TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 1

Virtual Prototyping for Distributed Control of aFault-Tolerant Modular Multilevel Inverter for

PhotovoltaicsLuan Viet Nguyen, Student Member, IEEE, Hoang-Dung Tran, and Taylor T. Johnson, Member, IEEE

Abstract—In this paper, we present virtual prototyping of thedistributed control for a modular multilevel inverter used as agrid-tie interface for photovoltaics. Due to the distributed controland inherent redundancy in the system composed of many panelsand inverter modules, the system topology exhibits fault-tolerancecapabilities that we study through virtual prototyping. The fault-tolerance is enable by several distributed algorithms, such as ser-vices to identify which if any agents controlling inverter moduleshave failed. A distributed identifier algorithm allows the systemto keep track of the number of operating panels to appropriatelyregulate the DC voltage output of the panels using buck-boostconverters, and determine appropriate switching times for H-bridges in the grid-tie. We evaluate the distributed inverter, itscontrol strategy, and fault-tolerance through thousand of sim-ulation scenarios in Mathworks Simulink/Stateflow. Our virtualprototyping framework allows for generating multilevel inverterscomposed of many inverter modules, and we evaluate inverterscomposed of five to dozens of inverter modules. Our analysissuggests the achievable total harmonic distortion (THD) of themodular multilevel inverter may allow for operating solar arraysin spite of failures of the power electronics, control software, andother subcomponents.

Index Terms—distributed control, multilevel inverter, dis-tributed inverter, hybrid systems.

I. INTRODUCTION

Multilevel inverters have become popular in recent yearsfor interfacing DC sources to the grid for a plethora ofreasons, such as their ease of implementation, efficiency, fault-tolerance capabilities, etc. [1]–[8]. In this paper, we describethe model-based design and virtual prototyping analysis of amodular multilevel inverter implemented using fault-tolerantdistributed control. The inverter is composed of N invertermodules that communicate and coordinate in a distributedmanner to perform the DC to AC energy conversion. While thearchitecture allows for general DC sources, in this paper, wefocus on inverter modules consisting of a solar panel composedof photovoltaic (PV) modules and corresponding electronics.In this case, each panel’s control software and electronics im-plement maximum power-point tracking (MPPT) and regulatethe panel output voltage using a buck-booster converter. Then,a (2N + 1)-level modular multilevel inverter is implemented

L.V. Nguyen and T.T. Johnson are with the Department of ComputerScience and Engineering, University of Texas at Arlington, Arlington, TX76019 USA, e-mail: (luanvnguyen@mavs.uta.edu, taylor.johnson@uta.edu.H.D. Tran is with the Department of Automatic Control, Ho Chi MinhCity University of Transport, Ho Chi Minh City, Vietnam, e-mail: trhoang-dung@gmail.com.

Manuscript received March 17, 2014; revised September 1, 2014.

using H-bridges to create a grid-tie connecting the regulatedDC output of each buck-boost converter. An inverter moduleis the complete plant and computer controller consisting of aDC source (such as a panel), its microcontroller and networkinterface, buck-boost converter, and H-bridge. See Figure 1 foran overview of the modular multilevel inverter architecture.

The modules communicate with one another to ensure theyswitch at appropriate times to create the AC waveform forthe grid that is in frequency, in-phase, and of the appropriatevoltage. A distributed identifier algorithm is used by the Nmicrocontrollers to determine (a) the number of non-faultyinverter modules, and (b) the switching time for each non-faulty inverter module to minimize total harmonic distortion(THD) for the AC grid-tie [9]. This setup makes the multilevelinverter modular, where it is not necessary to know the numberof functioning modules NO ≤ N, a priori, as the distributedalgorithm determines this. In addition, the distributed identifieralgorithm lends the system to be fault-tolerant, whereby ifsome NF of the N inverter modules and corresponding controlsoftware fails, the remaining panels and modules continueoperating to ensure the grid-tie remains operational withreasonable THD and response time. Specifically, the switchingtimes to connect each inverter module in series must bedetermined to minimize THD, which is equivalent to solving acertain distributed consensus problem in one dimension, andwe base this distributed consensus algorithm on an existingfault-tolerant one-dimensional consensus algorithm [10].

We utilize an abstract failure model of both cyber andphysical components, where software/hardware crash faults ofany microcontroller are detected and tolerated, as are actuatorstuck-at faults, which correspond to failed switches in the H-bridges. We characterize the THD of the system as a functionof NF, the number of faulty modules, since as the number offaulty modules increases, the best response of the inverter willdecrease, as the sinusoidal approximation has fewer discretelevels. In the optimal case, the best achievable THD of aninverter with N total modules and NF faulty modules is thatof an inverter with NO = N− NF functioning modules.

In this paper, we utilize the framework of virtual pro-totyping [11] to evaluate the general architecture, electricalcomponent parameter variations, THD performance, and fault-tolerance capability. Instead of physically constructing oneinstance of the proposed architecture and evaluating it, wepresent simulation results for thousands of scenarios repre-senting dozens of different system configurations, exploringa significantly larger design space than would be possible if

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 2

Inverter Module

Solar Panel

Buck-Boost

ConverterH-Bridge

Microcontroller

Sunlight

Grid… (N-2 times)

Inverter Module

Solar Panel

Buck-Boost

ConverterH-Bridge

Microcontroller

Sunlight

Network Connection

Fig. 1. Overview of the modular multilevel inverter for interfacing photo-voltaics to the AC grid, consisting of N inverter modules, each of which iscomposed of a solar panel, a microcontroller with communication hardwareand control software, a buck-boost converter, and an H-bridge for selectingpolarity.

following an experimental process of building an individualprototype. The simulations are conducted in standard devel-opment environments (Mathworks Simulink/Stateflow, SLSF)and utilize high-fidelity models of the circuit components,the distributed control algorithms, and the interfaces betweenthe cyber and physical states of the system. Overall, thevirtual prototyping study presents a complete system-levelpicture of a sophisticated and fault-tolerant distributed cyber-physical system (DCPS) [12], and serves as a first step towardconstructing instantiations of this system. Numerous modernsystems, including other power electronics systems like theinverter analyzed in this paper, have been developed in thisway recently, such as numerous components of a hybridelectric car [13], a power supply [14], and a tracking systemfor photovoltaic panels [15].

Related Work: There are abundant modulation techniquesand control paradigms have been developed for multilevel con-verters such as sinusoidal pulse width modulation (SPWM),selective harmonic elimination (SHE-PWM), space vectormodulation (SVM), and others. The two main advantages ofmulti-carrier PWM inverters in comparison to square-waveinverters are control over output voltage magnitude reductionin magnitudes of unwanted harmonic voltages. There are fourmain kinds of multi-carrier PWM: (a) in-phase disposition(IPD), (b) phase opposition disposition (POD), (c) alternativephase opposition disposition (APOD),and (d) phase disposition(PD). The PD method is used most frequently since it pro-duces minimum harmonic distortion for the linetoline outputvoltage [16].

Fault tolerance contributes critically to eliminate downtimein industrial processes and enhance safety of critical systems.There is extensive literature [8], [17]–[27] regarding fault-tolerance capabilities of single and multi-phase multilevel in-verters, as due to their topology, they have inherent redundancythat may be useful for providing fault-tolerance due to switchand other failures. However, compared to all these existingworks, our work exploits the modular and distributed design

of the system to enable fault-tolerance in both software andhardware subcomponents, as distributed control algorithmsare typically implemented in software and rely on networkedcommunications, all of which have the capability to fail. Fora recent overview of general reliability and fault-tolerance inpower electronics, see [24], for a particular focus on multilevelinverters, see [23], and for a focus on the reliability of DC-to-DC converters in PV energy conversion systems, see [28].In [17] the reliability of multilevel inverters was studied topresent an argument against reliability necessarily decreasingdue to increased component counts, each with their own failurerates, which is an important observation for the topologyconsidered in our paper, as we do not minimize compo-nent numbers, but instead strive for modularity and system-level fault-tolerance. A single-phase fault-tolerant multilevelinverter is developed and experimentally validated with 5-level prototype in [18] and focuses on utilizing redundantcircuitry and appropriate control for maintaining the outputvoltage. Fault-tolerance in multilevel inverters can be achievedby adding some power device to the basic topologies suchas fourth-leg [29] or reconfiguring the flying capacitor mul-tilevel inverter into a full binary combination scheme, andbalance capacitor voltage by using three-phase joint switchingstates [30]. A comparison of several inverter topologies alongwith their cost and reliability tradeoffs is presented in [19].In [20], a strategy is developed for reconfiguring carrier-basedmodulation signals to provide fault-tolerance in multilevelinverters due to switches either failing open circuit or shortcircuit, and is experimentally evaluated on a three-phase five-level prototype. The authors of [21] develop a fault diagnosissystem for multilevel inverters using neural networks.

Overall, the vast majority of fault-tolerance capabilities inmultilevel inverters focus on handling hardware faults usingredundant hardware and topology (i.e., physical) solutions. Incontrast, in this paper, we consider primarily software-basedfault-tolerance methods that exploit the inherent redundancyin the modular inverter topology. These distributed software-based techniques have the capability to handle both hardware(e.g., switch failures) and software faults (e.g., microcontrollercrashes) using software (i.e., cyber) solutions. The topologyof the inverter we consider in this paper is similar to thatof [7], [31], but we utilize a buck-boost converter for DCvoltage regulation, and we focus on distributed control in-stead of communication-less control. The topology of theconverters and distributed control in [8] are also similar toour study, although we focus on photovoltaics instead ofwind conversion. Additionally, one instance is experimentallyanalyzed in [8], while our virtual prototyping approach focuseson the distributed control and fault-tolerance to examinesthousands of different scenarios through thousands of virtualexperiments. We do not focus on any particular maximumpower point tracking (MPPT) scheme in this paper, but referreaders to numerous methods and their tradeoffs in [32].

Our virtual prototyping simulator is developed in Math-works Simulink/Stateflow, and allows for simulating inverterscomposed of an arbitrary number of modules (N) and failures(NF). Numerous power electronics simulation models havebeen developed previously using Simulink/Stateflow [33]–

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 3

[36], and our simulator utilizes high-fidelity models of boththe cyber and physical components of each inverter module.A MATLAB simulation model for PV modules is presentedin [33] and considers factors such as temperature, shading,etc. In [34], the authors develop a MATLAB/Simulink modelof a grid-connected single-phase array with MPPT, but do notconsider multilevel inverters as we do. In [35], the authors de-velop a MATLAB/Simulink model of PV modules accountingfor numerous non-idealities, such as nonuniform irradiance.Requirements for DC-link voltages are detailed in [37]. Adetailed MATLAB/Simulink for studying partial shading isstudied in [36]. Overall, numerous practical issues of utiliz-ing photovoltaics in micro-inverters, cascaded inverters, andmultilevel inverters—such as nonuniform irradiance, commonmode voltage issues, floating panels, large leakage currents,efficiency comparisons, etc.—have been addressed throughmodeling and experimentation elsewhere [33]–[36], [38], [39],but the contributions of our work are in the distributed controland virtual prototyping.

Contributions: The main contributions of this virtualprototyping study are: (a) the development and implemen-tation of the fault-tolerant distributed control strategy for amodular multilevel inverter for DC-to-AC conversion, (b) theholistic design and analysis of a distributed cyber-physicalsystem (CPS) in a standard virtual prototyping environment(Mathworks Simulink/Stateflow), and (c) the application ofdistributed and hybrid systems modeling techniques in thevirtual prototyping process. We highlight that in contrast tomost existing work on fault-tolerance of multilevel inverters,the failure model considered in this paper is an abstraction ofboth cyber and physical failures, and works by coordinationthrough distributed control.

Paper Organization: The remainder of this paper is or-ganized as follows. Section II presents the modular multilevelinverter and its distributed control, including the communi-cation and computation capabilities of its subcomponents, aswell as the cyber-physical failure model of the subcomponents.Section III presents the simulation-based analysis of the virtualprototype, including comparisons of THD with and withoutfailures, different failure modes, and arrays consisting ofN = 5 to N = 35 panels and inverter modules. Section IVconcludes the paper and presents directions for future work.

II. MODULAR MULTILEVEL INVERTER ARCHITECTURE

Preliminaries: For a set S, let |S| be the cardinality ofS, which is the number of elements in S. For a set S, letS⊥ be S ∪ ⊥ where ⊥ /∈ S. We model several of thecyber-physical components of the system using the hybridautomaton formalism. We begin by briefly reviewing hybridautomata, and refer interested readers to [40]–[43] for detaileddefinitions of such modeling formalisms, and to [44]–[47] fordescriptions specified to power electronics and systems. Ahybrid automaton is a (possibly nondeterministic) state ma-chine with state that can evolve both instantaneously (throughdiscrete transitions) and over intervals of time (according totrajectories). Variables are associated with types and are usedas names for state components, such as currents, voltages,

and times. For a set of variables V , a valuation v is afunction that maps each variable v ∈ V to a point in itstype, denoted type(v). The set of all possible valuations isval(V ). For a valuation x, we use x.x to denote the value ofthe variable x ∈ V . Since the distributed system is composedof N inverter modules, each of which has its own powerelectronics, software, etc., we model the ith inverter moduleas an automaton Ai.

Mathematically, a hybrid automaton Ai is a tuple〈Vari , Loci, Qi,Θi,Edg i,Grd i,Rst i,Flow i, Inv i〉, where:(a) Vari : is a set of variables, where Xi ⊆ Vari are thecontinuous, real-typed variables. (b) Loci: is a set of discretelocations. (c) Qi

∆= val(Vari) is the set of states, and is

the set of all valuations of each variable v ∈ Vari . Astate is denoted by bold x and assigns values to everyvariable in the set of variables Vari . For a state x ∈ Qi,the valuation of x.loc is called the location, and along withthe valuations of any discrete variables, it describes thediscrete state. The valuation of the continuous variables inXi , that is x.x : x ∈ Xi, is called the continuous stateand is referred to as x.Xi . (d) Θi ⊆ Qi is a set of initialstates. (e) Edg i is the set of edges. (f) Grd i : Edg i → Qi

is a function that associates a guard (a valuation of Vthat must be satisfied such that a transition may be taken)with each edge. (g) Rst i : Edg i → (Qi → 2Qi) is afunction, called the reset map, associated with each edge.A reset map associates a set of states with each edge.(h) Flow i : Loci → (Qi → 2Qi) associates a flow map witheach location. (i) Inv i : Loci → 2Qi associates an invariantwith each location.

The semantics of Ai are defined in terms of sets of tran-sitions and trajectories. The set of transitions Di ⊆ Qi × Qi

is defined as follows. We have (v,v′) ∈ Di if and only if,for e = (v.loc,v′.loc), (a) e ∈ Edg i, (b) v ∈ Grd i(e),and (c) v′ ∈ Rst i(e)(v.X). A trajectory for Ai is a functionτ : [0, t]→ Qi that maps an interval of time to states such that:(a) For all t′ ∈ [0, t], τ(t′).loc = τ(0).loc, that is, the discretestate remains constant, (b) (τ ↓ X), that is, the restriction ofτ to Xi is a solution of the differential equation specified bythe flow function Xi = Flow i(τ(0).loc)(τ(0)), and (c) For allt′ ∈ [0, t], τ(t′) ∈ Inv i(τ(0).loc). The set of all the trajectoriesof Ai is written Ti. The domain for a trajectory τ ∈ Ti isdenoted by τ.dom. We define τ. ltime as the right endpointof τ.dom, τ. lstate ∆

= τ(τ. ltime), and τ. fstate∆= τ(0). An

execution of Ai is a sequence α = τ0τ1 . . ., such that: (a) eachτk ∈ Ti, (b) for each k, (τk(t), τk+1(0)) ∈ Di, where t is theright endpoint of the domain of τk, and (c) τ0 ∈ Θi. A statev ∈ Qi is said to be reachable if there exists a finite executionα that ends with v.

A. Modular Multilevel Inverter Architecture and Modeling

The modular multilevel inverter consists of N invertermodules for implementing the modular multilevel inverteras a grid-tie for photovoltaics (see Figure 1). Each invertermodule consists of a microcontroller (computer), communica-tions system, a DC source (a solar panel in this paper), andpower electronics. Each inverter module’s power electronics

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 4

BBC1SP1

MP

PT

SPN

Iac

MP

PT BBCN

Net

wor

k C

ontr

ol

Microcontroller u1ac

Microcontroller uNac

+

-V1

dc

+

-VN

dc

+

-V1

ac

+

-VN

ac

Vac

Fig. 2. High-level circuit diagram of the modular multilevel inverter illustrat-ing the solar panels (SPi) controlled with MPPT that feed the panel outputvoltage V sp

i into the buck-boost converters (BBCi) with output voltage V dci .

Next, the H-bridges switch at appropriate times to connect the N DC regulatedvoltage sources V dc

i with potentially reversed polarity in series to create thegrid connection voltage V ac . The buck-boost converter control (V ref

i ) andH-bridge switching control (uaci ) for inverter module i depends upon networkinformation from other inverter modules in the system.

consist of a DC-to-DC buck-boost converter for regulatingthe DC source’s potentially varying output voltage, and anH-bridge for connecting and disconnecting the buck-boostconverter’s output voltage at appropriate times to generate theAC waveform (see Figure 2). We note that inclusion of asoftware-controlled bypass switch in parallel on the output ofthe H-bridge would allow the inverter to tolerate both open andcircuit-circuit failures, although such a method has previouslybeen investigated, so we instead focus on both cyber andphysical failures [8]. We refer to each inverter module as anagent with a unique identifier i ∈ ID , where ID ∆

= 1, . . . ,N.We model the ith inverter module’s buck-boost converter asa hybrid automaton (see Figure 4) denoted Adc

i , and its H-bridge as a hybrid automaton (see Figure 6) denoted Aac

i . Eachinverter module is specified as a hybrid automaton consistingof the composition of the individual components:

Ai∆= Adc

i ‖ Aaci . (1)

For a given N, the complete system A composed of the N in-verter modules consists of N panels, N buck-boost converters,N H-bridges, and computer control software and hardware is:

A ∆= A1 ‖ . . . ‖ AN, (2)

where ‖ is a parallel (concurrent) composition of automata(see, e.g., [43, Chapter 2]).

Each agent i ∈ ID is associated with the following electrical(physical) real variables: (a) V sp

i : the voltage output of agenti’s solar panel and input to agent i’s DC-to-DC converter,(b) Ispi : the output current of agent i’s solar panel and input toagent i’s DC-to-DC converter, (c) V ref

i : the reference voltagefor agent i’s DC-to-DC converter to track, (d) V dc

i : the voltageoutput of agent i’s DC-to-DC converter and input to agenti’s H-bridge, (e) Idci : the current output of agent i’s DC-to-DC converter and input to agent i’s H-bridge, (f) V ac

i : thevoltage output of agent i’s H-bridge and input to the grid, and(g) Iaci : the current output of agent i’s H-bridge and inputto the grid. Additionally, each agent i ∈ ID is associatedwith the following communications and computational (cyber)quantities: (a) ∆ac

i∆= δz+i , δpi , δz−i , δz−i : a set of switching

times for agent i’s H-bridge to connect/disconnect V aci with

what polarity to the grid, (b) uaci : the H-bridge control timerfor agent i used to compare to the switching times in ∆ac

i ,(c) Nbrsi: the communication neighbors of agent i, consistingof the agents to its left (denoted Li) and right (denoted Ri).The left and right neighbors are defined to be the adjacentinverter modules, e.g., in Figure 1. Without failures, we haveLi = i − 1 and Ri = i + 1, for i ≥ 2 and i ≤ N − 1,respectively, but will redefine these in the case of failuresshortly. These variables define the set of variables Vari of theautomata Adc

i and Aaci . As we consider their compositions, we

do not differentiate between variables of the two automata.Additionally, we note that all these variables are mappingsfrom time to elements in the variables’ types. For somev ∈ Vari , we will denote this interchangeably by x.v forsome reachable state x, or by v(t) for some time t ∈ R≥0such that t = τ. ltime and x = τ. lstate, i.e., t is the endpointof a trajectory τ ending in reachable state x.

B. Failure Model and Distributed Failure Detection

We utilize the following failure model of each agent’sphysical and cyber components, inspired by similar modelsdeveloped in [10], [48]. While H-bridge failure modes couldpotentially turn them into open circuits, thus disconnectingthe inverter from the grid, we do not consider such scenariosand assume if the H-bridge fails, it fails as a short addingzero voltage to V ac . We model general abstracted failuresof the entire inverter module that do not cause open circuits,such as the microcontroller crashing, the buck-boost converterentering a failure mode, etc. We assume we have a method todetect failures within a finite time, e.g., through a heartbeatservice for crash failures. This assumption is reasonable forboth cyber and physical failures. For cyber failures—e.g.,computer crashes and may recover, communication link is losttemporarily—such heartbeat services are typical in distributedcomputing systems, but here we desire the grid-tie to recoverwhen the computer restarts or the communication link isrestored. For physical failures, each inverter module mayimplement a detection method to detect if its subcomponentsare faulty. Thus, this failure model is an abstraction of moredetailed failures. Each agent i ∈ ID is augmented with anadditional Boolean-valued variable Fi indicating whether ithas failed (true) or not (false). If agent i ∈ ID is failed,then Fi(t) = true , and if not, Fi(t) = false . The set offailed agents is denoted by IDF(t) ⊆ ID and is the seti ∈ ID | Fi(t). We define the number of failed agents asNF(t)

∆= |IDF(t)|. The set of operating (non-failed) agents is

denoted by IDO(t) ⊆ ID and is the set ID \ IDF(t). We alsodefine the number of operating agents as NO(t)

∆= |IDO(t)|

and we note NO(t) = N− NF(t).A distributed gossip protocol [49] spreads the identifiers of

any failed agents throughout the inverter, so any agent knowswithin a short period of time if any other agent is failed ornot. Using this information, the left and right neighbors are re-defined, respectively, as Li(t) = max j ∈ ID |Fj(t) ∧ j < iand Ri(t) = min j ∈ ID |Fj(t) ∧ j > i.

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 5

V spi Li

Idci

CiV Ci RiV dc

i

Fig. 3. Buck-boost converter circuit—a DC input V spi is increased or

decreased to a higher or lower DC output V dci based on the number of non-

faulty inverter modules.

Distributed Identification and Notification: Each agenti ∈ ID is augmented with a variable id i with index type(type(id i) = ID⊥), which indicates its identifier in the set ofoperational agents, IDO. First, each agent keeps track of thenumber of failures to its left (lower identifiers) as LF

i (t) =|j ∈ ID | Fj(t) = true ∧ j < i|, and symmetrically RF

i (t)for agents to its right (higher identifiers). We observe thatNF(t) = LF

i (t) + RFi (t), so agents may compute the number

of failed agents. Each operational agent i ∈ IDO determinesid i using the following local method:

id i(t) = i− LFi (t). (3)

Using this method, we have that maxi∈ID

id i(t) = NO(t). To-gether, these distributed identifier services allow each opera-tional agent i ∈ IDO to compute the number of operational andfailed agents for use in determining the DC voltage referenceV refi and switching times ∆ac

i as described next.

C. Buck-Boost Converter Model and Control

The buck-boost converter circuit appears in Figure 3. Forthe buck-boost converter model, we utilize an extension of thehybrid automaton model developed and analyzed in [46]. Eachinverter module’s buck-boost converter has two real-valuedstate variables modeling physical quantities: the inductor cur-rent Idci and the capacitor voltage V dc

i , depicted in Figure 3.These two state variables at time t are written in vector formas:

xi(t) =

Idci (t)

V dci (t)

.The model includes the discontinuous conduction mode(DCM), see e.g., [50], [51].

The reference voltage for each DC-to-DC converter is:

V refi (t)

∆=

V p

NO(t), (4)

where V p is the AC peak voltage (e.g., V p =√

2V rms forthe root mean square (RMS) AC voltage V rms ). If V ref

i (t) <V spi (t), then the buck-boost converter is in a buck mode and

decreases its output voltage V dci (t). Otherwise, if V ref

i (t) >V spi (t), then the buck-boost converter is in a boost mode and

increases its output voltage V dci (t). Note that since V ref

i (t) isdefined in terms of the number of operating agents NO(t), itmay vary over time.

D. H-Bridge Modeling and Distributed Control

We model the H-bridge plant as ideal switches with delays,where the output voltage of the inverter module is either:

Switch Si State Ami Bm

i Duty Cycle δdci (t)

Open

[0 − 1

Li1Ci

− 1RiCi

] [0

0

]V

refi (t)

Vrefi (t)+V

spi (t)

Close

[0 0

0 − 1RiCi

] [1Li

0

]

DCM

[0 0

0 − 1RiCi

] [0

0

]TABLE I

DYNAMICS OF AGENT i’S BUCK-BOOST CONVERTER Adci .

Openxi = Ao

i xi +Boi

τdci ≤ (1− δdci )T dci

startClose

xi = Acixi +Bc

i

τdci ≤ δdci T dci

DCMxi = AD

i xi +BDi

τdci ≤ δdci T dci

τdci ≥ δdci T dci

τdci′

:= 0

τdci ≥ (1− δdci )T dci

τdci′

:= 0

τdci ≥ (1− δdci )T dci

τdci′

:= 0 Idci ≤ 0

Fig. 4. Hybrid automaton model Adci for agent i’s buck-boost converter. The

matrices and vectors Aoi , Ac

i , ADi , Bo

i , Bci , and BD

i are constant but mayvary between inverter modules, and T dc

i is constant. The state vector xi, dutycycle δdci , and τdci are variables and vary with time.

(a) V aci = 0: disconnected (locations Zero+ and Zero−),

(b) V aci = V dc

i : connected in series with positive polarity(location Positive), or (c) V ac

i = −V dci : connected in

series with reverse polarity (location Negative). The H-bridge controller that connects the output voltage is shownin Figure 6. The grid-tie AC voltage V ac is then defined asthe series connection of all NO operating inverter modulesoutput voltages:

V ac(t)∆=

∑i∈IDO(t)

V aci (t). (5)

The set of switching times for the H-bridge to connect V dci

with different polarities to create V aci is denoted:

∆aci (t)

∆= δz+i (t), δpi (t), δz−i (t), δni (t), (6)

where the elements are respectively the time to spend withV aci = 0, then the time to spend with V ac

i = V dci , then the

time to spend with V aci = 0 again, and finally the time to

spend with V aci = −V dc

i before repeating. See Figure 11 foran example of the switching signals illustrating these varioustransitions. For finding the switching times of the H-bridge,we utilize the following protocol and we derive the idealizedswitching times for each agent i ∈ ID :

i

NO + 1= sin

(2πt

T ac

), and solving for t,

t =T ac

2πsin−1

(i

N + 1

).

Of course, t is not unique, but defines the amount of time δz+i

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 6

Microcontroller

Vac

DC1

DCN

V1ac

++

-VNac

u1ac

uNacMicrocontroller

-V1

dc

+

-VN

dc

+

-

+

-

Fig. 5. For the purpose of the H-bridge control and finding the switchingsignals uac1 , . . ., uacN , the panel and buck-boost converter are abstracted andtreated as ideal voltage sources (DC1, . . ., DCN) due to the buck-boostconverter regulation.

Zero+

uaci = 1uaci ≤ δ

z+i

V aci = 0

start

Positiveuaci = 1uaci ≤ δ

pi

V aci = V dc

i

Zero−

uaci = 1uaci ≤ δ

z−i

V aci = 0

Negativeuaci = 1uaci ≤ δni

V aci = −V dc

i

uaci ≥ δz+i

uaci ≥ δz+i + δpi

uaci ≥ δz+i

+δpi + δz−i

uaci ≥ δz+i

+δpi + δz−i + δniuaci′ := −δz+i

Fig. 6. Hybrid automaton model Aaci for agent i’s H-bridge switching logic.

spent in the zero state before switching to the positive outputstate. The other waiting times simply subdivide the period,and accounting for failures using i’s identifier id i out of theNO operating agents, we have:

δz+i (t) =T ac

2πsin−1

(id i(t)

NO(t) + 1

), (7)

and likewise for the shifted switching times δpi , δni , and δz−i .We assume that the sinusoid used to generate the switchingtimes in Equation 7 is synchronized with the grid phase, using,e.g., a phase-locked loop (PLL), which can be implemented ina distributed fashion by informing all operational agents of thegrid phase. Refer to Figure 11 for examples of the switchingtimes generated using this method with failures.

III. VIRTUAL PROTOTYPE SIMULATION ANALYSIS

Next we describe the virtual prototyping simulation setup toanalyze the distributed control and fault-tolerance capabilitiesof the modular multilevel inverter. We wrote a MATLAB pro-gram to programmatically generate Simulink/Stateflow (SLSF)models of the inverter for varying the number of invertermodules (N). Specifically, for a given N, the program generates

Component / Parameter Name Symbol Value

Buck-Boost Input Voltage V spi (t) 18.6 V ± ε

Desired Buck-Boost Output Voltage V refi (t) V rms

NO(t)V

Actual Buck-Boost Output Voltage V dci (t) varies

Load Resistance Ri 4 Ω ± 5%

Capacitor Ci 60 uF ± 5%

Inductor Li 40 uH ± 5%

Switching Period T dci 4 µs

Switch-closed duty cycle δdci (t) varies

Switch-open duty cycle 1− δdci (t) varies

Grid Period Tac 0.0167 s

Grid Frequency fac 60 Hz

Desired Grid Voltage V grid 120 Vrms, 60 Hz

Actual Array Voltage V ac(t) varies

TABLE IISUMMARY OF VARIABLES AND PARAMETERS USED IN SIMULATIONS.

an array A consisting of the N solar panels, N invertermodules, and their control software composed together, i.e.,, asspecified in Equation 2. That is, the simulator generates SLSFsimulation models corresponding to Figures 1 and 2. Thevarious parameters used for the circuit components are sum-marized in Table II. The grid-tie was configured for a standardresidential-style connection at 120 V and 60 Hz. The controllogic for both automata Adc

i and Aaci are implemented as

continuous-time state-machines using Stateflow. Using theseprogrammatically-generated array models, we have performedthousands of simulations for analyzing the system in scenarioswith and without failures, as detailed next.

A. Total Harmonic Distortion (THD) with Static Failures

Static failures are those that occur before the grid-tie isconnected and do not affect the dynamic performance. Figure 7shows an example execution for N = 35 inverter moduleswith both no failures and NF = 5 static failures, along withan execution for N = 10 inverter modules with no failures.Figure 8 shows the THD of the array as a function of thenumber of operating agents, NO. Additionally, Figure 8 showsthe THD for static failures, which are those where someagents are failed at start-up and remain failed. The resultsillustrate that increasing the number of static failures returnsthe array to the achievable THD in an array with NF fewerinverter modules. The different curves in Figure 8 correspondto the numbers of non-failed agents NO for a given array ofN inverter modules. The simulations varied NF from 0 (nofailures) to 6 (six failed agents), and N from 10 agents through35 agents, corresponding to 21 and 71 levels, respectively.For example, in the N = 10 configuration with no failures(NF = 0), the THD of the array is around 5%. In the N = 15configuration with NF = 5 failures, the THD is also around5%. These configurations may result in too high a THD forthe grid-tie, but the THD is around 2.5% for NO ≥ 16, soas long as there are at least a large fraction of functioningpanels and inverter modules in large arrays, the grid-tie couldbe connected.

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 7

0.02 0.025 0.03 0.035

−150

−100

−50

0

50

100

150

Time (s)

Vac

(V

olts

)

60Hz 120V SineN = 35, N

F = 5

N = 35, NF = 0

N = 10, Nf = 0

Time 0.022833

Time 0.023033

Fig. 7. Executions of three configurations of the array, with N = 35 agentsand NF = 5 failures, with N = 35 agents and no failures, and N = 10 agentsand no failures. The figures illustrate the different H-bridge switching timesand buck-boost regulated voltage levels in different configurations.

10 15 20 25 30 35

2

4

6

8

10

12

N

TH

D (

%)

N

F = 0

NF = 1

NF = 2

NF = 3

NF = 4

NF = 5

NF = 6

Fig. 8. THD for different array configurations consisting of N panels andinverter modules (agents), along with different numbers of statically failedagents NF at system start-up. The y-axis scale is logarithmic.

B. THD with Dynamic Failures

Dynamic failures are those that occur once the grid-tieis operational and connected. We consider dynamic failures(NF = 1) of one agent at a time. Figures 9 and 10 each,respectively, show the grid-tie voltage V ac versus time forthree executions with one random dynamic failure that occursat a uniformly distributed random time in the period. Thesescenarios are considered as failures at different times resultin varying performance degradation of the THD. For instance,one scenario is where a failure of an agent that is not connectedto V ac at a time instant. One hypothesis is that such a failuremay not negatively impact the THD, as it is not connectedto the output. However, each of the remaining operationalagents i ∈ IDO must (a) increase their output voltagesV dci since there is one fewer level, and (b) change their H-

bridge switching times ∆aci using the algorithm of Equation 7.

Figure 11 shows the H-bridge output voltage V aci for each

agent i ∈ ID for a configuration with N = 6 agents and onedynamic failure.

0.02 0.025 0.03 0.035

−150

−100

−50

0

50

100

150

Time (s)

Vac

(V

olts

)

Time 0.024667

Time 0.033

Fig. 9. The black line is an ideal 60 Hz 120 V sine, and the green, yellow,and blue lines are each an execution of A with N = 5 agents and 1 dynamicfailure at a different random time. The failure causes the total number ofvoltage levels to transition from (2N+1) = 11 to (2NO+1) = 9 levels. Thezoom plots illustrate the fast recovery as the buck-boost converter referencevoltage control and the H-bridges’ switching times are changed. Note thatin each of the three executions, in the first quarter-period (t ≤ 0.022) thereare N = 5 positive voltage levels as there are 5 functioning agents, and therecovery is fast enough that by fourth quarter-period (t ≥ 0.0325) there areN = 4 negative voltage levels due to the one dynamic failure (NF = 1).

0.02 0.025 0.03 0.035

−150

−100

−50

0

50

100

150

Time (s)

Vac

(V

olts

)

Time 0.024667

Time 0.033

Fig. 10. The black line is an ideal 60 Hz 120 V sine, and the green, yellow,and blue lines are each an execution of A with N = 30 agents and 1 dynamicfailure at a different random time. The failure causes the total number ofvoltage levels to transition from (2N+1) = 61 to (2NO+1) = 59 levels. Thezoom plots illustrate the fast recovery as the buck-boost converter referencevoltage control and the H-bridges’ switching times are changed. Note that ineach of the three executions, in the first quarter-period (t ≤ 0.022) there areN = 30 positive voltage levels as there are 30 functioning agents, and therecovery is fast enough that by fourth quarter-period (t ≥ 0.0325) there areN = 29 negative voltage levels due to the one dynamic failure (NF = 1).

Figure 12 shows averaged THD versus time over twoperiods (2T ac) for arrays composed of N = 5 to 35 agentsin increments of 5 agents where a single dynamic failure(NF = 1) occurs in the first of the two periods. These resultscorrespond to the scenarios depicted in Figures 9 and 10, withthe averaged THD in Figure 13. Figure 12 indicates that inthe case of a single failure, the THD of the N agent systemreturns to that of the N − 1 agent system quickly (withinone period T ac). It is unlikely more than a single dynamicfailure would occur simultaneously before recovery, which asshown in Figures 9, 10, 11, and 12, happens in under half

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 8

−500

50V

dc 1

−500

50

Vdc 2

−500

50

Vdc 3

−500

50

Vdc 4

−500

50

Vdc 5

0.02 0.025 0.03 0.035 0.04 0.045 0.050

2040

Vdc 6

Time (s)

Fig. 11. Execution of N = 6 agents with one dynamic failure (NF = 1)illustrating the H-bridge switching signals and output voltages V dc

i for eachagent i ∈ ID . The failure causes agent i = 6 to have Fi = true andV dci = 0, so the operating agents i ∈ IDO increase their reference voltagesV refi and update their switching times ∆ac

i .

0.02 0.025 0.03 0.035 0.04 0.045 0.05

2

4

6

8

10

12

Time (s)

TH

D (%

)

N = 05N = 10N = 15N = 20N = 25N = 30N = 35

Fig. 12. Averaged THD versus time for the 20 executions with uniformlysampled random failure time for A with N = 5 through N = 35 agents and1 dynamic failure at different random times. The time-varying lines are theTHD at different instances due to the dynamic failure. The y-axis scale islogarithmic.

a grid period T ac. Furthermore, if one failure occurs, fromour previous analysis of THD under static failures (Figure 8),we see that the array behavior simply returns to the system’sbehavior with N − 1 operating agents. Thus, if more than asingle dynamic failure occurs (NF > 1, as long as each failureis spaced out enough in time (greater than a half grid periodapart), the overall behavior will just return the array to thebehavior with N−1, then N−2, . . ., N−NF agents operating.

IV. CONCLUSION AND FUTURE WORK

In this paper, we presented a model-based design and virtualprototyping analysis of a modular multilevel inverter used tointerface N DC voltage sources—in this paper, solar panels—to the grid. In addition to the modular multilevel inverter con-sidered in this paper, the virtual prototyping, failure modeling,and analysis may be useful in scenarios using multilevel invert-ers as grid-ties for other DC sources and in other topologies.Our results illustrate the feasibility of individual and multiple

5 10 15 20 25 30 35

2

4

6

8

10

12

N

TH

D (

%)

NF = 1

Fig. 13. Averaged THD of 20 simulations for different array configurationsconsisting of N panels and inverter modules (agents) in increments of 5between 5 and 35, along with a one dynamically failed agent, NF = 1,that fails at a uniformly-sampled random time in the grid period Tac. They-axis scale is logarithmic, the center line is the mean, and the upper andlower lines are α = 95 confidence intervals.inverter modules failing in certain ways, while being ableto keep the grid-tie operational with acceptable performancedeterioration (in terms of THD). In future work, we plan toconstruct an actual prototype of the modular multilevel in-verter and evaluate its fault-tolerance capabilities in real-worldscenarios, although the detailed virtual prototyping analysispresented in this paper indicates such a system will be feasible,and has extensively explored the design space of possiblesystem instantiations to be investigated in experimental work.For an actual prototype, we plan to employ a switchingscheme to vary the switching times used by each agent’s H-bridge to decrease wear by periodically changing identifiersof all the agents using a distributed identifier algorithm.Additionally, given the formal hybrid automaton models ofthe system, we plan to formally verify several specificationsof the distributed control algorithms regardless of the numberof inverter modules, N, using the Passel verification tool [43].For example, one basic specification is that the switchinglogic of the modules never results in modules with oppositepolarity voltages being connected together for the grid tie.Alternatively, this can be formulated as a verification problemfor timed automata as done previously for an array with fixedsize (N) in [44].

REFERENCES

[1] J.-S. Lai and F. Z. Peng, “Multilevel converters-a new breed of powerconverters,” Industry Applications, IEEE Transactions on, vol. 32, no. 3,pp. 509–517, May 1996.

[2] L. Tolbert, F. Z. Peng, and T. Habetler, “Multilevel converters for largeelectric drives,” Industry Applications, IEEE Transactions on, vol. 35,no. 1, pp. 36–44, Jan. 1999.

[3] B. McGrath and D. Holmes, “Multicarrier PWM strategies for multilevelinverters,” Industrial Electronics, IEEE Transactions on, vol. 49, no. 4,pp. 858–867, Aug. 2002.

[4] S. Kjaer, J. Pedersen, and F. Blaabjerg, “A review of single-phase grid-connected inverters for photovoltaic modules,” Industry Applications,IEEE Transactions on, vol. 41, no. 5, pp. 1292–1306, 2005.

[5] L. Franquelo, J. Rodriguez, J. Leon, S. Kouro, R. Portillo, and M. Prats,“The age of multilevel converters arrives,” Industrial Electronics Mag-azine, IEEE, vol. 2, no. 2, pp. 28–39, June 2008.

[6] C. Cecati, F. Ciancetta, and P. Siano, “A multilevel inverter for photo-voltaic systems with fuzzy logic control,” Industrial Electronics, IEEETransactions on, vol. 57, no. 12, pp. 4115–4125, 2010.

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 9

[7] B. Johnson, “Control, analysis, and design of distributed inverter sys-tems,” Ph.D. dissertation, University of Illinois at Urbana-Champaign,2013.

[8] M. Parker, L. Ran, and S. Finney, “Distributed control of a fault-tolerant modular multilevel inverter for direct-drive wind turbine gridinterfacing,” Industrial Electronics, IEEE Transactions on, vol. 60, no. 2,pp. 509–522, Feb. 2013.

[9] F. Filho, L. Tolbert, Y. Cao, and B. Ozpineci, “Real-time selectiveharmonic minimization for multilevel inverters connected to solar panelsusing artificial neural network angle generation,” Industry Applications,IEEE Transactions on, vol. 47, no. 5, pp. 2117–2124, 2011.

[10] T. T. Johnson and S. Mitra, “Safe flocking in spite of actuator faultsusing directional failure detectors,” Journal of Nonlinear Systems andApplications, vol. 2, no. 1-2, pp. 73–95, Apr. 2011.

[11] G. G. Wang, “Definition and review of virtual prototyping,” Journal ofComputing and Information Science in Engineering, vol. 2, no. 3, pp.232–236, Jan. 2003.

[12] T. T. Johnson, “Fault-tolerant distributed cyber-physical systems: Twocase studies,” Master’s thesis, Department of Electrical and ComputerEngineering, University of Illinois at Urbana-Champaign, Urbana, IL61801, May 2010.

[13] L. U. Gokdere, K. Benlyazid, R. A. Dougal, E. Santi, and C. W. Brice,“A virtual prototype for a hybrid electric vehicle,” Mechatronics, vol. 12,no. 4, pp. 575–593, 2002.

[14] Q. Li, F. Lee, and T. Wilson, “Design verification and testing of powersupply system by using virtual prototype,” Power Electronics, IEEETransactions on, vol. 18, no. 3, pp. 733–739, May 2003.

[15] C. Alexandru and C. Pozna, “Virtual prototype of a dual-axis trackingsystem used for photovoltaic panels,” in Industrial Electronics, 2008.ISIE 2008. IEEE International Symposium on, June 2008, pp. 1598–1603.

[16] B. Urmila and D. Subbarayudu, “Multilevel inverters: A comparativestudy of pulse width modulation techniques,” Journal of scientific andengineering research, vol. 1, no. 13, pp. 1–5, 2010.

[17] C. Turpin, P. Baudesson, F. Richardeau, F. Forest, and T. Meynard,“Fault management of multicell converters,” Industrial Electronics, IEEETransactions on, vol. 49, no. 5, pp. 988–997, Oct. 2002.

[18] A. Chen, L. Hu, L. Chen, Y. Deng, and X. He, “A multilevel convertertopology with fault-tolerant ability,” Power Electronics, IEEE Transac-tions on, vol. 20, no. 2, pp. 405–415, 2005.

[19] F. Chan and H. Calleja, “Reliability: A new approach in design ofinverters for pv systems,” in International Power Electronics Congress,10th IEEE, Oct. 2006, pp. 1–6.

[20] M. Ma, L. Hu, A. Chen, and X. He, “Reconfiguration of carrier-based modulation strategy for fault tolerant multilevel inverters,” PowerElectronics, IEEE Transactions on, vol. 22, no. 5, pp. 2050–2060, Sep.2007.

[21] S. Khomfoi and L. Tolbert, “Fault diagnostic system for a multilevelinverter using a neural network,” Power Electronics, IEEE Transactionson, vol. 22, no. 3, pp. 1062–1069, May 2007.

[22] A. Ristow, M. Begovic, A. Pregelj, and A. Rohatgi, “Development of amethodology for improving photovoltaic inverter reliability,” IndustrialElectronics, IEEE Transactions on, vol. 55, no. 7, pp. 2581–2592, Jul.2008.

[23] P. Lezana, J. Pou, T. Meynard, J. Rodriguez, S. Ceballos, and F. Richard-eau, “Survey on fault operation on multilevel inverters,” IndustrialElectronics, IEEE Transactions on, vol. 57, no. 7, pp. 2207–2218, Jul.2010.

[24] Y. Song and B. Wang, “Survey on reliability of power electronicsystems,” Power Electronics, IEEE Transactions on, vol. 28, no. 1, pp.591–604, Jan. 2013.

[25] S. Harb and R. Balog, “Reliability of candidate photovoltaic module-integrated-inverter (pv-mii) topologies–a usage model approach,” PowerElectronics, IEEE Transactions on, vol. 28, no. 6, pp. 3019–3027, 2013.

[26] Y. Zhao, J. de Palma, J. Mosesian, R. Lyons, and B. Lehman, “Line-line fault analysis and protection challenges in solar photovoltaic arrays,”Industrial Electronics, IEEE Transactions on, vol. 60, no. 9, pp. 3784–3795, 2013.

[27] J. Fischer, S. Gonzalez, M. Herran, M. Judewicz, and D. Carrica,“Calculation-delay tolerant predictive current controller for three-phaseinverters,” Industrial Informatics, IEEE Transactions on, vol. 10, no. 1,pp. 233–242, 2014.

[28] S. Dhople, A. Davoudi, A. Dominguez-Garcia, and P. Chapman, “Aunified approach to reliability assessment of multiphase dc-dc convertersin photovoltaic energy conversion systems,” Power Electronics, IEEETransactions on, vol. 27, no. 2, pp. 739–751, Feb 2012.

[29] S. Bolognani, M. Zordan, and M. Zigliotto, “Experimental fault-tolerant

control of a pmsm drive,” Industrial Electronics, IEEE Transactions on,vol. 47, no. 5, pp. 1134–1141, 2000.

[30] X. Kou, K. A. Corzine, and Y. L. Familiant, “Full binary combinationschema for floating voltage source multi-level inverters,” in IndustryApplications Conference, 2002. 37th IAS Annual Meeting. ConferenceRecord of the, vol. 4. IEEE, 2002, pp. 2398–2404.

[31] B. Johnson, P. Krein, and P. Chapman, “Photovoltaic ac module com-posed of a very large number of interleaved inverters,” in AppliedPower Electronics Conference and Exposition (APEC), 2011 Twenty-Sixth Annual IEEE, Mar. 2011, pp. 976–981.

[32] T. Esram and P. Chapman, “Comparison of photovoltaic array maximumpower point tracking techniques,” Energy Conversion, IEEE Transac-tions on, vol. 22, no. 2, pp. 439–449, June 2007.

[33] H. Patel and V. Agarwal, “MATLAB-based modeling to study the effectsof partial shading on PV array characteristics,” Energy Conversion, IEEETransactions on, vol. 23, no. 1, pp. 302–310, Mar. 2008.

[34] M. Ropp and S. Gonzalez, “Development of a MATLAB/Simulinkmodel of a single-phase grid-connected photovoltaic system,” EnergyConversion, IEEE Transactions on, vol. 24, no. 1, pp. 195–202, Mar.2009.

[35] K. Ding, X. Bian, H. Liu, and T. Peng, “A MATLAB-Simulink-basedPV module model and its application under conditions of nonuniformirradiance,” Energy Conversion, IEEE Transactions on, vol. 27, no. 4,pp. 864–872, Dec. 2012.

[36] A. Maki and S. Valkealahti, “Effect of photovoltaic generator compo-nents on the number of MPPs under partial shading conditions,” EnergyConversion, IEEE Transactions on, vol. 28, no. 4, pp. 1008–1017, Dec.2013.

[37] A. Yazdani and R. Iravani, Voltage-Sourced Converters in Power Systems: Modeling, Control, and Applications. Wiley, 2010.

[38] R. Gonzalez, J. Lopez, P. Sanchis, and L. Marroyo, “Transformerlessinverter for single-phase photovoltaic systems,” IEEE Transactions onPower Electronics, vol. 22, no. 2, pp. 693–697, Mar. 2007.

[39] P. Sun, “Cascade dual-buck inverters for renewable energy and dis-tributed generation,” Ph.D. dissertation, Virginia Polytechnic Instituteand State University, 2012.

[40] R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho,X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, “The algorithmicanalysis of hybrid systems,” Theoretical Computer Science, vol. 138,no. 1, pp. 3–34, 1995.

[41] N. Lynch, R. Segala, and F. Vaandrager, “Hybrid I/O automata,” Infor-mation and Computation, vol. 185, no. 1, pp. 105–157, 2003.

[42] D. K. Kaynar, N. Lynch, R. Segala, and F. Vaandrager, The Theoryof Timed I/O Automata, ser. Synthesis Lectures in Computer Science.Morgan & Claypool, 2006.

[43] T. T. Johnson, “Uniform verification of safety for parameterized net-works of hybrid automata,” Ph.D. dissertation, University of Illinois atUrbana-Champaign, Urbana, IL 61801, 2013.

[44] T. T. Johnson, Z. Hong, and A. Kapoor, “Design verification methodsfor switching power converters,” in Power and Energy Conference atIllinois (PECI), 2012 IEEE, Feb. 2012, pp. 1–6.

[45] S. Hossain, S. Dhople, and T. T. Johnson, “Reachability analysis ofclosed-loop switching power converters,” in Power and Energy Confer-ence at Illinois (PECI), 2013, pp. 130–134.

[46] L. V. Nguyen and T. T. Johnson, “Benchmark: Dc-to-dc switched-modepower converters (buck converters, boost converters, and buck-boostconverters),” in Applied Verification for Continuous and Hybrid SystemsWorkshop (ARCH 2014), Berlin, Germany, Apr. 2014.

[47] M. Althoff, “Formal and compositional analysis of power systems usingreachable sets,” Power Systems, IEEE Transactions on, no. 99, pp. 1–11,2014.

[48] T. T. Johnson, S. Mitra, and K. Manamcheri, “Safe and stabilizingdistributed cellular flows,” in Proceedings of the 30th IEEE InternationalConference on Distributed Computing Systems (ICDCS). Genoa, Italy:IEEE, June 2010.

[49] N. A. Lynch, Distributed Algorithms. San Francisco, CA, USA: MorganKaufmann Publishers Inc., 1996.

[50] R. P. Severns and G. Bloom, Modern DC-to-DC Switchmode PowerConverter Circuits. New York, New York: Van Nostrand ReinholdCompany, 1985.

[51] R. W. Erickson and D. Maksimovic, Fundamentals of Power Electronics,2nd ed. Springer, 2004.

TRANSACTIONS ON ENERGY CONVERSION, VOL. X, NO. Y, MARCH 201X 10

Luan Viet Nguyen Luan Viet Nguyen is a PhDStudent in Computer Science and Engineering atthe University of Texas at Arlington. He graduatedwith honors in May 2013 from the MSc programat the Catholic University of America, where hehad previously earned his BSEE in December 2012.He is currently working in the Verification andValidation for Intelligent and Trustworthy AutonomyLaboratory (VeriVITAL), under the supervision ofProf. Taylor T. Johnson. His main research interestsare cyber-physical system (CPS), distributed system,

formal method, and control theory, with a focus on conducting reachabilityanalysis and building software tools to enhance the reliability of CPS.

Hoang-Dung Tran Hoang-Dung Tran is an As-sistant Lecturer in Automatic Control at Ho ChiMinh University of Transport and is a researchassistant in the Automation Group at Ton Duc ThangUniversity, Vietnam. He earned his BSEE from theGifted Undergraduate Program at Ho Chi MinhUniversity of Technology, Vietnam in December2007. He graduated from the MSc program in July2013 at the Huazhong University of Science andTechnology, China. His research interests are cyber-physical systems, networked control systems, multi-

agents systems, and control theory.

Taylor T. Johnson Taylor T. Johnson is an AssistantProfessor of Computer Science and Engineering atthe University of Texas at Arlington (since Septem-ber 2013), where he directs the Verification andValidation for Intelligent and Trustworthy AutonomyLaboratory (VeriVITAL). Dr. Johnson completed hisPhD in Electrical and Computer Engineering (ECE)at the University of Illinois at Urbana-Champaign in2013, where he worked in the Coordinated ScienceLaboratory with Prof. Sayan Mitra. Dr. Johnsoncompleted his MSc in ECE at Illinois in 2010,

earned a BSEE from Rice University in 2008, was a visiting graduate researchassistant at the Air Force Research Laboratory (AFRL)’s Space VehiclesDirectorate at Kirtland Air Force Base in 2011, and was a visiting facultyresearcher at the AFRL’s Information Directorate in 2014. Dr. Johnson workedin industry for Schlumberger at various times between 2005 and 2010 helpingdevelop new downhole embedded control systems. Dr. Johnson’s researchfocus is developing algorithmic techniques and software tools to improve thereliability of cyber-physical systems. Dr. Johnson has published over twentypapers on these methods and their applications in areas like power and energysystems, aerospace, and robotics, two of which were recognized with bestpaper awards, from the IEEE and IFIP, respectively.