Research Article | Open Access
Florian Bauer, Ralph M. Kennel, "Fault-Tolerant Power Electronic System for Drag Power Kites", Journal of Renewable Energy, vol. 2018, Article ID 1306750, 37 pages, 2018. https://doi.org/10.1155/2018/1306750
Fault-Tolerant Power Electronic System for Drag Power Kites
An approach for a fault-tolerant power electronic system for drag power kites is proposed. The key idea is to use a high number of electrical cables in the tether and leave rotor drivetrains in groups isolated on the kite, in the tether, and on the ground. The power flow is paralleled behind an uninterruptible power supply of each drivetrain group on the ground. It is shown that this approach hardly affects the overall system performance, for example, due to the anyways high optimal number of electrical cables in the tether. With this approach, a fault in one drivetrain group does only affect the same drivetrain group and a fault between two drivetrain groups affects only the same two drivetrain groups. A fuse system and a fault shut-off control for the power converters are proposed, with which also faults between two drivetrain groups lead at most to unavailability of only one drivetrain group. In particular also open circuit faults and short circuit faults in the tether are mitigated and are overall not harmful for the system and a usual multicopter-like landing is still possible. Therefore, the proposed power electronic system design has no single point of failure. A generalization and a number of variants are discussed. In detail, a number of power electronic topologies and both tether power transmission types, DC and AC, are possible. The proposed approach was verified by a high number of circuit simulations and by a proof-of-principle demonstrator. In all cases it was confirmed that any open circuit fault and any short circuit fault lead at the most to unavailability of only one rotor drivetrain group.
Kites are tethered wings and promising alternatives to harvest wind energy (cf., e.g., [1–4]). As shown in Figure 1, a kite is flown in crosswind trajectories like figure eights or circles. The considered kite has onboard (“airborne wind”) turbines and generators to generate electrical power. For minimal aerodynamic losses and mass of the tether, the electrical power is transmitted to the ground via medium-voltage electrical cables integrated in the tether . Due to the high speed of the kite, the (true) airspeed at the kite is about a magnitude higher than the actual wind speed, so that the onboard turbines are small. Before the kite flies in crosswind trajectories, the generators and wind turbines are used as motors and propellers for a vertical take-off and subsequent transition into crosswind flight. The reverse procedure is used for the landing when the wind calms down or for maintenance. This airborne wind energy concept is called “crosswind kite power/drag power”  or sometimes also “onboard power generation”; “continuous power generation”; “fly-gen”; or “airborne wind turbine” (whereby, here, this term is used for an onboard wind turbine of a drag power kite).
Compared to conventional wind turbines, crosswind kite power promises to harvest wind energy at higher altitudes with stronger and steadier winds, but by requiring only a fraction of the construction material. Hence, it promises to have a lower levelized cost of electricity (LCOE). A drag power kite with a rated electrical power of 20 kW (“Wing 7”) was developed by the company Makani Power/Google and demonstrated autonomously power generation as well as launching and landing [6, 7]. Currently, a full-scale 600 kW system (“M600”) is being developed [6–8].
The kite power plant design is a difficult, interdisciplinary challenge. Many studies investigated the control and flight path optimization (e.g., [2, 9]), but only a few studies investigated the design of the power electronic system (throughout this paper, the term “power electronic system (of a drag power kite),” or alternatively “powertrain,” means the combination of all power electronics with a high-power rating, electrical machines, rotors, electrical cables, transformers, and batteries, but not, e.g., low-power DC-DC converters to supply sensors or control electronics and the like, unless denoted otherwise): Kolar et al. derived in  that a medium-voltage DC power transmission with about 8 kV tether voltage is optimal for drag power kites. They ruled out an AC transmission over the tether, because it can suffer from high reactive currents and thus losses are caused by the high capacitance of the electrical cables of the tether. Another reason against AC is that the insulation of the electrical cables must be designed to withstand the peak voltage, which is times higher than the voltage of a DC transmission (with the same power and current rating). Hence, AC cables would be thicker. They also investigated if medium-voltage or low-voltage generators with DC-DC converters are better and decided for the latter. Figure 2 visualizes the investigated solutions.
Another approach was published in the patent  filed by Makani, in which a resonant AC transmission is proposed as visualized in Figure 3. Hereby, the electrical cables in the tether are connected to a transformer and a power electronic converter on the kite. The latter is further connected to an aerial DC bus to which the rotor drives are connected. On the ground, the electrical tether cables are also connected to a transformer and power electronic converters and then to the power grid. The (relatively high) capacitance of the tether (and possibly additional capacitors on the kite and/or on the ground) and the inductance of the transformers (and possibly additional inductors on the kite and/or on the ground) form a resonant circuit. The power electronic converters generate a voltage with an AC frequency at the resonant frequency (in the magnitude of a few kilohertz). As the transformers decouple the high tether voltage from the power electronic converters with corresponding winding numbers, the power electronic converters and the generators can have a low-voltage rating, and therefore the drawbacks of an AC power transmission can be outweighed.
Yet another approach, which employs a series connection, is shown in Figure 4. This concept was developed independently by the authors  and Makani . Herein, the rotor drives are connected partly in parallel and partly in series on the DC-side to avoid DC-DC-converters and yet use lower-voltage power electronics and machines. However, the voltage balancing is coupled with the overall kite moment control and is thus challenging. In  a current-source DC-link is also discussed briefly but discarded.
Finally, a variation of that series connection is disclosed in another Makani patent  and shown in Figure 5. Herein, a machine is divided into several submachines (e.g., single-phase or three-phase). Each submachine has one converter and all submachine converters are connected in series on the DC-side. One advantage of this concept is the simplified voltage balancing which is then only coupled with the overall torque of a single machine.
In all mentioned works, fault tolerance was of minor interest. Several rotors and several DC-DC converters were ultimately proposed in  (instead of, e.g., a single DC-DC converter on the kite and on the ground) to obtain some level of fault tolerance through redundancies. This is similarly an obvious possibility also for the other mentioned approaches. The only further detail about fault tolerance mentioned in [10, 12, 13] is that “[m]aterials may be selected [chosen] to allow for a  redundant and/or fault-tolerant design.” Other works considering the electrical system of a drag power kite or its fault tolerance were not found. However, a high reliability through fault tolerance can be considered as a very important design goal, such that a crash of the kite, particularly for a multimegawatt system with a kite mass of several tons, is the maximum credible accident, which should have only a negligibly low probability of occurrence. As visible in Figures 2–5, the previously proposed systems do have single points of failures, for example, a short circuit in the tether cables, with which a landing in multicopter mode would be impossible. Even though it could be possible to obtain a relatively low probability of such a failure, for example, by high quality manufacturing, a more reliable solution is a power electronic system design without a single point of failure—note that batteries onboard a multimegawatt kite, which are able to supply the rotors for a multicopter-like (emergency) landing, are not an option, because a high power and energy would be required for which the batteries are likely unfeasibly heavy (cf. ). Similarly, a hybrid solution, for example, with a gasoline engine might be too heavy and/or too complex.
This was the motivation for this study: the results of the mentioned previous works were used as basis to extend the power electronic system design with the goal of no single point of failure and thus with a very high fault tolerance. In particular, the contributions of this study can be summarized as follows: (i) characterization and problem description of the design of the power electronic system (or powertrain) of a drag power kite without single point of failure; (ii) proposal and theoretical investigation of a solution; (iii) verifications through simulations and experiments; (iv) discussions to obtain a drag power kite without any single point of failure (besides the power electronic system).
This study is organized as follows: the next section describes the design problem and derives specific requirements for the power electronic system of a drag power kite. Section 3 proposes solutions and Section 4 presents simulative and experimental verifications. Section 5 discusses the proposed solution and if a drag power kite design without any single point of failure is possible. Finally, Section 6 gives conclusions, recommendations, and an outlook.
The here presented concepts are patent-pending. Parts of this paper’s contents are included in the patent application, which, however, was not published at the time of the submission of this paper. In addition to the descriptions in the patent application, this paper provides more figures, more references, and more simulation and experimental results.
2. Problem Description
2.1. Generalized Power Electronic System
Figure 6 shows a generalized block diagram of the power electronic system of a drag power kite; from right to left: the power from the wind is harvested and converted by rotors and electrical machines (i.e., motors/generators) into electrical power. Rotating field electrical machines (hence multiphase AC electrical power), in particular permanent magnet synchronous machines, are preferable, as these machines achieve the highest power-to-mass ratio and efficiency compared to other AC-machines or DC-machines. The electrical machines are controlled by power electronic converters (second block from the right) which may include also further converters, such as DC-DC or AC-DC. The electrical power from the kite power electronic converter(s) is transmitted via electrical cables in the tether at the transmission voltage to the ground station power electronic converters (second block from left). They convert the transmission voltage into the grid voltage and may also include grid transformers (50 Hz or 60 Hz). The power transmission is bidirectional. Note the generality of Figure 6: it includes all concepts mentioned in the motivation and Figures 2–5.
2.2. Subsystem Failure Modes
In any of the shown blocks in Figure 6, faults can occur, whereby only the two electrical failure modes of open circuits and short circuits are reasonable. Note also that, for example, a fault in a microcontroller of a power electronics converter stops that converter from operating which is thus like an open circuit, or, for example, an overvoltage can damage an insulation which thus can lead to a short circuit.
There are further possible failures, for example, of mechanical nature with effects on the power electronic system, for example, a tether tear. However, as this study focuses on the fault tolerance of the power electronic system, these failures are of less interest, but preventions are discussed below in Section 5.
2.3. Number and Placement of Rotors
During crosswind flight, the airspeed is usually high enough such that the control surfaces (which are usually fault-tolerant or redundant themselves) can control the kite alone. Therefore, a stable crosswind flight is usually also possible if one or more rotors have a failure and are not available. However, during hovering, that is, launching and landing, the rotors are the only (or most important) actuators with which the kite can be kept airborne and under control. Even if a rotor fails during crosswind flight instead of during hovering, the kite needs to be landed/hovered to the ground station for maintenance. Therefore, for designing a fault-tolerant power electronic system, hovering is the worst case and is the only mode that needs to be further considered.
As the kite is a (tethered) multicopter during hovering, all fault tolerance measures for fault-tolerant multicopters can be applied (cf., e.g.,  and references therein). For multicopters, the higher the number of rotors is, the higher the fault tolerance is and, depending on the system design, possibly even without special measures in the control algorithm (cf., e.g.,  and references therein). Moreover, the higher the number of rotors is, the smaller the percentage of missing thrust is (and moment), the higher the rotor efficiency is due to lower rotor disk loadings, and hence the lower the power excess is to maintain hovering thrust during a rotor failure (cf., e.g., ).
Another important design choice is the placement of the rotors with respect to the center of mass of the multicopter/kite and their rotation direction (clockwise or counterclockwise). Usual multicopters have a somewhat symmetrical placement, for example, in a circle or in two rows as in Figure 7, whereby one or more rotors are placed in each of the horizontal axis directions (in Figure 7: , , , and ) some distance apart from the center of mass. The placement and rotation direction are usually chosen such that an arbitrary 3D moment can be generated by differential angular speeds of the rotors. A difference to usual multicopters is that the kite is tethered. Therefore, the kite should always pull (slightly) on the tether via a (small) pitch angle such that the tether is always under tension and does not drag on the ground and tether angle sensors as in  are usable. If a “Y”-like bridling as in Figure 7 is chosen to connect the tether to the kite, the movement about the vertical axis is constraint (or more precisely, there is a restoring tether bridling moment if the yaw angle does not coincide with the azimuth angle) , with which the rotor moment about the vertical axis and thus the rotor rotation directions might be irrelevant and all rotors can even rotate in the same direction.
Many rotor numbers and placements are possible. However, with the discussion above, and to obtain a level of fault tolerance where at least one rotor can fail, a meaningful number of rotors is six, eight, or a higher even number. Moreover, in a symmetrical design any rotor has a counterpart rotor which is point symmetrical with respect to the center of mass (cf. Figure 7). This allows for a conservative estimation: if one rotor fails, the counterpart rotor needs also to be turned off to balance the moments. The thrusts of the remaining rotors are increased to compensate the missing thrust for maintaining hovering. This estimation also allows that any two point-symmetrical rotors can fail simultaneously. In this study, a kite dimensioning is considered in which the excess thrust and power at least in one of these two rotor fault cases are available.
2.4. Drag Power Kite Tether
Figure 8 shows the considered tether design, which is similar to [5, 18]: the tether has(i)a mechanical load carrying core (black), made of a material with a high strength-to-weight ratio such as Dyneema,(ii)electrical load carrying cables around the core in a helix along the tether, with positive litz wires (red)/negative litz wires (blue) (note that also for AC two electrical cables are needed, for which arguable better labels might be “life wires 1 and 2”; however, for the sake of simplicity, “positive and negative wires” are used throughout this study), insulation (dark grey), “half-conducting” grounded shield (green) to control the electric field and possibly to ground the kite’s frame, and jacket (medium grey) for mechanical protection (of the shield/electrical cable), and(iii)an outer jacket (light grey), for mechanical and weather protection of the tether.
The voltage between a positive and a negative electrical wire is the transmission voltage, but for a minimal insulation width the transmission voltage is “centered around ground”; that is, the voltage rating of one electrical cable is only half of the transmission voltage (plus safety margin) and the transmission voltage of an electrical cable against ground is either plus or minus half of the transmission voltage. Under stress, the core strains and constricts. Due to the latter and the helical placement of the electrical cables, the electrical cables can follow the strain like a spring with low stress. The tether jacket is assumed to be flexible enough under strain. In between the electrical cables, also optical or conductive communication cables can be placed. Around the core an additional strain-relief layer could be placed as proposed in . The tether’s aerodynamic drag is proportional to the tether’s diameter but independent of the airflow direction, because the tether is round. As the tether is round, it can also easily be wound on a drum.
In Appendix A, a model for the exact tether dimensions is derived, based on the desired rated strength, rated voltage, rated electrical power, and rated electrical transmission efficiency.
2.5. Problem Formulation
With the discussion of the last subsections, the fault-tolerant power electronic system design problem can be formulated as follows: find a power electronic system design (or topology or interconnections) in which(R1)a bidirectional power transmission with a medium-voltage in the electrical cables in the tether is possible,(R2)a short circuit current in any component is stopped to prevent further failures such as a fire,(R3)during a short circuit and after its mitigation (e.g., by a fuse or an overcurrent shut-off) the voltages in all electrical wires remain within the maximum safe design voltage,(R4)the end-effect of a fault (open or short circuit) and its mitigations only lead to the fact that either(R4-a)no rotor is unavailable in motor mode,(R4-b)any single rotor is unavailable in motor mode,(R4-c)any two point-symmetric rotors with respect to the center of mass are unavailable in motor mode, or(R4-d)any two rotors are unavailable in motor mode, if the power and thrust of the remaining rotors are so large, that stable hovering is still possible in such a fault case.
Note that the worst case in Requirement (R4-d) is that two neighboring rotors far away from the center of mass fail; that is, for example, the two leftmost rotors in Figure 7 fail, by which also the two rightmost rotors have to be turned off to balance the moments in a conservative estimation. Therefore, if only eight rotors are considered, half of the thrust and power can become unavailable. However, the required high thrust and power, or vice versa the required high number of rotors, to fulfill Requirement (R4-d) might be impractical in a drag power kite plant realization. Therefore, also a solution without Requirement (R4-d) is desirable, which is why it is written in italic.
3. Proposed Solution
3.1. Basic Idea: “Isolated Drivetrains”
As shown in Figure 8, a number of electrical cables are integrated in the tether, whereby a relatively high number of cables is meaningful such that the tether has a small diameter. The key idea of the proposed solution is to not connect together all of the positive cables to one single positive potential and all of the negative cables to one single negative potential, respectively, neither on the kite nor on ground, as in Figures 2–5. Instead, as visualized in Figure 9, one electrical cable pair is part of a single rotor drivetrain (throughout this paper, the term “(rotor) drivetrain” means the combination of rotor, corresponding machine(s), and corresponding drive power electronics both, onboard the kite and on the ground). Here, only the special case of a DC transmission and paralleled power flow at the AC-grid is considered, but the concept is generalized below in Section 3.3. In Figure 9, each “isolated drivetrain” consists of a rotor, an electrical machine, AC-DC converters, and, in case of low-voltage electrical machines, possibly DC-DC converters, to which an electrical cable pair of the tether is connected. On the ground, each electrical cable pair is connected to its own uninterruptible power supply (UPS) and its own ground station power electronic converters, before the power flow is paralleled for the injection into the AC power grid. Hereby, a block “ground station power electronic converter(s) ground” includes a potential isolation (most practical by a grid-frequency or medium-frequency transformer as, e.g., in Figure 2) to obtain constant tether transmission voltages against ground. Obviously, with this approach, each rotor drivetrain is isolated (electrically insulated) from all other rotor drivetrains.
For this concept, the following drag power kite plant design measures are necessary: (i) the number of electrical cables in the tether is constrained to twice the number of rotors. (ii) A series connection of rotor drives as in Figure 4 is not possible. (iii) More electrical cables on the kite are needed, as each rotor drivetrain is connected to the tether instead of to a single high-power bus (cf. Figures 2, 3, and 5). (iv) A UPS for each rotor drivetrain is installed on the ground.
However, these measures and their effects on the system performance, costs, and kite mass can be evaluated as minor, if not negligible: (i) Figure 10(a) visualizes the cross section design of a tether with dimensions for a multimegawatt kite based on the model and parameters in Appendix A and Table 1. It has the optimal number of electrical cables to minimize the tether diameter and thus the tether’s aerodynamic drag. Figure 10(b) shows the tether with same ratings, but electrical cables, to consider “isolated drivetrains” with eight rotors for a kite similar to Figure 7. As highlighted in Table 1, the tether diameter is hardly increased and the tether mass is even decreased. In addition to that, parameter sensitivity studies as in  showed that the number of electrical cables in the tether has only a low sensitivity on important figures of merit of the kite power plant. (ii) A series connection as in Figure 4 might be discarded anyways, for example, because of its challenging control. (iii) The electrical cables onboard the kite are so short that the additional mass and complexity are small, if not negligible. However, a to-be-mentioned drawback of the proposed solution compared with paralleled drivetrains is that the tether efficiency is lower if the rotor powers are unequal, because then the current load in the tether cables is not shared equally (the power loss of a cable is proportional to the square of its current). Nevertheless, also that can be evaluated as negligible, because usually the tether transmission efficiency is anyways rather high and all rotors have almost the same power in normal operation. (iv) A UPS on the ground is required anyways to hover the drag power kite to the ground station during a grid fault. With the proposed solution, the power and energy rating that a single UPS would have is just split into smaller UPSs. However, neither the total power rating nor the total energy rating, which define the costs of UPSs, needs to be changed. Note that the UPSs are placed on the ground and therefore their mass is irrelevant and thus may consist, for example, of low cost and heavy lead acid batteries.
is the number which minimizes the tether diameter , found by the optimization described in Appendix A.10.
3.2. Fuse System and Control Approach
With the proposed solution in Figure 9, faults inside any drivetrain affect only the same drivetrain (e.g., a short circuit in a machine winding or in a power electronic component) and faults between any two drivetrains affect only those two drivetrains (e.g., a short circuit between a wire of one and another rotor drivetrain). Therefore, with corresponding straightforwardly placed fuses (or overcurrent shut-offs), in the worst case only any two drivetrains become unavailable. Concluding, if the power and thrust of the drivetrains are so large, that stable hovering is still possible even if two neighboring rotors far away from the center of mass fail, and then all Requirements (R1)–(R4-d) are already fulfilled.
However, as mentioned in Section 2.5, it is desired that Requirement (R4-d) can be dropped. Therefore, a fault between two drivetrains must lead at most to unavailability of only a single rotor, because those two drivetrains might be not point-symmetric with respect to the center of mass, and unavailability of both rotors might thus not fulfill Requirement (R4-c). For that, the fuses (or corresponding overcurrent shut-offs) shown in Figure 11 are proposed and detailed in the following subsections. Hereby, only two drivetrains and the shields of the other drivetrains are drawn, and the parts drawn in grey are only for the generalization described below in Section 3.3.
3.2.1. Underlying Assumptions
The circuit diagram in Figure 11 and the derived fuse system in the next subsections are based on some assumptions which are highlighted and justified as follows.
Assumption 1. The ground power electronic converter(s) and the kite power electronic converter closest to the tether behave like controlled DC current sources in parallel to a capacitor.
Indeed, a power electronic converter or the combination of power electronic converter and machine has filter capacitors and an inductance which is a current source. Moreover the currents are controlled by a pulse width modulation (PWM) with a usually high PWM frequency. Therefore, Assumption 1 can be justified.
Assumption 2. Parasitic capacitances, parasitic inductances, and parasitic resistances are small.
For the design of a fuse system, this assumption can be justified, because the parasitics mainly define a short circuit current’s settling time, its steady-state value, and the value of a temporary overvoltage for an open circuit or a fuse opening event (which however can be limited, e.g., with snubbers). As the parasitic resistances in the tether and ground cables might be significant and required in a circuit simulation, only those are drawn small in Figure 11.
Assumption 3. The UPSs are the main short circuit current drivers and a short circuit current is significantly higher than the rated current of ground power electronics converters, tether, and kite power electronics converters.
This assumption is true with the following conditions: (i) steady-state is reached; that is, for example, in short circuit S2 the capacitor C2a is discharged (in this fault to half of the rated voltage, with a possibly very high current, but only for a very short time). Therefore the fuse timings must be slower than such discharge processes. (ii) A UPS consists of series connected batteries or low-voltage to high-voltage DC-DC converters (connected to a voltage source such as batteries on the low-voltage side) with corresponding power rating. The latter might be more practical, as a high tether voltage in the magnitude of several kilovolts is required, whereas the voltage of a single lead acid battery cell is only ≈2 V and would thus require a very long string. Moreover, the DC-DC converters can keep the tether voltage (UPS voltage) more constant (apart from a short circuit) almost independently of the load and battery charge. Those DC-DC converters must then be rated (at least) for the rated power needed for hovering (steady-state) and to drive a high short circuit current at least for a short time. If the DC-DC converters have enough overloading capability for a short time to drive a high enough short circuit current, they can have the same rated power as a rotor drive.
Note that Assumption 3 simplifies the fuse system design, as the fuses can be selected to open at a significantly higher current than the rated current and a short circuit current is mainly driven by a UPS while the grid and onboard power electronics behave like open circuits during a short circuit.
Assumption 4. There is only one independent fault at a time.
This is a usual assumption for a fault analysis and can be justified by a very low if not negligible probability of occurrence of two independent faults at (almost) the same time and by considering that the kite is landed and repaired if there is a fault (particularly if the then-altered system would have a single point of failure). This is also the reason why only two drivetrains are drawn in Figure 11 and are investigated in the remainder of this study. Note that dependent faults are considered; for example, if a fuse opens during a short circuit fault, the resulting dependent fault is similar to an open circuit for which Requirements (R1)–(R4-c) must be fulfilled.
3.2.2. Considered Faults
Figure 11 visualizes the considered open (O#) and short circuit faults (S#). Note that hundreds of more faults are possible, but here only representative faults are investigated; for example, there could be also a short circuit between the cathode of a diode of a UPS and the anode of the battery of the same UPS, but it would have a very similar effect as short circuit S1. Note also that it is not relevant at which specific item a fault occurs; for example, S2 could be close to the ground or close to the kite or even on the ground or onboard the kite. Moreover it is not relevant what caused the fault or how high the probability of that fault is, as the goal is a system design to fulfill Requirements (R1)–(R4-c) and therefore without single point of failure, even though, for example, the cross-drivetrain short circuits on ground S17–S22 are extremely unlikely or even close to impossible with a reasonable routing and ground station design.
3.2.3. Fault Analysis and Derived Fuse Ratings
Obviously the open circuit faults O1–O7 lead at most to unavailability of only one drivetrain in motor mode. In particular only O2 and O4 make drivetrain (a) unavailable in motor mode, whereas O1 and O3 have no effect and in O5–O7 the UPSs step in. Hereby, O7 stands for a grid fault with which the power flow of all ground power converters is stopped and all UPSs step in (in motor mode).
To mitigate the short circuit faults, the (relative) fuse ratings in Table 2 are proposed, where is the current through fuse F, is the maximum expected current during normal operation (including temporary overload and a safety factor; i.e., is significantly higher than the rated current), is the time delay of a fuse, whereby a fuse is considered to open when the “opening condition” is met over the time delay , and is the minimum time delay which assures that a fuse opens only due to a short circuit current driven by UPSs (cf. Assumption 3 and its justification) and, for example, that no fuse opens due to a start-up process (e.g., during initial charging of C2#). Table 2 originates from analyzing the short circuit faults in Figure 11: Fault S1 requires fuses F5# and F6# near the UPS voltage source. However, that fuse must be slower than all other fuses to isolate faults. For example, S14–S16 and S18-S19 require fuse F1# or F2#, both faster than F5# and F6#, such that the short circuit current is stopped, but only the grid connection is separated and the UPSs can step in; that means, the drivetrains would be still available in motor mode. Similarly, F3# and F4# must both be faster than F5# and F6# for S2–S4, S6–S8, and S10–S12. Note that the cross-drivetrain short circuits between equal potentials S5, S9, S13, S17, and S20 might be not harmful and have no effect if the voltages of both drivetrains are (exactly) equal. For the cross-drivetrain shorts in the tether between unequal potentials S7 and S11 (unregarded short circuits to a shield of another drivetrain S6, S8, S10, and S12, as shields of both drivetrains are connected to a single ground and are thus similar either to S2 or to S3), the timings of F3# and F4# must be different; otherwise fuses of both drivetrains would open in S7 and S11 and would thus make both drivetrains unavailable. For example, S7 would lead to a high short circuit current in F3a and F4b. If F3a opens faster than F4b, then only F3a opens and only drivetrain (a) becomes unavailable (and vice versa if F3a opens slower than F4b). Similarly for S18 and S19, the timings of F1# and F2# must be different. Finally, for S21 and S22, fuses F1# and F2# should be faster than F3# and F4#, such that the UPSs stay available for a rotor and thus both rotors stay available for motor mode; otherwise one rotor drivetrain would be disconnected from a UPS and would thus become unavailable (which however would comply with the specified requirements). Note that all fuses at equal positions in the different drivetrains have equal ratings; that is, for example, F1a has the same ratings as F1b, F1c, and so forth (cf. Table 2).
3.2.4. Ground Converter Control
A grid power electronics converter, that is, a current-source I1#, is controlled as follows: During normal operation, the positive and negative voltages, respectively, are controlled to their rated values. With the simplified circuit model in Figure 11, that voltage controller can be just a P-Controller, whereby the current demanded or generated by the rotor drive onboard the kite is seen as disturbance of the voltage feedback control loop.
If the voltage drops below a threshold longer than a certain time threshold, then the current flow of the corresponding current-source I1# is stopped. This is to stop driving a short circuit current, for example, in case of S14 (although that current, driven by I1pa, would be limited to the rated current).
It should be noted that no overvoltage shut-off is considered for the ground converter control, because the ground converter should always keep trying to reduce an overvoltage by injecting current into the grid.
3.2.5. Kite Converter Control
The kite converter is considered to be controlled as follows: in normal operation, I2# simply injects a (positive or negative) current, depending on the demands of the kite’s flight and power controllers.
If the voltage exceeds a high-threshold and if the drive is operated in generator mode, then the current is stopped immediately to prevent a further increase of the voltage and possibly damage. This can happen, for example, in fault O2. In a real drive with a three-phase AC machine converter, this is done by controlling the torque or the d- and q-currents, respectively, to zero. Note that this is usually possible highly dynamically.
Moreover, the current flow of the corresponding current-source I2# is stopped, if (i) the voltage drops below a low-threshold longer than a certain time threshold or if (ii) the voltage drops below a shut-off-threshold or if (iii) the positive wire’s and negative wire’s voltage against the shield (i.e., kite frame K or ground GND if there were no parasitics) exceed an imbalance threshold longer than a certain time threshold. This is to prevent further driving a short circuit current; for example, during generator mode there would be an undervoltage in case of S4 (although that current, driven by I2a, would be limited to the rated current) and an imbalance-voltage in case of S2. Note that the latter might not necessarily be also an undervoltage at kite converter (a), depending on the threshold values, currents, and parasitic resistances, which is why the proposed voltage-imbalance shut-off is necessary.
One may also find another way to stop a short circuit current in the shields in case of S2 during generator mode. One possibility can be to also place a fuse into the shield (geometrically between F3 and F4 in Figure 11) and connect GND to the shields only (i.e., move the GND connection to the right of F3 and F4 in Figure 11). However, a drawback would be that at least one shield fuse can open in case of S2 (and other faults) and therefore the positive and negative potentials of at least one drivetrain can be floating, which can lead to high voltages of the positive and negative wires against the shield, unless further measures are considered (e.g., ohmic balancing or a sort of active balancing with active components). Due to its complexity, such a solution is not considered here.
3.2.6. Note on Fault Detection
In most fault cases, the fault detection is straightforward: The power flow in most open circuits is interrupted. This is obviously detected by the ground or kite converters and can be communicated to the flight controller to schedule a landing. Similarly, many short circuits lead to a fuse opening with which the power flow of the corresponding drivetrain is also interrupted.
Only a few faults could remain undetected, unless further measures are implemented: for example, open circuit O1 has no effect on the power flow, until that UPS is needed. Moreover, O3 can have no effect as there are other paths of the shield potential. Other possibly undetected faults are shorts between equal potentials S5, S9, S13, S17, and S20. These faults might not lead to immediate harm or immediate unavailability of a rotor but can lead to further faults if they remain undetected. In particular shorts between two shields can be caused by two electrical cables rubbing against each other, which would likely continue, damage the shields and the insulation, and ultimately lead to a wire-to-wire or wire-to-shield short. Moreover, shorts between two positive or two negative wires can lead to a current through the shields, GND, or a current, which is higher than the rated current through a litz wire, if the voltages of the affected drivetrains are not exactly equal, which might or might not have further effects, for example, electromagnetic interference (EMI) or damage. A detection and repair are therefore highly desired; in particular because an additional fault could lead to a single point of failure (e.g., two undetected open circuit faults O1 in two not point-symmetrical drivetrains and then a grid fault O7). A possible approach to detect such faults is measurements of currents and voltages (e.g., including the current through shields and GND), impedance measurements, or insulation tests, all of that before kite-launching or online during flight; for example, S5 could be detected by correlating the measured currents (or/and voltages) on the ground with measured values on the kite. However, not all such faults might be detectable during flight, for example, S9. Moreover, an online detection requires the transmission of communication signals, could be faulty itself, and in the worst case could cause a single point of failure. Therefore, system integrity checks prior to kite launch (e.g., with the mentioned test approaches), or simple current and voltage measurements and correlations during flight, with which the flight controller is commanded to schedule a landing if a (possible) fault is detected, seem most practical. A further investigation of fault detection is out of scope of this study and is therefore not further detailed. However, because of the difficulty to detect some faults, the wire-to-wire shorts are not excluded from the fault-tolerant system design/fault protection design and from the fault analysis (i.e., they are considered as dependent faults, when referring to Assumption 4), even if all electrical cables have shields and thus first S9 or O3 might occur, for example, if two electric cables in the tether rub against each other.
3.3. Generalization to “Isolated Drivetrain Groups” and Variants
The proposed solution can be generalized as visualized in Figure 12. In the following this generalization and variants are explained.
3.3.1. Kite Power Electronics and Number of Electrical Cables in the Tether
On the kite’s side, instead of only one rotor also two point-symmetric rotors can be connected to a tether cable pair and can thus be summarized to one “isolated (rotor) drivetrain group.” This is possible because any fault investigated in Section 3.2 leads to unavailability at most of only a single drivetrain; however with Requirement (R4-c) two point-symmetrical rotors are allowed to fail (and also, with only one rotor per drivetrain group, the point-symmetrical rotor would be turned off anyways, at least in a conservative estimation, as mentioned in Section 2.3). Therefore, the number of electrical cables in the tether must be not twice the number of rotors but equal to the number of rotors, or multiples thereof because several cable pairs can be used for a single isolated drivetrain group as visualized in Figure 12. Note that, in the special case of eight rotors and the considered tether design and parameters, the optimal number of electrical cables can actually be used (cf. Figure 10 and Table 1). With another number of rotors or other dimensions for the tether but two point-symmetrical rotors in one drivetrain group, at least a number of electrical cables closer to the optimum can be achieved. Moreover, in case of low-voltage machines, either one DC-DC converter for each machine as in Figure 2 (K-B) or a single DC-DC converter for the two point-symmetrical machines as in Figure 2 (K-C) can be considered.
3.3.2. Ground Power Electronics
There is a number of possibilities for the choice of the ground power electronic converters, which are divided into three parts in Figure 12 and could also consist only of electrical cables: for example, in the baseline design in Figure 9, the “power electronic converter(s) ground (A)” and “(C)” are just cables, whereas “(B)” consists at least of a DC to three-phase AC converter and a transformer.
Instead of using DC-DC converters just for a UPS as mentioned in Section 3.2.1, it might be more meaningful to use a bidirectional DC-DC converter for the block “power electronic converter(s) ground (A),” such that the UPSs are connected already to a low-voltage bus. This seems to be particularly meaningful, if the tether voltage is much higher than the grid voltage.
Instead of paralleling the power flow on the AC side as in the baseline design in Figure 9, the power can also be paralleled on the DC-side left to the UPSs in Figure 12; that is, “power electronic converter(s) ground (B)” are just cables and “power electronic converter(s) ground (C)” is as in Figure 2 (G-A) or (G-B).
Obviously, the power flow could also be paralleled in another DC or AC voltage bus. In the first, “power electronic converter(s) ground (B)” would be a DC-DC converter (with or without isolation, i.e., e.g., with or without medium-frequency transformer) and “power electronic converter(s) ground (C)” would be a DC-AC converter (with isolation, i.e., e.g., with grid-frequency or medium-frequency transformer if there is no isolation in the DC-DC converter).
For the specific choice of the ground power electronics, there are only a few requirements. Ultimately, Requirements (R1)–(R4-c) must be fulfilled, which is likely the case if the equivalent circuit diagram in Figure 11 with the assumptions in Section 3.2.1 are valid for the chosen topology. In particular, the power flow must be only paralleled left to the UPSs (cf. Figures 11 and 12). In case that the block “power electronic converter(s) ground (A)” consists of a power electronic converter (e.g., DC-DC), fuses F3# and F4# could also be counted as part of the power electronics hardware and software, but with the same shut-off behavior as derived in Section 3.2. Moreover, it seems meaningful that the UPSs have a constant potential and therefore there should be isolation in “power electronic converter(s) ground (B)” or “(C).”
3.3.3. Other Power Transmissions
Besides a DC transmission, also an AC transmission as in Figure 3 is possible, for which “power electronic converter(s) ground (A)” is a medium-voltage transformer and an AC-DC converter (i.e., the right part of the “ground station” in Figure 3). As mentioned in the previous subsection, those power electronics only need to behave like the equivalent circuit diagram in Figure 11. Instead of absolute values for the fuse opening conditions, effective values might be more practical.
A three-phase AC transmission in a similar way can also be imagined, that is, three tether cables for each drivetrain would be used instead of two as in Figure 12. With that, the machine converters or/and DC-DC converters could be placed on ground and thus only (high-voltage) machines are required on the kite. However, as mentioned in the motivation, a three-phase AC transmission comes with a number of disadvantages, and if all converters are placed on the ground the voltage frequency in the tether is defined by the machine’s speed. Besides that, most sensors and the flight controllers would be placed onboard the kite whereas the controllers of important actuators would be placed on the ground, with which a highly reliable and fast real-time communication would be required. Therefore, three-phase transmission approaches are not considered here.
As mentioned in Section 3.1, a series connection of rotor drives as in Figure 4 is not possible with the here proposed approach, unless each isolated rotor drivetrain group consist of such a series connection and unless unavailability of any rotor drivetrain group (i.e., unavailability of a relatively high number of rotors) does not lead to uncontrollability of the kite. This would only be possible, if a very high number of rotors (and/or machines) would be used. Moreover, if a current-source transmission is considered (cf. ) instead of the here considered voltage source DC or AC transmission, adjustments to the fuse system and control approach are necessary, because a short circuit current would be as high as the rated current and an open circuit would lead to very high voltages.
3.3.4. Electrical Cable Placement in the Tether
To decrease the probability of the cross-drivetrain group short circuits in the tether, S7 and S11, which lead to unavailability of one rotor drivetrain group, the electrical cables in the tether should be placed in the pattern (+−)(−+)(+−)… visualized in Figure 13. By that, S7 and S11 are (extremely) unlikely (at least inside the tether, but with a reasonable routing and measures also on ground and onboard the kite) while the shorts S5 and S13 become more likely as cross-drivetrain group faults, which however (likely) do not lead to unavailability of a drivetrain group (cf. Section 3.2). Moreover, if an insulating material (e.g., light foam) or spacers are placed in between the gaps of the electrical cables in Figure 13, wire-to-wire shorts in the tether are even more unlikely. Finally it should be noted that faults should generally be made unlikely by good design, manufacturing, and quality control.
3.3.5. Brake Choppers
The grid fault O7 has an effect on the kite’s flight control during generator mode, because in this fault all rotors stop suddenly generating thrust and therefore the kite’s overall drag is suddenly reduced significantly. Note that this fault can occur at any time, including when the kite is diving towards the ground in a circular crosswind flight path. This can lead to a sudden acceleration of the kite which can be a challenge for the flight control system. To mitigate or eliminate that effect, brake choppers should be installed in each rotor drivetrain group onboard the kite (e.g., a small version for low mass) and/or on ground (e.g., a possibly bigger version due to no mass restrictions). Particularly with the latter the full-rated power could be turned into heat on ground (for a few seconds, depending on the ratings of the brake resistors) and the flight controller can schedule a normal transition into hovering and landing. As soon as the machines demand power from the ground, the UPSs step in. If (at least small) brake choppers are also installed in each drivetrain group onboard the kite, the turn-off of a rotor, for example, during fault O2 (if that is in the tether) would be also less abruptly. However, if such a fault occurs right at the rotor drive power electronics, there would be an immediate shut-off of that rotor anyways, though the abrupt change of the total rotor drag is rather small (e.g., only 1/8 for 8 rotors). Therefore, brake resistors only on ground seem to be the best choice.
3.3.6. Grounding and Power Electronic Topologies
So far it is considered that the cable shields are grounded and that the tether transmission voltage is “centered around ground.” Therefore, per drivetrain group, two UPSs and two ground converters (or parts thereof) are considered—one for the positive voltage and one for the negative voltage. Moreover, the voltage of a UPS is (implicitly) considered to be a (bit) lower than the set voltage of a ground converter; otherwise a UPS could operate even though there is no fault. This might be an unwanted operation which is also a reason for considering diodes (whereby the diodes can also be the body diodes of power electronic switches like MOSFETs or IGBTs to enable a controlled recharging of the UPSs). Therefore, in the normal operation case, the potentials are defined by the ground converters and in a fault case, where a UPS steps in, at least one potential is defined by that UPS. To avoid currents over the shield (“ground loop”), the kite power electronics connected to the tether is considered to be not connected to the shield (or kite frame K or ground GND), even if that part of the kite power electronics consists of a point whose potential is theoretically or in normal operation equal to the shield, like in series connected DC-DC converters as in  or in a multilevel converter. If there is an isolation instance within the kite power electronics, the potential of the isolated part can be chosen freely, of course. As mentioned above, an isolation to the grid is necessary in one of the ground power electronic converters, if the tether potentials shall be (approximately/nominally) constant and if the grid voltage is AC. Obviously, the part of the ground power electronics connected to the tether requires a topology which behaves like two voltage sources (or more precisely two current sources which control a voltage) connected in series. Here, a possibility is also series connected DC-DC converters without or with isolation as in  or a multilevel converter. Nevertheless, these limitations for the choice of power electronic topologies can be evaluated as modest, because the voltage in the tether is very high for which a modular approach is anyways a usual solution.
If instead, for the part of the ground power electronics connected to the tether, a topology which behaves like a single voltage source shall be considered, a passive (ohmic) or active centering could be also possible, but the shut-off control described in Section 3.2.4 has to be extended, for example, with a shut-off for voltage-imbalance. Otherwise, the potential in the tether can be increased to and stay at up to three times its rated value (e.g., during S18). Moreover, further measures might be necessary, to fulfill all requirements or to limit the voltages during fault cases.
It is also thinkable to not connect the shield or the kite’s frame to ground. However, the danger for testing personnel, already in machine hall tests for prototypes, might be an unacceptable risk, which is why such an approach is not considered in this study.
Moreover, also electrical cables without shields are thinkable. A similar approach as the proposed solution can be utilized to obtain a fault-tolerant system, maybe only with minor adjustments to the fuse system and converter shut-off control. However, the kite frame can only be grounded high-ohmic (which might be an unacceptable risk for testing personnel) or with at least one additional ground wire in the tether, and the electrical cable insulation would need to be much thicker or all electrical wires would need to be embedded in materials with similar or the same permittivity to sustain the electric field imposed by the voltage in the tether wires, because the electric field might then be not anymore (almost purely) radial from the litz wire. Therefore, also an approach with cables without shield is not considered in this study.
3.3.7. Fault-Tolerant Fuses
A fuse fault is not explicitly considered in the fault analysis and in the fault-tolerant system design described in Section 3.2, because a short circuit fault and a fuse fault at the same time would be two independent faults at the same time, which are excluded by Assumption 4.
However, to decrease the probability of a false-open or, worse, a false-not-open of a fuse and thus further increase the fault tolerance, redundant fuses, that is, fuses in parallel or/and in series, can be an option. However, a false-open leads to one of the covered open circuit faults and a false-not-open likely leads to opening of another fuse (which, nevertheless, might infringe one of the set requirements), because most short circuit currents go at least through two fuses. An exception to the latter is S1; that is, at least at the UPS voltage source it is meaningful to use (at least) two series connected fuses. Moreover, adjustments to the converter shut-off control might be necessary when considering all faults together with any fuse fault.
In Section 3, lead acid batteries were considered as UPS voltage, power, and energy source. Although lead acid batteries are robust, maintenance-free, and of low cost—even for a multimegawatt system they would make only a small fraction of the total costs—also other sources are thinkable including batteries from other materials, for example, lithium, ultracapacitors, flywheels (but must be rotating practically all the time when the kite flies, as a grid fault can happen at any time), fuel cells, gasoline or diesel generators (preferably, e.g., ethanol or biodiesel from a renewable source but also require batteries as such generators need some time to start), gas turbines (preferably with methane or hydrogen from a renewable source but also require batteries as gas turbines need some time to start), or combinations thereof.
The best choice of the kite power electronic converters, ground power electronic converters, and the UPSs is likely an economical decision which minimizes costs and complexity. An interesting possibility can also be the use of different types of power electronic topologies and UPSs or manufacturers thereof for the different drivetrain groups, with which a high level of versatility can be achieved and the probability of a common fault or a fault that causes several faults (e.g., programming bugs or electromagnetic interference) is decreased. Ordering equal or similar components from different manufacturers can also have economic benefits, as the dependence on one manufacturer can be reduced. Moreover, for an incremental and test driven development of the power electronic converters and machines, real flight verifications and validations of new (e.g., more efficient, lighter, and higher voltage) and possibly still error-prone designs are possible with low risk, if just one drivetrain group is used for the new design while reliable and tested older designs are used for the other drivetrain groups.
Besides the theoretical derivations and investigations also a circuit simulation and a demonstrator were set up and are presented with results in the following.
4.1. Circuit Simulation Model
The circuit model in Figure 11 including the parts in grey was implemented in MATLAB/Simulink/Simscape. The ground-side and kite-side current sources were controlled as described in Sections 3.2.4 and 3.2.5, implemented as MATLAB function blocks. The UPS voltage sources U# were implemented as ideal voltage sources and the UPS diodes were implemented as ideal diodes. The open and short circuits were implemented with switches (which in turn are implemented as resistances with a very high resistance in open mode and a very low resistance in closed mode).
The Simulink model was executed from MATLAB scripts. In order to automatically check a high number of fault cases (e.g., all open and all short circuit faults, one time in motor mode and one time in generator mode) against Requirements (R1)–(R4-c) without manually investigating voltage and current plots, the requirements were translated into a single Boolean condition (i.e., true or false) as follows: with bidirectional converter topologies, Requirement (R1) is obviously fulfilled and does not need further checks. Requirement (R2) is translated to where is the Boolean acceptance variable for acceptable steady-state currents, and are the absolute maximum currents in a wire and in a shield at the end of the fault and fault mitigations , and and are the absolute maximum, by design allowed, steady-state currents in a wire and in a shield. Requirement (R3) is translated to where is the Boolean acceptance variable for acceptable voltages, is the absolute maximum voltage in a positive or negative wire against the shield in the tether or against GND on ground, respectively, and is the absolute maximum, by design allowed, voltage. Requirement (R4) is translated to where is the availability of rotor drivetrain group #, which in turn is In generator mode the availability is true even if the drive is in an overvoltage state, because no brake choppers were considered in the simulation (as in Figure 11). For example, in a grid fault O7 with all drives in generator mode, generated power can only go into capacitors which increase the voltages which lead to state changes into overvoltage which stops injecting currents and further voltage increases, but the kite converters would return into the normal state as soon as they are operated in motor mode, in which ultimately the UPSs step in (cf. Sections 3.2.5 and 3.3.5). The overall acceptance finally is
Table 3 lists all relevant considered parameters.
In motor mode, the current of a kite converter was set to and in generator mode to . Moreover, to verify that the overall acceptance does not change if the currents are changed after a fault and its mitigations occurred, the currents of both drives were stepped up and down some time after the fault and then set back to their initial value.
4.2. Simulation Results
A high number of faults were checked against acceptability as defined in (5). Table 4 lists simulation results of all faults where both drivetrain groups were operated at full-rated current either in motor mode or in generator mode. As indicated by the last column of Table 4, all requirements were fulfilled with the defined acceptance criteria.
= motor mode; G = generator mode; ; at : N = normal; O = overvoltage; U = undervoltage; I = imbalanced voltages; at : N = normal; O = overvoltage; U = undervoltage; ; .
Simulations were also executed for all cases where one drivetrain group was in motor mode and the other in generator mode. Moreover, all simulations were executed with half of the rated current, instead of the full-rated current. In all cases, the result was . Additionally, Appendix B investigates some representative faults in detail.
4.3. Proof-of-Principle Demonstrator
To verify key principles of the proposed solution, a proof-of-principle demonstrator was set up, shown in Figure 14 with the equivalent circuit in Figure 15 and with key data in Table 5. It consisted of two drivetrains, which each consisted of two 12 V lead acid batteries as UPSs, current sense and electronic fuse boards in the positive wire (red), “shield wire” (black) and negative wire (blue) “of the tether,” and a rotor drive with power electronics, machine, and rotor. Therefore, the circuit in Figure 15 is similar to Figure 11 geometrically to the right of F1# and F2#, but without UPS diodes and UPS fuses F5# and F6#. The current sense and electronic fuse boards consisted of a hall-effect current sensor and two power MOSFETs, connected as bidirectional switch, with corresponding drive and power supply circuitry as well as LED indicators. The electronic fuses were controlled by a microcontroller, which was connected to a host laptop via USB for programming, data logging, and supervisory control. That microcontroller communicated with the rotor drives via CAN bus. Open and short circuits were tested by disconnecting cables or by shorting two potentials on the fault injection board. For the sake of safety, all batteries could be disconnected with relays controlled by the emergency stop/main switch, supplied by a laboratory power supply. The same control state machine for the rotor drive converters was implemented as in the simulation and as described in Section 3.2.5 with one exception: The voltage-imbalance was not measured and therefore a drive never went into an imbalance state. However, this is a negligible limitation because for the demonstrator it is not expected that a fault causes a rotor drive converter to go into an imbalance state (cf. Table 4). The time interval of the current measurements and fuse state machines was 0.2 ms. The rotor drive converters execute all controls with 15 kHz control cycle frequency and 30 kHz PWM frequency. The rotor drives sent their measurements and states over the CAN bus in 1 ms time intervals. The central microcontroller collected all data in ring buffers. The occurrence of a fault (i.e., a state change of a fuse or of a drive converter) was used as trigger. After the fault occurrence, all ring buffer contents (before and after trigger) were sent via USB to the host computer (in non-real time).
4.4. Experimental Results
The open circuit faults O2–O4 and the short circuit faults S2–S13 and both drivetrains in motor mode (propeller mode) with about half of the rated current (instead of the full-rated current for the sake of safety) were tested with the demonstrator. Table 6 reports the results. It should be noted that Table 6 has less columns than Table 4 because the demonstrator had no ground converters. Moreover, the tether voltages were not measured, which is why could not be measured and instead was always considered as .
at : N = normal, O = overvoltage, U = undervoltage, and I = imbalanced voltages; ; . available (n.a.), because no trigger event, that is, no detected fault. As both rotors continued to spin, all acceptance criteria were considered as fulfilled.
Obviously, at most one drivetrain becomes unavailable and all fault results are acceptable. The experimentally tested results are identical to the simulation results (cf. Table 6 with Table 4). As indicated by the last column of Table 6, all requirements were fulfilled with the defined acceptance criteria.
Before experimental testing, also simulations with the values of the demonstrator for all faults, with or without grid-side converter, for both modes, motor and generator, and also with the full-rated current, were executed. In all cases the result was . Additionally, Appendix C investigates some representative measured faults in detail.
5.1. Assessment of the Proposed Solution and Obtained Results
Generally, the solution approach can be seen as simple and, in view of Figure 10 with the relatively high optimal number of electrical cables in the tether, maybe somewhat obvious. That simplicity can be assessed as an advantage or even as ideal (“KISS” principle: keep it simple and stupid). Only the analysis of the faults, particularly the short circuit faults between two drivetrains, and the relative fuse ratings and thresholds for the converters’ shut-off control can be tedious. Indeed, finding the theoretical derivation of the relative fuse ratings and the general control approach described in Section 3.2 was supported strongly by the simulations described in Section 4.1. Moreover, the choice of the exact thresholds can be tedious. Initially shorter fuse times and shut-off threshold times were chosen for the demonstrator, which worked well in simulations but did not work in experiments. Therefore, was increased from the initial value of 1 ms to 2 ms (cf. Table 5), although also this value seems to be at the verge of achieving the acceptance criteria by viewing the relatively slow settling times of the currents of the demonstrator (cf. Appendix C). The main reasons for the discrepancy of the simulated and the measured values are the poor estimations or disregard of the parasitics. Therefore, in an implementation for a real drag power kite plant, better models and measurements of the parasitics are beneficial, and particularly experimental verifications and validations of the choice of the thresholds are necessary.
A further advantage of the proposed solution is that fuses and the control of the kite and ground station converters are independent; that is, no communication or a central microcontroller is required which themselves can be faulty (for the demonstrator a central microcontroller and communications were used only for the sake of simplicity for the proof-of-principle and for simple data acquisition). Only to schedule a landing after a fault, a communication to the flight controller is required. However, the same communication busses that are needed anyways to control the kite, namely, the communication with the rotor drive power electronics onboard the kite, can be used for this task.
A grain of salt is the relatively high absolute maximum voltage in a wire which requires a relatively thick insulation. However, this is independent of the fault mitigation concept. Moreover, exceeds twice the rated voltage only in the short circuit faults S21-S22 and, by investigating the actual voltages, only for a very short time, until the capacitors are discharged during the shorts. If parasitic capacitances would be considered, the overvoltage could be smaller. Additionally, S21-S22 are faults which can be made very unlikely or even close to impossible with a reasonable ground station design and routing of the electrical cables. Therefore, in a real implementation, could be reducible.
The proposed solution was verified successfully by simulations and measurements. A grain of salt of the experimental verification is that a demonstrator with only low voltage, low power, two drivetrains, and no real tether and kite was set up, which is why the verification was denoted only as proof-of-principle. However, this enabled low-cost, fast, and simple experimental verifications of key parts of the proposed solution. Because additionally a high number of faults and all combinations of motor mode and generator mode were verified by simulations also for the high-voltage cases, the effectiveness of the proposed solution can also be expected by a real kite power plant, maybe only with small refinements and more detailed analyses for the selection of the exact fuse ratings and control thresholds.
5.2. Fault-Tolerant Onboard Low-Voltage Bus?
Besides the rotors, also the sensors, control electronics, control surfaces, and communication systems need power from a low-voltage source. That power is much smaller than the rated power of a single rotor drivetrain. Therefore, the use of low-voltage busses onboard the kite supplied by DC-DC power electronic converters seems most practical. For a high fault tolerance without single point of failure through redundancies, there should be at least two low-voltage busses. Each rotor drivetrain group could contain a DC-DC converter to supply its drive control electronics and to supply a low-voltage bus, which might be isolated from the other rotor drivetrain group’s low-voltage busses. Moreover, separate DC-DC converters just to supply a low-voltage bus can be used.
To reduce or even eliminate the probability that a high voltage of a drivetrain is shorted to the low-voltage bus with the possible consequence that all connected loads are destroyed, a number of mitigations can be sketched: (i) isolated DC-DC converters should be used, most practically through a medium-frequency transformer. Note, however, a transformer and thus isolation are likely required anyways, because the high-voltage-to-low-voltage ratio is rather high. With good manufacturing and considerable safety factors, a high-voltage to low-voltage bus short circuit fault is already unlikely. (ii) If each DC-DC converter consists of two consecutive isolated stages (i.e., conversion from high-voltage to medium-voltage to low-voltage) and if the windings of the transformers of both stages are insulated for the high voltage and with an appropriate routing, then a short circuit fault down to the low-voltage bus can become close to impossible. Note that such a multistage approach might also be beneficial or even necessary, because of the rather high ratio of the voltages. (iii) Fuses and other circuit protection components such as gas discharge tubes can be used to protect all onboard loads from a high voltage. (iv) If each rotor drivetrain group has a DC-DC converter (possibly with several stages) and each DC-DC converter supplies only a small number of loads (e.g., a small number of control surfaces), which, in a fault case, are not necessary for a safe landing, then there is also no single point of failure. Additionally, with optical communication busses, the “isolated drivetrain groups” can stay fully isolated on every voltage-level and power-level. Finally, also a combination of these approaches is possible. Moreover, (relatively small) onboard batteries just for the low-voltage onboard loads (not for the rotors) can help to increase the fault tolerance or achieve a system without single point of failure.
5.3. Kite without Any Single Point of Failure?
In this study, a power electronic system (or powertrain) design approach of a drag power kite without single point of failure is proposed. Although the rotors (“power plant” in avionics terminology) are very important for the system, also other parts must function in order to enable a safe landing at any time. Therefore, it is worth investigating if other parts can also be designed such that a drag power kite plant design can be obtained without any single point of failure and thus with a high fault tolerance and only with a negligibly low remaining risk of a crash. For that, the following approaches can be sketched: (i) the tether core and the mechanical tether core connections on the ground and at the kite could be redundant. For example, two core ropes could be used, where one alone could also hold the kite (with a safety factor ). As a rope consists of a high number of strands, a tether core redundancy might be also achievable with a single rope with a reasonable safety factor and redundant tether connections on the ground and at the kite. (ii) To limit the load in the tether and in the airframe, active or/and passive strategies should be utilized: for example, strain gauges on the kite measure the load and when a threshold is exceeded the lift coefficient is reduced (e.g., all flaps are retracted or the angle of attack is reduced). The airframe could also be designed to deform at a certain load threshold, such that the lift coefficient is reduced (e.g., by stalling or angle of attack reduction) and the load is always limited passively. (iii) To cover sensor failures, each important value for the flight control should be sensed redundantly either through redundant sensors or through an observer approach. (iv) The control computers, control software, and the communication system should be redundant, for example, similar to Boeing’s and Airbus’s redundant fly-by-wire design (cf., e.g., [20, 21]). (v) Besides the redundant rotors, also the other actuators should be redundant, both on the ground station and onboard the kite. For example, the control surfaces for flaperons, rudders, and elevators should be redundant. (vi) To ensure integrity of the airframe without single point of failure, redundancies should also be used, for example, redundant screws. (vii) To prevent, extinguish, and/or isolate a fire, for example, in a power electronics component, appropriate measures should be taken. In the ground station, a fire should be extinguishable with conventional measures as there are no weight or volume restrictions. Onboard the kite, fire isolation might be an option with appropriate fire-proof walls, such that a fire does not spread. With a fire extinguishing system with low weight and volume, for example, based on CO2, it might be also possible to extinguish fires onboard the kite. Another possibility might be to keep the inside of the kite free of oxygen and instead filled with an inert gas such as nitrogen. Concluding, it seems possible to design and build a drag power kite plant, without any single point of failure; that is, any fault in any component does not lead to a system failure (a crash).
5.4. Extreme Cases: Tether Tear, Lightning Strike, Midair Collision, and Sabotage/Terrorist Attack?
A system without single point of failure might be not tolerant against extreme cases or might still have a too high (or hard to quantify) remaining risk, particularly in an early development stage. Therefore, it is also interesting to further mitigate the probability of a crash: (i) A (ballistic) parachute could also be installed onboard the kite. A drawback is the additional weight of the parachute (and additional development and verification) and particularly that the possibly several tons’ heavy kite lands uncontrolled and still with a not negligible speed on the ground (for reasonable parachute sizes about three meters per second). The kite cannot be relaunched automatically. Instead, a team of technicians, possibly a crane and repairs, are required before the kite can operate again. Therefore, in a kite power plant product, a parachute can only be considered as last resort to avoid the worst. However, a parachute can also prevent a crash in case of a tether tear, if parts of the airframe tear or if several systems fail simultaneously, caused, for example, by a lightning strike or sabotage/terrorist attack (e.g., hacker attack). Therefore, the parachute electronics might also be supplied by an emergency battery and be independent of the other system parts. (ii) In case of a tether tear, one could also think about a horizontal landing, similar to a usual airplane. However, several measures are required for that: the kite needs (small) onboard batteries to supply the control electronics and the control surface actuators (note again that batteries to supply the rotors for a multicopter-like landing are not an option, because batteries would likely be way too heavy, as mentioned in Section 1), landing gears are required, a landing strip is required, and the control system has to be extended to land the kite in this way autonomously. Therefore, a horizontal emergency landing approach might be evaluated as a too large effort. (iii) To prevent lightning strikes, a landing at the right time seems most practical. To determine “the right time,” not only weather forecasts should be used but particularly the atmospheric electric field should be measured on the kite and/or at several points close to the kite power plant installation site, for example, with field mills on the ground similar to NASA’s rocket launch pads . As soon as a threshold of the atmospheric electric field is exceeded, a landing is scheduled. The ground station then only needs usual lightning arresters as used for buildings. (iv) It might be also possible to design the system to withstand a lightning strike. The lightning current is either conducted to earth via a conductive tether core (e.g., future carbon nanotubes, whereby the core might need a surrounding high-voltage insulation layer, which could however also serve as strain-relief layer as considered in ) or via the positive and negative cables, if the power electronics on ground and on the kite are protected accordingly, if the wire area is large enough and if the insulation can withstand the lightning voltage. With a DC transmission in the tether, a lightning voltage protection, for example, based on gas discharge tubes could be used as a possibility of protecting the power electronics. With an AC transmission in the tether as in Figure 3, the transformers could already protect the power electronics from the lightning voltage. In fact, in the corresponding patent “[m]aterials may be selected to allow for a lightning-hardened […] design” is mentioned . (v) To prevent a midair collision of the kite with an airplane, the ground station must be placed far enough away from airports. Moreover, the operation volume of a kite should be a no-fly zone. This is similar to conventional wind turbines or to nuclear power plants. Note that it is meaningful that the tether is relatively short to limit the tether’s drag. Therefore, the flight altitude of a power generating kite is likely below 1000 m (cf., e.g., [19, 23] and references therein). Therefore, the no-fly zone would not be unreasonably large. To further reduce the risk of a midair collision, a radar could be used to schedule a landing or low-altitude hovering, if an airplane comes too close. Additionally, the kite or the ground station could emit a warning signal or could operate a traffic collision avoidance system (TCAS).
5.5. Further Applications of the Proposed Solution
The proposed solution of “isolated drivetrain groups” could also be used in other airborne wind energy concepts like aerostats (cf., e.g., [2, Chap. 13]), lift power kites with multicopter launch and landing (cf., e.g., ), undersea kites with rotors, or even general electric aircraft and electric vehicles.
If no permanent power exchange with the ground is required or considered, an isolated drivetrain group would be just onboard; that is, referring to Figure 12, the “tether” and (in part) the “ground station” are just electrical cabling and components onboard the vehicle. There may be no grid connection and possibly no “power electronic converter(s) ground (C)” and/or possibly no “power electronic converter(s) ground (B)” and/or no paralleling of the power flow left to the UPSs, similar to Figure 15. However, some of those previously mentioned converters and the paralleling of the power flow (parallel connection left to the UPSs) onboard the vehicle may be used, as it may be useful to balance the energies of the individual energy storages of the UPSs. Moreover, “power electronic converter(s) ground (C)” and the grid connection may be existent temporarily in part in a ground unit to recharge the energy storages of the UPSs.
6. Conclusions, Recommendations, and Outlook
An approach to a fault-tolerant power electronic system (or powertrain) design for a drag power kite is presented. The key idea originated from the tether cross section design, in which a high number of electrical cables are optimal for a small diameter. Instead of connecting all positive (negative) cables in parallel on the kite and on the ground, they are left isolated (at least in part) and connect to only one drivetrain group consisting, for example, of a single onboard drivetrain or consisting of the onboard drivetrains of two point-symmetric rotors. On the ground, the cables of one drivetrain group are connected to a UPS before the power flow is paralleled. A fuse system and a shut-off control of the power electronic converters were derived, but in detail a number of power electronic topologies for the converters and either DC or AC transmission in the tether is possible. With the generalization also a number of variants for subsystems are sketched. The effectiveness of the approach is confirmed by simulations and experiments. An assessment of the proposed solution and obtained results is discussed. Moreover, further measures to design a complete kite power plant without any single point of failure, further fault tolerance enhancements, and further applications of the proposed solution are discussed.
To implement the proposed fault-tolerant power electronic system design approach for a real drag power kite plant, the following recommendations can be made: A similar circuit simulation model, as presented, with an equivalent circuit of the chosen topology and tether transmission type (DC or AC) and with parasitics (measured or estimated) should be set up and all thinkable faults (at least all representative ones) at different locations (e.g., very close to the ground, middle of tether, and very close to the kite) in different variants of motor and generator mode (set currents for drivetrains (a) and (b), e.g., , , , , and ) should be simulated. As a high number of cases must be investigated, the simulation executions and checks against requirements should be automatized as presented in this study. If a case results in unacceptable states, it should be investigated in detail by viewing the voltages, currents, and states of fuses and controls, and the fuse ratings, control ratings, and/or component design ratings should be altered accordingly. When all simulations fulfill all requirements, all fault cases should also be verified experimentally. Also here an automatization (at least partly) is beneficial due to the high number of possible faults. Moreover automatized experimental tests can serve to verify a plant either in an end-of-production-line-test or before first operation on site. Additionally, a full failure modes and effects analysis (FMEA) should be performed as for a usual product development.
In future works, the proposed fault tolerance concept is implemented in a real drag power kite demonstrator and the fault tolerance is verified in both, hardware-in-the-loop simulations and crosswind flight.
A. Tether Dimensions
In the following, the employed tether model and the tether dimensions used in the main part are derived. The here presented model is different from  in the following points: Shields and jackets for the electrical cables are considered, first principle models for the electrical resistance and dielectric strength instead of empirical models from data of a cable manufacturer are considered, and more efficient materials are considered. The goal is to find an algorithm in the form
A.1. Rated Power and Rated Tether Force
Rated power and rated tether force of a drag power kite can be related bywhere is the rated wind speed in the kite’s rated altitude at which is achieved and is the rated elevation angle (cf., e.g., ).
A.2. Mechanical Strength
As the mechanical load carrier takes the complete tether force, its cross section area must be where is the tether load safety factor (on yield) and is the yield strength. As the mechanical load carrier is round, its diameter is determined by
A.3. Resistance/Litz Wire Diameter
For the sake of symmetry and simplicity, identical electrical cables and the same amount of positive and negative electrical cables are considered.
The resistance of one litz wire is given bywhere is the tether length, is the litz wire’s cross section area, is the specific conductivity of the material, and is a correction factor which accounts, for example, for the usual construction of a litz wire from a number of strands with which not the complete area might be filled with the conducting material (i.e., the fill factor is ≤1), increased temperature, manufacturing inaccuracies, material defects, the helical placement through which the length of the electrical cables is longer than the length of the tether, and onboard and on-ground cabling.
As only round wires are considered, a litz wire’s cross section area iswith litz wire diameter .
As positive cables are connected in parallel and negative cables are connected in parallel and, in the circuit, all paralleled positive and all paralleled negative cables are connected in series, the total electrical tether resistance is as follows:
Note that this equation is also valid for the overall power flow in “isolated drivetrains” or “isolated drivetrain groups”; i.e., might not be a “real” resistance but an equivalent resistance.
A.4. Tether Transmission Efficiency
The rated electrical power injected into the tether on the kite can be formulated bywith rated efficiency of rotors, machines, and kite power electronic converters . The rated power losses in the tether are given bywith rated (effective) tether current which can be further specified bywith rated (effective) transmission voltage . It should be noted that (A.11) considers that the ground station power electronics control the tether voltage at the kite instead of on the ground to the rated voltage (which is possible by controlling the voltage on the ground to the rated voltage with the offset of the voltage drop with measured current on ground and known/estimated tether resistance ), or it assumes a negligible voltage drop over the tether. The rated tether transmission efficiency is obviously
A.5. Dielectric Strength (Insulation Capability)/Insulation Width
As an electrical cable consists of an electrical conductor in the center and a grounded coaxial shield, the electric field is as in a coaxial cable, for which the electric field strength to be tolerated by the insulation material is (cf., e.g., )where is the rated insulation voltage between wire and ground, is the wire diameter, is the insulation layer’s width, and is a safety factor which accounts, for example, for increased temperature, manufacturing inaccuracies, and material defects. The rated tether transmission voltage and the rated tether insulation voltage are related bywhere the division by two accounts for the centering of the transmission voltage “around ground” and is a correction factor which accounts, for example, for the voltage drop over the tether, voltage spikes induced, for example, by the power electronics and parasitic inductances, and for the -times voltage difference between peak and effective voltage in case of an AC transmission.
A.6. Shield and Jackets Widths
The shield, electrical cable jacket, and tether jacket widths, , , and , can be small and are based, for example, on empiric data or experience.
A.7. Total Diameter
With the introduced diameters and widths, and in view of Figure 8, the tether diameter is given bywith electrical cable diameter
A.8. Total Mass
The mass of the tether component (core, litz wires, insulator, etc.) is given bywhere is the material density andis the volume with cross section area and correction factor which accounts for the helical placement of the electrical cables around the core. As each component generally is an annulus in the 2D cross section (possibly with zero inner radius in the case of a circle), the cross section area of any component is given bywith outer radius and inner radius . The total tether mass is then given by
A.9. Feasibility of Number of Electrical Cables
As in the considered design all electrical cables are placed in one layer around the core; the feasibility of a certain number of electrical cables can be derived as follows: The angle between two electrical cables isIn view of Figure 16, by employing the law of sines, one findswhere is the distance between the center of two neighboring electrical cables. For a feasible number of electrical cablesmust hold.
To solve (A.1), the tether model equations are rearranged and the following algorithm was implemented and executed by a MATLAB script:(1)Estimate/select/choose fixed values:(i)Kite power plant parameters: , , , , , , and (ii)Tether parameters: , , , , , , , , (the number of electrical cables in the tether is optional here, if it is maximized in Step ),, , , , , , , , and .(2)Compute with (A.2)–(A.4).(3)Compute and with (A.9) and (A.11).(4)Compute with (A.12) converted into (5)Compute with (A.10) converted into(6)If no is specified in Step , set .(7)Compute and its feasibility, and possibly maximize for the given :(7.1)Compute with (A.8) converted into(7.2)Compute with (A.6) converted into(7.3)Compute with (A.7).(7.4)Compute with (A.14) inserted into (A.13) and converted into(7.5)Compute with (A.16).(7.6)Compute with (A.21).(7.7)Compute with (A.22) converted into(7.8)Check if is feasible with condition (A.23).(7.9)If no was specified in Step , and if the maximum , in which condition (A.23) is just fulfilled, is not yet obtained, increase (e.g., by two or the number of isolated drivetrain groups) and continue at Step (8)Compute with (A.15).(9)Compute radii, cross section areas, volumes, masses, and total tether mass with (A.17)–(A.20).
Note that the algorithm consists only of a sequence of explicit analytical equations, if the optimization in Step is not used, and even if otherwise, the maximization is executed very fast.
A.11. Considered Ratings and Material Constants
Table 7 summarizes the considered ratings and material constants.
B. Detailed Investigation of Simulations of Some Representative Faults
B.1. Short Circuit Fault S2 in Motor Mode
The short circuit fault S2 can be estimated to have a high probability among the short circuit faults. Moreover, important ideas of the proposed concept become clear, by a detailed investigation. Therefore, Figure 17(a) visualizes the short circuit fault S2 and the short circuit currents, which are driven by the positive UPS of drivetrain (a). As the red colored current path leads through fuse F3a, it opens and stops the short circuit current. As visualized in Figure 17(b), the positive wire and a shield of drivetrain (a) are then connected while there is an open circuit in fuse F3a. In motor mode, the voltage at the drive therefore decreases to the voltage of the negative ground converter (or UPS) which is half of the rated voltage. As the kite converter has an undervoltage turn-off threshold at 70% of the rated voltage (cf. Table 3), it turns off after the turn-off threshold time is exceeded. Moreover, as the positive wire has the same potential as the shield, the voltages at the kite converter are unbalanced, which is why it also goes into an unbalance state. Concluding, the result from Table 4 can be understood from that theoretical investigation.
Figure 18 reports the simulation results. The fault occurs at . The currents in the positive wire of drivetrain (a) are high and driven by the positive UPS voltage source of drivetrain (a). At , fuse F3a opens as expected and stops the short circuit current. The voltage at the kite converter drops below half of the voltage. The undervoltage and the voltage-imbalance thresholds are exceeded which is why the kite converter goes into the undervoltage triggered and imbalance-voltage triggered states. The drive still works in motor mode, supplied by the negative ground converter. At , the undervoltage time threshold is exceeded and the converter is turned off. At also the imbalance time threshold is exceeded, though the converter was already turned off. At , the set currents of both drives are stepped up and down a few times, but no further faults occur. Ultimately, drivetrain (a) becomes unavailable in motor mode but drivetrain (b) is still available in both modes. Obviously, all acceptance criteria are fulfilled.
B.2. Short Circuit Fault S2 in Generator Mode
Investigating short circuit fault S2 for the case where both drivetrains are in generator mode also helps to make important concepts of the proposed approach clear: Figure 19 reports the simulation results. The most important difference to Figure 18 is that the voltage at the kite converter of drivetrain (a) does not drop as much, after the fuse opens at . With the considered parameters, it is below the 70% rated voltage threshold such that the kite converter goes into the undervoltage triggered state. However, with other parasitic resistances, another rated current, or other thresholds, this might be not the case, but as also the imbalance threshold is exceeded the converter will be shut off soon or later. In Figure 19, it is already shut off at with the undervoltage state. If no undervoltage had been triggered, it would have been shut off at , where also the imbalance time threshold is exceeded. Again, ultimately, drivetrain (a) becomes unavailable, but drivetrain (b) is still available in both modes, and all acceptance criteria are fulfilled.
B.3. Short Circuit Fault S7 in Motor Mode
The previously investigated fault S2 affects virtually only one drivetrain (though the short circuit current also does flow through the other drivetrains’ shields which has effects on the tether voltages and currents; cf. Figures 18 and 19). However, an important feature of the proposed fault tolerance concept is that only one drivetrain becomes unavailable, even if there is a short between two drivetrains. Figure 20(a) draws the short circuit current during fault S7, which is driven by the positive UPS of drivetrain (a) and the negative UPS of drivetrain (b). The current path leads through fuses F3a and F4b, but fuse F3# opens faster than fuse F4#. Therefore, the short circuit current is stopped when F3a opens. As visualized in Figure 20(b), the positive wire of drivetrain (a) and negative wire of drivetrain (b) are then connected, while there is an open circuit in fuse F3a. If drivetrain (a) is in motor mode, its voltage therefore decreases until it is shut off.