of fault tolerance (DOFT) of safety-critical systems as a whole, as well as the DOFT of their components.

II. APPROACH AND METHODOLOGY

A. Degree of Fault Tolerance

Considering the definition of the fault tolerance of a technical system as an ability to maintain the required functional level of the system in case of one or more failures of its components, DOFT can be defined as the amount of time which the system may remain in a degraded state without irreversible changes in its functionality. Mathematically, in general form this can be written by (1):

(1)

where WR and WN – reduced and nominal values of performance of the technical system; ti, tN – respectively, the duration of functioning after i failures and without failure.

The performance W can be the productivity, power, energy, quantity of information, etc. The value of ti is defined by the overload capability of the system after i failures.

In the case when the required level of WR has been predetermined by project requirements, it is useful to determine DOFT for each corresponding level of performance in accordance with (2):

(2)

tN is determined depending on the type of electric vehicle and largely depends on the specifics of its operation (aircraft, ships, trains, cars).
For example, for the electric helicopter 30 minutes are needed for sustainable and safe completion of its function “search and rescue”. ti is determined by the overload capacity of the system and its thermal stability. ti indicates the duration for which the system may operate in a critical failure mode without irreversible changes in quality and without becoming functionally unfit for further use.

Based on the considerations above, the procedure for determining the DOFT is as follows:

• Determination of all possible failures on the basis of Fault-Tree Analysis (or Failure Mode and Effects Analysis);
• Classification of all failures into critically dangerous and non-dangerous failures;
• Definition of the opportunities for and complexity of eliminating the failure (if recovery is possible);
• Definition of the development and the consequences of each non-repairable failure (if recovery is not possible);
• Evaluation of the degree of reduction of the system’s functionality;
• Estimation of an acceptable level of performance reduction in accordance with the requirements;
• Evaluation of the ratio between the performance and the demand for each failure operational mode;
• In the cases when the demand is greater than the required performance, the analysis and evaluation of the system’s overloading state is carried out, and the value of ti is calculated for the appropriate level of performance reduction;
• Based on the calculated data, the DOFT can be computed.

In Figure 2 and Figure 3, the values of DOFT of the traction multi-phase electric motor and of the electric power inverter, respectively, are equal to the area below the degradation curves. The “grey” area above the degradation curve of the 9-phase motor is equal to the probability of the transition of this motor into the next degraded state following the critical failure.
The number of "steps" in Fig.2 corresponds to the number of degraded states of the electric machine after each critical failure until the moment of time when the motor completely loses its functional ability. For a multi-phase electric motor, this corresponds to the next critical phase failure. Thus, a multi-phase traction motor can be regarded as a multi-state system (MSS), which will be given special attention in section II.B.

Fig.2. Graphical DOFT representation of different multi-phase motors as multi-state systems

Fig.3. Graphical DOFT representation of conventional vs multilevel inverter as multi-state systems

Quantitative assessment of the total duration of the electric motor operations in all degraded states allows a quantitative comparative analysis of various possible topologies and designs of the machine, considering their lifetime.

Figure 3 is a graphical representation of the results of the qualitative comparison of the DOFT of the conventional and the multilevel inverter for 6-phase traction motors. The figure shows that the DOFT of the multilevel inverter is much superior to the conventional version.

In addition to the critical failures, the effect of small (non-critical) failures on the fault tolerance value of the traction electric motor and the electric power inverter, leading to partial or temporary loss of system functionality, can also be investigated using DOFT, as can be seen in Figure 4.

Fig.4. Graphical DOFT representation of different types of failure

A distinctive feature of the proposed methodology of quantitative assessment of technical systems in comparison with existing techniques is its universality, i.e. the possibility of its use for different types of technical systems.

As an example of its practical use, Figure 5 shows the evaluation of the fault tolerance and transition probabilities of an electric helicopter traction drive with multi-phase motors and multilevel inverters.

B. MSS Markov Models and Transition Probabilities

Considering the above requirements on the probability of total failure of the electrical helicopter, as well as statistical data on the reliability of the traction electric motor and the electric inverter, it was determined that the optimal model for an analysis of fault tolerance in such conditions is an MSS Markov Model (MSS-MM) with K states, as shown in general form in Fig.5. The theoretical base of this method is well known and described in [16]-[18], with examples of application in [25]-[27].

Fig.5. Multi-State Markov model of electric traction drive [16]

The first state corresponds to a completely failure-free operation of the system. The second and other states (before state K) are the states of degradation and correspond to failure cases: phase open-circuit failure of one, two or more phases, respectively. The state K of the model corresponds to the completely failed system, when the helicopter’s drive completely loses the ability to operate.

Thus, every following state of the degradation corresponds to one critical failure with a corresponding partial functionality loss of the traction drive. At the same time, the number of degraded states of the MSS-MM, determined in accordance with the requirements of the project on the fault tolerance, defines the technical capabilities of the system to continue functioning with a reduced performance level as a result of the critical failure.

The most important and most difficult point for simulations using Markov models is to determine the transition probabilities and the number of states with a reduced level of functionality.

The values of the transition probabilities , Kare derived from the results of calculations of Degree of Fault Tolerance (DOFT) for the states 1, 2 and K respectively:

(3)

Here R is the value of the reduced performance level according to the project requirements and i is the number of critical failures.
The values of transition probabilities are affected by a large number of different factors, from design and environmental parameters to the types of maintenance strategies, monitoring, and diagnostics used. As can be seen from (3), the correct calculation of DOFT for the performance levels required by the project is of main importance for calculating the transition probabilities.

Application cases of the proposed methodology for estimating the reliability features of the electric traction drive of a helicopter are presented in the next section.

III. FAULT TOLERANT ELECTRIC TRACTION DRIVE

A. Electric Traction Drive

The power part of the traction drive of electric vehicles includes a source of electrical energy (battery, fuel cell, etc.), an electric energy converter/inverter, and a traction electric motor, as can be seen from Figure 6. In the present study, the electric power source was not considered, but it will be considered at the next stage of research.

Fig.6. Schematic graphical system definition for a multi-phase traction motor (a) and for the whole traction drive (b)

B. Critical Failures

In [6] it has been demonstrated that the vast majority of element failures of the system "power inverter-traction electric motor" can be reduced to four basic types of failures of the electric traction drive:

• open-circuit and short-circuit of the electric motor’s phase;
• open-circuit and short-circuit of the inverter submodule.

In the development of an electric motor scheme, each inverter submodule is usually connected to the protection system in such a way that the electrical circuit of a failed submodule is disconnected. This solution allows the failure "short-circuit" of the inverter’s submodule to lead to the failure "open-circuit" of the submodule.
The failure type "phase short-circuit" of the electric motor can be reduced to the failure "phase open-circuit" by means of special design options of the stator winding, improved quality of insulation materials and advanced production technology.

Excluding the failure type "short-circuit" by reducing it to failures of the type "open-circuit" is one way to keep the functionality of multi-phase electric motors in failure cases. Thus, in the simulation of the electrical traction drive in failure conditions, the motor’s "phase open-circuit" and the inverter’s "submodule open-circuit" are considered as the critical failures.

C. Multi-Phase Electric Motor

The results of a previous study by the authors [1] indicate that for the 3-phase PSM the specified requirements on the reliability for the entire power drive of a designed helicopter are not achievable without functional and/or structural redundancy, and/or other activities that improve the indicators of reliability to the required value.

One way to create fault tolerant traction electric motors of high reliability is to increase the number of motor phases without changing the value of the motor’s power. This makes it possible to reduce the current value in each phase’s open winding and to fabricate the power electronics unit integrally.

Based on the diversity of schemes, connection methods of power supplies and inverters, as well as switching algorithms of the stator phases of the electric motor, it is possible to implement the system using automatically changed structures and parameters, respectively, depending on the purpose and functioning conditions. At the same time, independent performance of each phase’s switching channels provides increased reliability of the electric machine based on the principle of functional redundancy.
Unlike an electrical machine with a small number of phases, in which the majority of critical element failures leads to a complete failure of the machine, the multi-phase electrical machine remains in operation up to a certain level of degradation and a corresponding change in the output characteristics. This allows realizing so-called functional redundancy.

Thus, on the one hand, increasing the number of phases of the electric motor reduces the impact of each failure in a power electronics control channel or in a phase of the motor on the characteristics of the whole traction drive. On the other hand, increasing the number of phases leads to an increase of the failure probability in one of the phases. In this context, it is necessary to find an optimal compromise solution, based on the design requirements, the possibility of redundancy, and the reliability indices of the electrical machine and power electronics.

On the basis of the known values for the failure probability of each phase of the electric motor, the optimal number of phases can be calculated at which the required reliability and fault tolerance indicators of the electric motor can be implemented, taking into account the possibility of one or more critical failures.

The use of this redundancy method has its own features that must be considered in the study of physical processes and the design of the traction electric drive as a whole. As shown in [1], the optimal electric machine for safety-critical electric drives, considering system approach techniques, is a multi-phase PSM with distributed stator windings and an internal V-shaped arrangement of permanent magnets on the rotor. For a detailed study, 5-, 6-, 7- and 9-phase PSM were selected.

For the traction electric motor of the helicopter, considering the high requirements on the drive safety and fault tolerance, the overload capability in the fail operational modes is especially important.
In such operating conditions, a stable operation for a specified time in the modes of reduced power without critical asymmetry of the PSM’s parameters is also extremely important.

Considering a normal, i.e. failure-free, operational mode, the electric motor can endure a short-term overload because the thermal capacity is sufficiently large, whereas for failure cases the situation changes dramatically. As known from operating experience, the largest numbers of operational failures are caused by technological overloads [19]-[21].

Most of the total failures of traction electric motors (more than 80%) occur because of stator winding faults and bearing failures, so that these components play a crucial role in the overall reliability value of the motor. Their lifetime and fault tolerance significantly affect the operating temperature, developed inside the motor. Overheating causes rapid deterioration of the motor winding insulation and bearings.

The causes for overheating of electrical machines can be technological overload of the motor as well as the occurrence of different failure modes. The main ones are the various types of short circuits, unbalanced operation at the loss of one or several phases, and jamming of the rotor of the electric machine.

Technological overload leads to an increase in temperature of the motor windings to a higher level, a gradual deterioration and finally to total failure. In the case of a short circuit in the stator windings, the current value exceeds the nominal value by a multiple. Thus, the rate of rise of the stator winding temperature reaches 7-10°C per second, and after 10-15 seconds the motor temperature is out of limits.

The unbalanced mode (phase loss) occurs in the case of a burned-out fuse in the phase, wire breakage, faults in contacts or in the case of protection operation.
Thus there is a redistribution of the currents: the magnitude of current in the remaining phases increases, which leads to overheating and total failure of the electrical machine. According to recent research [20], long-term operation of the electric motor with an overcurrent of only 5% of the nominal value reduces its lifetime by 10 times.

Most of the overcurrent failures of electric motors are associated primarily with damages inside the motor, leading to an asymmetric overcurrent and, as a consequence, to overheating. The main types of failures that lead to dangerous overheating of the stator windings and to a total failure of the electric motor (without a system of protection) are the short circuit faults:

• between turns;
• between coils;
• between phases;
• between wires and the housing of the motor.

Their effects are described in detail in the literature. These effects lead to a dramatic increase of the current in one or more phases of the motor and ultimately to the motor’s overheating.

With an effective system of protection against emergency situations, each of the above-discussed failures can be reduced to the loss of the failed phases (or automatic shutdown).

When it is required to maintain the load at a given level, which is a common requirement for safety-critical systems such as a helicopter traction drive, it is necessary to increase the phase currents in the remaining phases of the electric motor. This will result in a certain level of overheating of the motor and a duration of operation in this load mode that is severely limited in terms of reliability.

For the traction drives of the electric helicopter, the given levels of load to be maintained in failed operation are: 65% of the nominal load (long time operation) and 85% of the nominal load (short time operation).

Fig.7. Overheating at the phase loss, (a) - 65%, (b) - 85% of nominal load

To estimate the level of overheating of the windings of multi-phase traction motors and to draw conclusions on their thermal stability in the case of failure in one or two phases, it is proposed to use the overheating factor KT, which shows how many times the motor windings temperature exceeds the nominal value:

(3)

where Ti and TN describe the windings temperature in the failed operational mode with i failed phases and in the nominal failure-free operational mode, respectively. The overheating factor is graphically presented in Fig.7.

Table II shows the results of a preliminary assessment of the overload capability of multi-phase traction motors in case of an open-circuit failure of one or two phases.

TABLE II. COMPARISON OF OVERLOAD CAPABILITY

Table II has the following designations: ++ - there is no overload; + - overload is less than 15%; 0 - overload is greater than 15%.

The main goal of the preliminary analysis of the presence (or absence) of overload modes of a traction electric motor at various critical failures is to find the critical points in terms of thermal stability and overload capacity. The conditional separation of the considered multi-phase motors into three groups by level of overload capability was carried out based on the analysis of the thermal stability of the motor windings for different thermal load conditions.

From the operating experience of electrical machines with appropriate power [20] it is known that when the phase current has an insignificant excess (10-15% of the nominal value), the electric motor can be operated for a certain time without critical deterioration of the insulation of the stator windings. Therefore, such failure operational overload modes can be considered as partially acceptable.

Considering the low rates of overload capability and thermal stability of the 5-phase traction motor, as can be seen from Fig.7, this version was excluded from further analysis.
When current overloads are larger than the above-mentioned values, this operational mode has been regarded as critical. The consequences of a large overload in failure operational mode are overcurrent and overheating of the PSM, which lead to a reduction of reliability indices and a decreased lifetime of the motor, as can be seen in Fig.8.

Fig.8. Lifetime of the parts of electric drive [22]

The main characteristic of the load modes of the PSM for the evaluation of DOFT is the thermal characteristic, estimated by the formula [20]:

$$t_N = \frac{\ln K^2 - \ln(K^2 - 1)}{A/C} \qquad (4)$$

where tN – the time to reach the acceptable motor temperature value, K – the rate of exceeding the nominal value of the phase current, A – the heat irradiation of the motor, and C – the thermal capacity of the electrical machine.

Figure 9 shows graphically the results of calculating the thermal behavior of the electric motor in overload conditions as a result of one or two critical failures, considering the thermal stability of the stator windings. The values of Ndeg and Nnom in Fig.9 correspond to the values of traction drive performance (driving power) in degraded and nominal modes, respectively.

Fig.9. The duration of the safe motor operation at 113% load at one (a) and two (b) critical failures

On the basis of the analysis of the thermal behavior of the motor, the values ti for the different versions of the traction motor and the various failure modes can be determined. Based on the value ti, the transition probabilities of the Markov Models were calculated.

The dependence of DOFT at 65%, 85% and 113% of nominal load on the number of critically dangerous failures is shown in Fig.10 (a), (b) and (c), respectively.

Fig.10. DOFT of multi-phase PSM in fail operations, (a) - 65%, (b) - 85% and (c) - 113% of nominal load

Based on the constructed graphs, a comparative analysis of DOFT for the considered variants of the electric motors can be carried out quite easily.
However, according to the authors, the dependencies of DOFT on the value of a given load maintenance level, as shown in Fig.11, are more informative and convenient for practical use. Thus, it is possible to assess the compliance of the fault tolerance parameters of each compared alternative with the design requirements.

Fig.11. DOFT of a given load level in fail operations, (a) – one failed phase, (b) – two failed phases

D. Electric Inverter

Considering the current developments in the field of power electronics, two options of electrical power inverter have been considered for the comparative analysis of the fault tolerance: conventional and multilevel. The Voltage Source Inverter (VSI) is the most commonly used power converter between the series-parallel-configured batteries and the electric motor in electrical mobility applications.

It is well known that multilevel inverters offer several advantages compared to their two-level counterparts [12]: smaller power filters, smaller voltage ratings for semiconductors, lower switching frequencies and lower power losses. They also offer more modularity and are more reliable.

Currently, mainly three types of electric multilevel inverters are used: Neutral Point Clamping (NPC), Flying Capacitors (FC), and Cascaded H-Bridge (CHB). Considering [8], [10], [11], and [12], CHB inverters need the lowest number of components. NPC and FC inverters need more components than CHB and have less modularity, due to the central storage unit.

CHB inverters are constructed as a series connection of single-phase inverters supplied by isolated DC electric energy sources. This kind of inverter gives a high degree of modularity and consequently high reliability and fault tolerance. An approach based on full inverter power control could optimize the implementation and the reliability of the inverter while offering optimized operational behavior.
It should also be noted that CHB is an interesting inverter topology for the electrical vehicle because of its ability to work with unbalanced or faulty DC sources. This in turn can increase the lifetime of battery packs and the autonomy of the vehicle. When CHB inverters are used with appropriate control strategies, state of charge unbalances as well as state of health can be managed, allowing optimized access to the electrical energy and optimized electric vehicle autonomy.

Based on the required design parameters of the traction drive of the electric helicopter, the preferred inverter option is a 17-level CHB inverter topology. So, in each phase there are 8 submodules, as shown in Fig.12.

Figure 12 shows the basic topology of one phase of a CHB using batteries on the DC side. Each battery module is connected to an H-bridge with 4 MOSFETs. The use of MOSFETs enhances the efficiency of the CHB inverter because of the low conduction losses.

Fig.12. One submodule of the proposed 17-level CHB inverter

For fault tolerant operation in a failure case, either the inverter module must be shut down or operation must be switched to a possibly existing redundant inverter leg/module. Each of these modes leads to a rapid increase of the current at the emergency site and an overload of the semiconductors. At overload, power losses occur in the p-n-transition and its temperature increases dramatically, due to the low heat capacity. If a certain critical temperature of the p-n-transition is exceeded, the semiconductor device fails. Hence, the overheating temperature is the main parameter characterizing the overload capability of semiconductor devices, as shown in Fig.8.

The graph presented in Fig.13 has been plotted based on the data regarding the standard overload capability of the power electronics.

Fig.13. Overload capacity of inverter

Based on the analysis of the thermal modes of inverters in the failure cases, critical operational points considering the thermal stability of semiconductor devices have been identified, as shown in Table III and Table IV.

TABLE III. OVERLOAD OF CONVENTIONAL INVERTER IN FAILURE MODES

TABLE IV. OVERLOAD OF MULTILEVEL INVERTER IN FAILURE MODES

Tables III and IV have the following designations: +++ - overload is less than 10%; ++ - overload is less than 25%; + - overload is less than 40%; MF - motor failure; PhF - phase failure.

Qualitative analysis of the data presented in the tables shows that the 17-level inverter significantly exceeds the level of fault tolerance of the inverter with a conventional topology.

IV. SIMULATION RESULTS ON THE MARKOV MODEL

For a more accurate assessment of the fault tolerance of each compared traction motor and electric inverter, and of compliance (or non-compliance) with design requirements, MSS Markov Models of reliability were built, whose theoretical base is described in [16] and [17]. To construct such models, the multi-phase PSM as well as the multilevel inverter can be considered as a system with a loaded functional redundancy and, consequently, with an appropriate reserve of fault tolerance. The transition probabilities for the MSS Markov Models were calculated using the above-mentioned DOFT method.

As was discussed above, the phase open-circuit failure has been considered as the main dangerous failure for the electric motor’s stator, i.e. it is the most severe kind of failure, to which less dangerous failures can be summarized. For the electric inverter, the MOSFET’s submodule open-circuit failure was considered to be the worst case.
Considering the above requirements on the fault tolerance of safety-critical drives as well as statistical data on the reliability of the multi-phase PSM and electric power inverter from [1], [23], [24], and [27], it was determined that the optimal model structure for the analysis of fault tolerance in such conditions is an MSS Markov Model with four states for the traction motor and five states for the electric power inverter, respectively, as shown in Fig.14 and Fig.15. The number of states of the MSS Markov Model is determined by the probability of failure-free operation of the system in the failure-free mode and by the fault tolerance requirements established by the design documentation.

Fig.14. Multi-State Markov model of traction multi-phase PSM

Fig.15. Multi-State Markov model of multilevel inverter

The first state corresponds to a completely failure-free operation of the motor and inverter. The second and third states of the motor and the second, third, and fourth states of the inverter are the states of degradation and correspond to failure cases. For the electric motor this means phase open-circuit failure of one and two phases, respectively.

The fourth state of the motor’s model (Fig.14) corresponds to the completely failed electric motor, when the helicopter’s drive completely loses the ability to operate. Thus, every following state of the degradation corresponds to one emergency phase loss with a corresponding loss of part of the functionality of the motor.

The fifth state of the inverter’s model (Fig.15) corresponds to the completely failed conventional inverter, when the traction motor does not receive the necessary power for a safe flight. Thus, every following state of the degradation corresponds to the worst case: the loss of an inverter submodule. For the multilevel CHB inverter, the fifth state of the model means the loss of one complete phase of the electric motor.
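The four-state motor model described above (failure-free, one phase open, two phases open, total failure) can be solved numerically as in the following added example, which is not code from the paper. The function names and the transition rates are constructed for illustration, because the paper's rates come from its DOFT calculation and are not reproduced on this page; the same code handles the five-state inverter chain by passing four rates.

```python
"""Added example: sequential multi-state Markov model 1 -> 2 -> ... -> K.

State 1 is failure-free, the intermediate states are degraded states
(one, two, ... critical failures) and state K is total failure.
All rates used here are CONSTRUCTED sample values, not the paper's data.
"""
import math

# Constructed rates per hour: first phase loss is rare; the overloaded
# degraded states are assumed to be left much faster (limited safe duration).
MOTOR_RATES = [1e-4, 0.5, 2.0]


def generator(rates):
    """Generator matrix Q; rates[i] is the rate from state i+1 to state i+2."""
    k = len(rates) + 1
    q = [[0.0] * k for _ in range(k)]
    for i, lam in enumerate(rates):
        q[i][i] = -lam
        q[i][i + 1] = lam
    return q  # last row stays zero: state K is absorbing


def _derivative(p, q):
    """Kolmogorov forward equations dp/dt = p Q for the row vector p."""
    k = len(p)
    return [sum(p[i] * q[i][j] for i in range(k)) for j in range(k)]


def state_probabilities(rates, t_end, steps=1000):
    """State probabilities at t_end (hours), starting failure-free, by RK4."""
    q = generator(rates)
    p = [1.0] + [0.0] * len(rates)
    h = t_end / steps
    for _ in range(steps):
        k1 = _derivative(p, q)
        k2 = _derivative([x + 0.5 * h * d for x, d in zip(p, k1)], q)
        k3 = _derivative([x + 0.5 * h * d for x, d in zip(p, k2)], q)
        k4 = _derivative([x + h * d for x, d in zip(p, k3)], q)
        p = [x + h / 6.0 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p


def total_failure_probability(rates, t_end):
    """Probability of being in the absorbing state K at t_end."""
    return state_probabilities(rates, t_end)[-1]


def total_failure_closed_form(rates, t):
    """Independent check: hypoexponential CDF, valid for pairwise distinct rates."""
    survival = 0.0
    for i, li in enumerate(rates):
        coeff = 1.0
        for j, lj in enumerate(rates):
            if j != i:
                coeff *= lj / (lj - li)
        survival += coeff * math.exp(-li * t)
    return 1.0 - survival


if __name__ == "__main__":
    for hours in (0.5, 1.0):
        p = state_probabilities(MOTOR_RATES, hours)
        print(f"t = {hours} h  state probabilities = {p}")
    # Same first-failure rate without any degraded state (no fault tolerance)
    print("no degraded states:", total_failure_probability([1e-4], 1.0))
    print("two degraded states:", total_failure_probability(MOTOR_RATES, 1.0))
```

Comparing the last two printed values shows the effect the paper attributes to functional redundancy: with the same first-failure rate, each additional degraded state lowers the probability of reaching total failure within the mission time.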
The proposed assessment approach for transition probabilities in the MSS Markov reliability model is well formalized and suitable for practical application in reliability engineering to assess fault tolerance indices of multi-phase traction motors, considering the aging process under the influence of operating conditions.

Regarding the design requirements on fault tolerance of an electric helicopter, the reliability of the traction electric motor at reduced power of 65% or 85% of the nominal value as well as at 113% of the nominal value was analyzed using the MSS-MM. The corresponding graphs for 6-, 7- and 9-phase PSM at the 113% load level are presented in Fig.16. The horizontal axis indicates operational time in hours and the vertical axis the probability of total failure of the traction motor.

Fig.16. Probability function of total failure of PSM at the 113% load

TABLE III. PROBABILITIES OF COMPLETE FAILURE OF PSM

The simulation results of two consecutive critically dangerous failures allow quantifying the reliability indices of the fault tolerant multi-phase electric motor, which is one important part of the traction drive of electric helicopters, and estimating the compliance of the calculated values with design requirements.

The obtained results confirm the results of the studies presented in [5] and [6] that 7-phase electric traction motors can be operated after the loss of two phases for a limited time at nominal load (limitation because of thermal stability), and for a long time with a reduced load.

For the simulation, the worst case and critically dangerous variant of failure has been considered, i.e. the submodule failures occur in the same phase. In case of a simulation of a non-safety-critical failure, as well as with the possibility of partial recovery of the power drive’s operating ability in the degraded state, the value of the fault tolerance will be significantly higher.
Regarding the design requirements on fault tolerance, the reliability of the inverter was analyzed using the above MSS Markov models, in case of emergency reducing the power to 113% of the nominal value. The corresponding graphs for different numbers of phases and inverter topologies are presented in Fig.17 and Fig.18, respectively.

Fig.17. Probability function of a total motor failure with conventional inverter at the 113% load

Fig.18. Probability function of a total failure of one motor phase with multilevel inverter at the 113% load

The results of the probability calculations of failure-free operation of the electric inverter during one operational hour at 113% of nominal load for the two inverter topologies are summarized in Table IV.

TABLE IV. PROBABILITIES OF COMPLETE FAILURE OF INVERTER

The results of the simulation of three consecutive critically dangerous failures allow quantifying the degree of fault tolerance of a 17-level inverter, which is one of the important parts of the traction drive of helicopters. The 7- and 9-phase options have shown the maximum compliance with the requirements relating to safety-critical drives.

V. CONCLUSION

The paper presents a new approach and methodology for assessing the degree of fault tolerance of a safety-critical technical system, such as a vehicle's electric traction drive. The suggested assessment of the reliability of fault tolerant topologies of electric traction drives is well formalized and suitable for practical application in reliability engineering to assess fault tolerance indices of multi-phase traction motors as well as of an electric power inverter, considering the aging process under the influence of operating conditions. As an example of practical use of the proposed method, the fault tolerance of two important parts of a vehicle's electric propulsion system - traction motor and electric inverter - was evaluated.
The results of the comparative analysis lead to the conclusion that, for the given project requirements on the level of reliability and fault tolerance of the helicopter's electric traction drive in real flying conditions, only 9-phase motors in combination with 17-level inverters completely fulfill the design requirements without any restriction. More broadly, the proposed method can be used as a universal tool for evaluation and optimization of the degree of fault tolerance in safety-critical technical systems, considering all the possibilities of increasing it, such as redundancy, monitoring, predictive control and type of maintenance strategy.

REFERENCES

[1] I. Bolvashenkov, J. Kammermann, S. Willerich and H.-G. Herzog, “Comparative Study of Reliability and Fault Tolerance of Multi-Phase Permanent Magnet Synchronous Motors for Safety-Critical Drive Trains”, in Proceedings of the International Conference on Renewable Energies and Power Quality (ICREPQ’16), 4th to 6th May, Madrid, Spain, 2016, pp.1-6.
[2] E. Levi, “Multiphase Electric Machines for Variable-Speed Applications”, IEEE Transactions on Industrial Electronics, Vol.55, No 5, 2008, pp.1893-1909.
[3] M. Villani, M. Tursini, G. Fabri and L. Castellini, “Multi-Phase Permanent Magnet Motor Drives for Fault-Tolerant Applications”, In Proc. of IEEE International Electric Machines & Drives Conference (IEMDC), 5-18 May 2011, Niagara Falls, Canada, 2011, pp.1351-1356.
[4] F. Scuiller, J.-F. Charpentier and E. Semail, “Multi-Star Multi-Phase Winding for a High Power Naval Propulsion Machine with Low Ripple Torques and High Fault Tolerant Ability”, In Proc. of the IEEE Vehicle Power and Propulsion Conference (VPPC), 1-3 Sept. 2010, Lille, France, 2010, pp.1-5.
[5] E. Semail, X. Kestelyn and F. Locment, “Fault Tolerant Multiphase Electrical Drives: the Impact of Design”, European Physical Journal - Applied Physics (EPJAP), Vol.43, Iss.2, 2008, pp.159-162.
[6] P.G. Vigrianov, “Assessment the impact of different failures on the power characteristics of the low power 7-phase permanent magnet synchronous motors”, Moscow, Journal “Questions to Electromechanics”, Moscow, Vol.128, Iss.3, 2012, pp.3-7. (in Russian)
[7] D. Fodorean, M. Ruba, L. Szabo and A. Miraoui, “Comparison of the main types of fault-tolerant electrical drives used in vehicle applications”, In Proc. of International Symposium on Power Electronics, Electrical Drives, Automation and Motion (SPEEDAM), June 11-13, Ischia, Italy, 2008, pp.895-900.
[8] O. Josefsson, T. Thiringer, S. Lundmark and H. Zelaya, “Evaluation and comparison of a two-level and a multilevel inverter for an EV using a modulized battery topology”, In Proc. of IEEE 38th Annual Conference on Industrial Electronics Society (IECON), Oct. 25-28, Montreal, Canada, 2012, pp.2949-2956.
[9] A. V. Brazhnikov and I. R. Belozyorov, “Prospects for Use of Multiphase Phase-Pole-Controlled AC Inverter Drives in Traction Systems”, European Journal of Natural History, Russia, Vol.2, 2011, pp.47-49.
[10] B. Sarrazin, N. Rouger, J. P. Ferrieux and J. C. Crebier, “Cascaded Inverters for electric vehicles: Towards a better management of traction chain from the battery to the motor?”, In Proc. of IEEE International Symposium on Industrial Electronics, June 27-30, Gdansk, Poland, 2011, pp.153-158.
[11] S. Fazel, S. Bernet, D. Krug and K. Jalili, “Design and Comparison of 4-kV Neutral-Point-Clamped, Flying-Capacitor, and Series-Connected H-Bridge Multilevel Converters”, IEEE Transactions on Industry Applications, Vol.43, No.4, Jul.-Aug. 2007, pp.1032-1040.
[12] M. Malinowski, K. Gopakumar, J. Rodriguez and M. Perez, “A Survey on Cascaded Multilevel Inverters”, IEEE Transaction on Industrial Electronics, Vol.57, No.7, July 2010, pp.2197-2206.
[13] B. A. Welchko, T. A. Lipo, T. M. Jahns and S. E. Schulz, “Fault Tolerant Three-Phase AC Motor Drive Topologies: A Comparison of Features, Cost, and Limitations”, In: IEEE Transactions on Power Electronics, Vol.19, No 4, 2004, pp.1108-1116.
[14] U. De Pra, D. Baert and H. Kuyken, “Analysis of the Degree of Reliability of a Redundant Modular Inverter Structure”, In Proc. of IEEE 12th International Telecommunications Energy Conference, 04-08 Oct. 1998, San Francisco, CA, 1998, pp.543-548.
[15] S. Krivoi, M. Hajder, P. Dymora and M. Mazurek, “The Matrix Method of Determining the Fault Tolerance Degree of a Computer Network Topology”, Sofia, Bulgaria, Publisher: ITHEA, Vol.13, No 3, 2006, pp.221-227.
[16] A. Lisnianski, I. Frenkel and Y. Ding, “Multi-state System Reliability Analysis and Optimization for Engineers and Industrial Managers”, Berlin, New York, Springer, 2010, 393 p.
[17] B. Natvig, “Multi-state systems reliability theory with applications”, John Wiley & Sons, New York, 2011, 232 p.
[18] I. Bolvashenkov and H.-G. Herzog, “Use of Stochastic Models for Operational Efficiency Analysis of Multi Power Source Traction Drives”, In Proc. of IEEE of International Symposium on Stochastic Models in Reliability Engineering, Life Science and Operations Management (SMRLO’16), 15-18 Feb. 2016, Beer Sheva, Israel, 2016, pp.124-130.
[19] D. Hann, “A combined electromagnetic and thermal optimisation of an aerospace electric motor”, Int. Conference on Electrical Machines, ICEM, 6-8 Sept. 2010, Rome, Italy, 2010, pp.1-6.
[20] M. M. Katzman, “Electrical machines”, Akademia, Moscow, Russia, 2001, 463 p. (in Russian)
[21] S. Mahdavi, T. Herold and K. Hameyer, “Thermal modeling as a tool to determine the overload capability of electrical machines”, International Conference on Electrical Machines and Systems (ICEMS), 26-29 Oct. 2013, Busan, Korea, 2013, pp.454-458.
[22] I. Bolvashenkov and H.-G. Herzog, “Approach to Predictive Evaluation of the Reliability of Electric Drive Train Based on a Stochastic Model”, In Proc. of IEEE 5th International Conference on Clean Electric Power (ICCEP’15), 16-18 June 2015, Taormina, Italy, 2015, pp.1-7.
[23] E. Lauger, “Reliability in electrical and electronic components and systems”, North-Holland Publ. Co., Amsterdam, 1982, 1171 p.
[24] N. P. Ermolin and I. P. Zerichin, “Zuverlässigkeit elektrischer Maschinen”, Berlin, Verlag Technik, 1981, 227 p. (in German)
[25] A. H. Ranjbar, M. Kiani and B. Fahimi, “Dynamic Markov Model for Reliability Evaluation of Power Electronic Systems”, In Proc. of IEEE International Conference on Power Engineering, Energy and Electrical Drives (POWERENG), Malaga, Spain, May 2011, pp.1-6.
[26] M. Molaei, H. Oraee and M. Fotuhi-Firuzabad, “Markov Model of Drive-Motor Systems for Reliability Calculation”, In Proc. of IEEE International Symposium on Industrial Electronics, 9-13 July 2006, Montreal, Canada, pp.2286-2291.
[27] T. Geyer and S. Schroder, “Reliability Considerations and Fault-Handling Strategies for Multi-MW Modular Drive Systems”, In: IEEE Transactions on Industry Applications, Vol.46, No.6, Nov.-Dec. 2010, pp.2442-2451.
[28] K. S. Trivedi, “Probability and Statistics with Reliability, Queuing, and Computer Science Applications”, Second edition, Wiley, 2002, 848 p.
[29] S. J. Bavuso, J. B. Dugan, K. S. Trivedi, E. M. Rothmann and W. E. Smith, “Analysis of Typical Fault-Tolerant Architectures using HARP”, In: IEEE Transactions on Reliability, Vol.R-36, Iss.2, June 1987, pp.176-185.
[30] N. Muellner and O. Thee, “The Degree of Masking Fault Tolerance vs. Temporal Redundancy”, In: IEEE Workshops of International Conference on Advanced Information Networking and Applications (WAINA), 22-25 March 2011, Biopolis, Singapore, 2011, pp.21-28.
[31] R. Ubar, S. Devadze, M. Jenihhin, J. Raik, G. Jervan and P. Ellervee, “Hierarchical Calculation of Malicious Faults for Evaluating the Fault-Tolerance”, In Proc. of 4th IEEE International Symposium on Electronic Design, Test & Applications (DELTA), 23-25 Jan. 2008, Hong Kong, 2008, pp.222-227.

Igor Bolvashenkov, Dr.-Eng., Senior researcher, Institute of Energy Conversion Technology, Technical University of Munich (TUM), Munich, Germany. Igor Bolvashenkov obtained his diploma (1981) and doctoral degree (1989) in Electrical Engineering from Admiral Makarov State University of Maritime and Inland Shipping, Leningrad, USSR. From 1987 till 1993 he worked as Associate Professor at the Murmansk State Technical University, Russia. Since 2004 he has worked at the Institute of Energy Conversion Technology of Technical University of Munich (TUM), Germany. He has specialized in development and simulation of electric propulsion safety-critical systems for ships, cars and aircraft with analysis of their reliability, survivability, and fault tolerance. He has published more than 75 scientific articles, book chapters and patents in the fields of development of traction drives for various types of electric vehicles and system analysis of efficiency, reliability and fault tolerance.

Hans-Georg Herzog, Prof. Dr.-Eng., Institute of Energy Conversion Technology, Technical University of Munich (TUM), Munich, Germany. Hans-Georg Herzog holds a diploma and a doctoral degree (with distinction) from Technical University of Munich (TUM). After his time as a research associate, he joined Robert Bosch GmbH, Leinfelden-Echterdingen, Germany. Since 2002, he has been Head of the Institute of Energy Conversion Technology at TUM. His main research interests are energy efficiency of hybrid-electric and full-electric vehicles and electric aircraft, reliability of drive trains and their components, energy and power management, and advanced design methods for electrical machines. Hans-Georg Herzog is a Senior member of IEEE and a member of VDI and VDE.