A Methodology of Sensor Fault-Tolerant Control on a Hierarchical Control for Hybrid Microgrids

This study develops a new Sensor Fault-Tolerant methodology for two-level Centralized Hierarchical Control of isolated microgrids based on a modified Kalman filter algorithm. The main objective is to increase the reliability and safety margins of isolated smart microgrids in the presence of different sensor faults on the secondary control. Consequently, Sensor Fault-Tolerant control reduces the costs because costly redundant hardware is not required. Because of its low computing effort, speed, ease of implementation, and tuning, this method can be used in more complex control configurations, multiple sensor faults, and different hierarchical control levels. The designed Sensor Fault-Tolerant Hierarchical Control System was initially proposed for a grid-forming topology of single-phase BESSs systems connected in cascade to the microgrid. The implemented fault tolerance methodology can maintain control objectives with sensor faults. Consequently, the MG’s voltage at the time of the fault does not exceed 5%, and the voltage unbalance at the common coupling point or on the critical bus is compensated to a quality reference value of less than 2%. The performance of the proposed algorithm is tested using the MATLAB/Simulink simulation platform.


I. INTRODUCTION
In recent times, microgrids (MGs) have earned the interest of society, the scientific community, and companies, not only for integrating distributed generation into the main grid in a reliable and clean (emission-reducing) manner but also for their reliability, ability to operate in the presence of natural phenomena, supply of active distribution grids, lower energy losses in transmission and distribution (T&D), and shorter implementation and investment times [1], [2], [3], [4], [5].
When faults occur in the sensing system, they propagate through feedback into the closed-loop control systems, causing them to malfunction. Therefore, due to the closed-loop feedback relationship, identifying sensing system faults and designing fault management strategies takes much work. The presence of redundancy increases system reliability, but at the same time, it introduces additional costs and challenges for diagnosing and handling faults [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Ravindra Singh.
In recent years, the scientific community has sought to motivate research not only in aspects such as fault detection and isolation but also to improve the design of control strategies in the presence of faults in electric distribution grids, energy generation units, and MGs [2], [7], [8], [9], [10], [11], [12]. Different research studies address the problem of fault detection in microgrids (MGs) and Fault Tolerant Control (FTC) [13], [14], [15]. However, the focus of the FTC on MG sensor faults is minimal, especially in the hierarchical control of MGs [9]. Even high-impact journals, such as the "International Journal of Robust and Nonlinear Control" [16], have addressed the subject with particular issues in the fault-tolerant control of Smart Electric Grids and MGs.
Some authors have considered fault-tolerant strategies as the primary mechanism for providing resilience and reliability to MGs [10], [11], [12], [17], [18], [19], [20], [21], [22], [23]. Publications such as [24] address the detection and fault diagnosis problem through a solution based on using multiple the authors propose to use the estimated attacks to compensate for the corrupted data in the local controller. On the contrary, other authors use logic to design this fault-tolerant strategy [27]. In this case, two fault-tolerant schemes are designed using Fuzzy Logic and model predictive control. The schemes shown in the research focus on the fault effects of energy losses in Photovoltaic (PV) systems in the presence of uncertainty and disturbances in the MG [27].
The upper levels of the MG hierarchical control system are not exempt from the occurrence of faults either. Research studies such as [30] seek to establish fault-tolerant energy management methods in MGs. The management policy proposed in [30] guarantees the fulfillment of the demands at each sampling instant, even in the presence of faults. To achieve this, the authors propose a control law derived from the solution of an optimization problem that combines the formalism of a Moving Horizon Estimation (MHE) scheme and a Model Predictive Control (MPC). The latter is based on a time-varying linear model of the process programmed concerning the fault estimation generated by the MHE.
The diagnosis of transient and intermittent faults in sophisticated electrical systems is complicated. Because the performance of electronic equipment decreases with time, fault diagnostic findings may change at various periods for the same defect symptoms. Reference [31] proposes a dynamic Bayesian network (DBN)-based fault diagnostic approach for electronic systems in the presence of transient faults (TF) and intermittent faults (IF). The fault diagnosis approach can find problematic components and discriminate between different types of faults.
This research mainly focuses on the problem of detection and fault tolerance of two-level (primary/secondary) centralized hierarchical control systems. The authors seek to operate the DG of isolated MGs in the presence of fault events produced by a line voltage sensor of the secondary controller going partially or totally offline. The proposed method is focused on reducing the effect of this type of failure due to malicious and non-malicious causes, thus avoiding a sudden change in the problem and the designed control law. In addition, this avoids instabilities or the outage of the distributed generation sources of the MG that operate in isolated mode.
Based on the above, it is necessary to develop fault-tolerant strategies that increase the reliability/safety margins of isolated HMGs (hospital MGs and military MGs). The present study proposes a new sensor fault-tolerant method to design centralized secondary hierarchical controllers. This method can contribute to mitigation actions in the event of loss in the secondary control feedback, thus avoiding unstable or dangerous operating regions while regulating voltage profile and compensating voltage unbalance (VU) due to unbalanced loads. In other words, this method can maintain the operating point within the performance region required by the MG.
The precision and effectiveness of the proposed approach were verified using different fault sensitivities for the unbalance low voltage (LV) section of a typical model of an AC/DC HMG isolate [32]. However, it can be emphasized that the method proposed in this research can be applied in any MG scheme or control level. The more significant impact of the proposal would be on the side of the final user or consumer, giving them a considerable increase in quality (control of reactive power and voltage, consideration of critical subsystems / CCP / loads).
This paper is organized as follows: Sections II and III describe the estimation of online parameters and the representation of the fault models, such as sensibilities. Section IV shows the description of the study problem. Section V shows the details of the Fault-tolerant system, and subsections V-A, V-B, and V-C are devoted to Sensor Fault Detection Architecture, Sensor Fault Tolerant Control: Reconfigurable estimator, and Sensor Fault Tolerant Control: Post failure control recovery system, respectively. Section VI analyses the fault tolerant control system for the fault scenarios. Finally, the conclusions are found in section VII.
VOLUME 11, 2023 58079 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

II. ONLINE ESTIMATION OF MODEL PARAMETERS
Research results have been reported in recent years regarding parameter estimation techniques for the design of fault tolerant control for MGs [21], [24], [33], [34]. For example, an online estimation approach based on the SMO technique was adopted in [21] as a robust approach capable of detecting and reconstructing sensor faults that can occur at the output of the measurement system. Another approach was presented in [24], where authors provide a solution using multiple Linear Parameter Varying (LPV) extended-state observers in conjunction with a simple search algorithm. The proposed Fault Detection and Diagnosis system (FDS) estimates faults using the proposed LPV observers derived from the computational calculation of Linear Matrix Inequalities (LMIs) for minimizing the mixed H2 / H∞ norm.
An FTC scheme based on an SMO for an MG was presented in [34]. The scheme consisted of a central FTC used at the outputs of the MG to estimate all the states. The effect of the estimated fault is used for the rejection in the fault signal of the MG. A voltage control scheme is used in [33] for the FTC design, which employs the state estimation method based on a large-signal dynamic model of the MG and a linear parameter varying (LPV) state estimator of each DG.

A. KALMAN FILTER
The Kalman filter (KF) is an optimal estimator for what is called the linear quadratic problem. The KF is a statistical characterization of an estimation problem [35], [36]. The linear quadratic problem is that of estimating the instantaneous "state" of a linear dynamic system subjected to a white noise disturbance through measurements linearly related to the state and corrupted by the noise.
The first thing that should be known for controlling a feedback system is its state. The KF is implemented in electronic devices such as computers, PLCs, and smart cards. Considering that it is not always possible to measure all the variables to be controlled, the KF provides a means for estimating the information from measurements that are indirect and contaminated by noise [36]. This code uses a finite representation of the estimation problem based on a finite number of variables with infinite precision [37].
In practice, the KF is much more than an optimal estimator. It propagates all the probability distribution of the variables for estimating the states, i.e., it is a complete characterization of the current state of the system, with the influence of all past measurements, which makes it the preferred method for the predictive design of sensor systems [35], [36], [37].
Observational Update Problem: let us assume that a measurement has been taken at the time ($t_k$) and that this information will be used for updating the estimate of state $x$ of a stochastic system at time $t_k$. It is assumed that the measured variable is linearly related to the state through the following equation [36]: (1) where: $H$ is the measurement sensitivity matrix; $v_k$ is the measurement noise.
Estimator in Linear Form: The optimal linear estimation is equivalent to the general optimal estimator (nonlinear) if the variables $x$ and $z$ are Gaussian. Then, through the observation of $z_k(-)$, which is a linear function of the a priori estimation and measurement $z$, it is possible to find an updated estimate ($\hat{x}_k(+)$) [36]: where: $\hat{x}_k(-)$ is the a priori estimate of $x_k$; $\hat{x}_k(+)$ is the a posteriori value of the estimation.
Optimization Problem: for now, matrices $K_k^1$ and $K_k$ are unknown. Therefore, the idea is to search for the values of $K_k^1$ and $K_k$ such that the estimation $\hat{x}_k(+)$ satisfies the orthogonality principle [36]: where: $i$ is 1, 2, 3, ..., $k-1$.
Considering the noise ($w_k \sim N(0, Q_k)$ and $v_k \sim N(0, R_k)$) and carrying out the corresponding substitutions and mathematical reductions to the equation, the following relation can be obtained: where: the equation must be satisfied for any value of I is the identity matrix. The selection of $K_k^1$ causes equation (2) to satisfy a part of the condition given by equation (3). Therefore, the selection of $K_k$ should satisfy equation (4). The rest of the demonstration can be found in [36].
If the state-space model and the noise covariance matrices are all time-invariant, a steady-state KF can be implemented. Otherwise, a time-varying KF is implemented. Hereunder, the main equations of the KF for discrete (6)-(10) or continuous (11)-(15) estimation problems are summarized [36], [37]: where: $u$ are known inputs; $L_k$ is the gain calculated through the discrete Riccati equation; $A_k$, $B_k$, $C_k$, $D_k$ are the space matrices of the discrete states; $\hat{x}_k$ is the estimation of the system state vector; $\hat{y}_k$ is the estimation of the actual plant output; $R_k$ is the measurement noise covariance matrix; $P_k$ is the state estimation error covariance.
where: $Q(t)$, $R(t)$ and $N(t)$ are the noise covariance matrices.
It should be emphasized that other representations of the KF, such as the Extended Kalman Filter (EKF) and the Unscented Kalman Filter (UKF), which can be combined with the Particle Filter (PF), can be found in the literature [38]. However, a more robust control and fault tolerance method will involve a higher computational cost and a slower response.

III. SENSOR MALFUNCTION
A measurement system consists of sensors, which are mostly power transformers (PTs), Hall effect sensors for measuring voltages, and current transformers (CTs) for measuring currents; an interface that handles the instrumentation (DAQ); and a transmission medium up to the digital modules of controller inputs. The faults and errors in this system are typically measured as a function of the error in magnitude, the error in phase, and the partial or total loss of the signal that can appear in any of the chain elements [18]. These voltage and current measurement errors at the PCC or critical bus (in the case of the SC) can be a potential source of a sensor fault.
In addition, faults in the sensor systems can occur in one or various blocks and at different control levels (Fig. 1). Most of these faults interrupt normal operations of an MG, both in the isolated mode and connected to the main grid. The faults compromise the stability in the MG, causing the DG sources to go out of operation or even a blackout of the whole MG. Since the MG operates in the mode connected to the network, or even worse, in the isolated mode, those affected are the end users, such as critical facilities (hospitals, military bases, isolated communities, among others) or other subsystems installed throughout the network.

A. NON-MALICIOUS FAULTS
This section describes the non-malicious fault modes of voltage sensing proposed as sensitivity for this study [39]. An additive sensor fault can be generally modeled as follows [39]: where: $y_s(t)$ is the value of the controlled variable produced by the sensor at time $t$; $y(t)$ is the current actual value of the controlled variable at time $t$; $f_s(t)$ is the sensor fault value at time $t$.

1) PARTIAL OUTPUT (PO)
The sensor shows a measurement that contains a certain offset level denoted by equation (17). where: $\nu_s(t)$ is the voltage (pu) variable delivered by the sensor at time $t$; $\nu(t)$ is the current actual value of voltage; $f_{offset}(t)$ is the error offset value at time $t$.

2) FIXED OUTPUT (FO)
The sensor is at a state in which it only shows one or two states. The following equation represents the fixed fault: where:

3) FAULT OF SENSOR WITHOUT OUTPUT (WO)
There is no signal at the output of the sensor, and its mathematical model can be represented according to the following equation:
The feedback signal ($\nu_s(t)$) used by the different hierarchical control levels, especially the remote ones (secondary, tertiary), is highly vulnerable to cyberattacks, also known as data integrity faults [21], [40]. The $\nu_{sen}(t)$ measurement manipulated through these malicious attacks is sent from the primary levels up to higher hierarchy levels with the main effect of providing erroneous information to the control system. In turn, this effect triggers a set of incorrect decisions that lead to unstable energy generation and power quality and even cause one or various DG sources in the MG to go out of service.
The cyber-attacks can be generally described according to the following equation [40], [41]: where: $f_{attack}(t)$ represents the sensor data manipulation for the measured output value $\nu_s(t)$, according to the type of cyber-attack.
Hereunder, some particular cases of this type of malicious fault are described:
The sensor output is affected by a ramp function added to the actual measurement:

2) SCALING ATTACK (SA)
The sensor output is changed to lower or higher values related to a scale attack parameter known as $\lambda$.

3) RANDOM ATTACK (RNA)
In this case, the actual output of the sensor system is replaced by random data within a particular interval.

C. FAULT SET OF THE SENSORS
Table 1 summarizes the real cause-effect of sensor faults [42].

IV. PROBLEM FORMULATION
The dynamic problems generated by secondary control systems regarding voltage and power regulation, in conjunction with the high nonlinearity exhibited by the MGs, have become a challenge to be handled with new secondary control strategies. In addition, the Hierarchical Control System (HCS) should be designed to manage and regulate the distributed generation sources connected in parallel and coupled to isolated MGs.
The HCS should consider the uncertainty of the existing model, linear or nonlinear load disturbances, and the abrupt decoupling of loads that cause voltage instabilities, thereby altering the power quality in the MG. The problem of resilience and fault tolerance for MGs is added. In recent years, the issue of designing fault-tolerant controllers has become a study and research topic for the scientific and academic community, mainly in relation to cyberattacks. Significant contributions have been proposed for this challenging problem based on multiple methodologies [2], [25], [27], [43]. Some existing approaches assume that the measurement or communication between the DGs is ideal or satisfies only some assumptions.
The present research seeks a fault-tolerant or resilient methodology for secondary control of an isolated MG in case of sensor or communication system faults due to malicious attacks or non-malicious phenomena. It is crucial to design a fault-tolerant control approach with features such as simplicity of design, ease of adjusting, ease of implementation, low processing load, fast real-time response, and robustness. The proposed scheme was designed to meet all the features mentioned above while guaranteeing the closed-loop stability of the DGs. It was also designed to ensure voltage restoration in the event of different sensor or communication system faults with unknown behavior.
The hierarchical control system for MGs must control variables such as voltage, current, frequency, and active and reactive power that exhibit high-speed and highly nonlinear dynamics [44] and [45]. Based on this, the implementation of the KF was selected as the primary parameter estimation strategy thanks to its low computational cost and fast response. The EKF was not chosen for this work due to the high computational cost and difficulty finding the Jacobian analytically. In addition, the EKF only gives good results if the system model is differentiable and is not optimum if the system is highly nonlinear.
The linearized model used as the process model was selected from the model bank using the method developed in [44] and [45]. In addition, the KF helps filter the information of all sensors naturally contaminated with noise, thus enabling the estimated information to be closer to the actual value of the controlled variable for the SC. Fig.2 shows the proposed general methodology, establishing guidelines for designing and developing Sensor Fault Tolerant Control (SFTC) strategies.
This methodology seeks to show a clear and straightforward path to design a research scheme at other hierarchical control levels for MGs or even in practical implementation topics. For the proposed methodology, it is necessary to have a good identified model available, measure the variables related to electric power (voltage, current, frequency, among others); synthesize the secondary control laws; and implement online observers with low computational cost.

V. SENSOR FAULT TOLERANT CONTROL DESIGN
The methodology proposed for SFTC design on the second level of a centralized control hierarchy for MGs (Fig.3) uses a robust approach for reconstructing the secondary control feedback. The effect of the signals that cause the malfunction of the measuring system and the control is used for detecting the faults. Then the controlled variable is reconstructed through a robust state estimation approach in the presence of system uncertainties and sensor faults. The secondary control (SC) is fed by the estimated variable from the estimation system (ES), which uses all the different sensors' information, including erroneous measurement information. Figure 3 shows that the fault detection system (FDS) detects the fault and sends a signal to the estimation system (ES) to reconfigure itself to cope with the fault. Then the Post Failure Control Recovery System (PFCRS) reconfigures the secondary control (SC) as an open-loop control system while the estimation system converges.
This scheme ensures tracking the controlled variable and the PC reference coming from the SC, thus generating the converters' pulse-width modulated (PWM) signals in the event of different sensor faults. Consequently, the fault-tolerant hierarchical control system precisely tracks the reference powers and voltage control.
Fig. 4 shows the fault detection system (FDS) block diagram for the positive sequence active and reactive power signals, $P^+$ and $Q^+$ ($y$), which reflect the voltage and current sensor faults [46]. The faults are detected based on these signals' residual error ($r$). The residual errors are obtained as the difference between the estimated values of $P^+$ and $Q^+$ ($\hat{y}$) and the signal obtained by calculating the positive sequence of powers ($y(P^+, Q^+)$) based on the sensor measurements. A low-pass filter filters the value of $r$ with the transfer function given in equation (25) to obtain its mean value ($\bar{r}$). Then the absolute value of $\bar{r}$ is calculated ($|\bar{r}|$), and comparing this value with a threshold allows us to detect the fault. $\bar{r}$ can be thought of as the convolution of $r$ with an exponential function that is the impulse response of the transfer function of the low-pass filter. This action enables obtaining average values of the signal giving more weight to the more recent values of the residual signal.

A. SENSOR FAULT DETECTION ARCHITECTURE
For a correct operation, the value of the residual signal must be within its standard deviation values ($\pm\sigma_r$). The standard deviation signal, $\sigma_r$, is calculated as the square root of the mean of the square of the difference between the residual and its mean value ($\sigma_r = \sqrt{\overline{(r - \bar{r})^2}}$). A filter with a bandwidth $Bw_r$ is used to obtain this value (equation (26)). The standard deviation, $\sigma_r$, is multiplied by a gain value $K_{th}$ (which is a tuning parameter) to define the thresholds ($T_{th}$) that enable recognizing normal and faulty operations ($T_{th} = K_{th}\sigma_r$). If the value of $|\bar{r}|$ remains within $T_{th}$ ($|\bar{r}| < T_{th}$ or $-T_{th} < \bar{r} < T_{th}$), the system is said to be in a normal operation state, so the fault flag is reset (fault = "0"). Otherwise, the fault is detected, and the fault flag is set (fault = "1").
The parameters $Bw_m$ and $Bw_r$ are considered as tuning parameters of the fault detection system. The bandwidth $Bw_r$ should be much smaller than $Bw_m$, and the gain $K_{th}$ of the threshold should be low enough so that it varies slower than the mean of the residue, and its value remains greater than the residual when there is no fault. The transfer functions corresponding to the low-pass filters used in the FDS are now shown: where: $G_d(s)$, $G_m(s)$ and $G_r(s)$ are transfer functions of low-pass filters; $Bw_{data}$ is the bandwidth of the filter of measured signals; $Bw_m$ is the bandwidth of the filter that obtains the mean value of the residue; $Bw_r$ is the bandwidth of the filter that obtains the value of variance; $s$ is Laplace's complex variable.
As shown in Figure 4, the fault detection model presented is simple and very effective. When this method is combined with the scheme proposed in section B for estimating the actual value of the controlled variable, the feedback system carries out fault detection, isolation, and accommodation in an integrated manner.
To avoid intermittent fault detection in case of random faults (as shown in Fig. 21), the detection system is complemented with a logic that maintains the fault flag set for an established time (s) before being reset. The fault flag is reset only if the residual stays within the thresholds long enough. If $|\bar{r}|$ remains within $T_{th}$ for a time longer than the one established, the fault flag will switch to state "0", indicating that the system has returned to its normal operation.
In summary, the FDS detects the fault based on the difference between the estimate and the sensor measurement, the residual ($r$), and then handles it to determine the fault state. The fault is detected when the mean value of the "residual" (the approximate value of the mean value estimated by a first-order low-pass filter that gives greater weight to the last values of the residual) exceeds a threshold. The threshold is calculated based on the value of the standard deviation of the residual, which is estimated by another low-pass filter, giving more weight to the last measurements. The key for detecting the faults and avoiding false positive detections is that the bandwidth of the low-pass filter used for the variance is smaller (longer time constant) than that of the low-pass filter of the mean value of the residual (which has a shorter time constant).
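An added example, not code from the paper: a discrete-time implementation of the FDS logic summarized above (fast low-pass for the residual mean, slow low-pass for its variance, threshold $T_{th} = K_{th}\sigma_r$, and a flag hold time), run on a constructed residual with an offset fault. The first-order filter form, its discretization, the class and function names, and every numeric value are assumptions, because the paper's transfer functions and Table 9 values are not reproduced on this page. It also runs a variance filter as fast as the mean filter to show why $Bw_r \ll Bw_m$ matters.

```python
import math
import random


class ResidualFaultDetector:
    """Residual-based fault detector with adaptive threshold T_th = K_th * sigma_r.

    Assumption: each low-pass filter is first order, G(s) = Bw / (s + Bw) with
    Bw in rad/s, discretised as y[k] = y[k-1] + alpha * (x[k] - y[k-1]),
    alpha = 1 - exp(-Bw * Ts).
    """

    def __init__(self, bw_m, bw_r, k_th, ts, sigma0, hold_s):
        self.a_m = 1.0 - math.exp(-bw_m * ts)  # mean filter (fast)
        self.a_r = 1.0 - math.exp(-bw_r * ts)  # variance filter (slow)
        self.k_th = k_th
        self.mean = 0.0
        self.var = sigma0 ** 2                 # prior so that T_th is not 0 at start
        self.hold = int(round(hold_s / ts))    # samples the residual must stay quiet
        self.quiet = 0
        self.fault = False

    def step(self, r):
        """Process one residual sample and return the fault flag."""
        self.mean += self.a_m * (r - self.mean)
        self.var += self.a_r * ((r - self.mean) ** 2 - self.var)
        t_th = self.k_th * math.sqrt(self.var)
        if abs(self.mean) > t_th:
            self.fault = True
            self.quiet = 0
        elif self.fault:
            # Flag stays set until the mean residual has been inside the
            # threshold for the whole hold time.
            self.quiet += 1
            if self.quiet >= self.hold:
                self.fault = False
        return self.fault


def constructed_residual(n=1200, t_on=500, t_off=800, offset=0.2, sigma=0.01, seed=7):
    """Constructed test signal: Gaussian noise plus an offset fault on [t_on, t_off)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma) + (offset if t_on <= k < t_off else 0.0)
            for k in range(n)]


def run(bw_r):
    """Run the detector over the constructed residual for a given variance bandwidth."""
    det = ResidualFaultDetector(bw_m=100.0, bw_r=bw_r, k_th=3.0,
                                ts=1e-3, sigma0=0.01, hold_s=0.05)
    return [det.step(r) for r in constructed_residual()]


def detection_delay(flags, t_on=500):
    """Samples between fault onset and the first raised flag."""
    return next(k for k in range(t_on, len(flags)) if flags[k]) - t_on


if __name__ == "__main__":
    slow_var = run(bw_r=5.0)     # Bw_r << Bw_m, as the text requires
    fast_var = run(bw_r=100.0)   # Bw_r == Bw_m: threshold chases the fault
    print("delay with Bw_r << Bw_m:", detection_delay(slow_var), "samples")
    print("delay with Bw_r == Bw_m:", detection_delay(fast_var), "samples")
```

With equal bandwidths the variance estimate absorbs the fault step as quickly as the mean does, so the threshold rises with the residual and detection is delayed until the variance estimate decays again.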

B. SENSOR FAULT TOLERANT CONTROL: RECONFIGURABLE ESTIMATOR
There is a problem in practice, given that different sensors can fail. Many sensor fault-tolerant algorithms develop the mitigation scheme based on alternate signals without considering the signal of the faulty sensor. These methods obtain an estimation used for fault detection but not for control. Once the fault is detected, a commutation mechanism stops using the defective sensor and switches to the estimate to feed back the control system.
In contrast, the idea of the proposed scheme is not to carry out a commutation to the estimate but to use all variables (including the one from the faulty sensor) to estimate the feedback variable of the SC. Fig. 5 shows the general scheme of the sensor fault tolerant control system (FTCS). There is an estimation system (ES) based on a KF optimal estimator that takes the most information coming from the MG and the primary control system even under sensor fault conditions, a fault detection system (FDS), and a post-fault control recovery system (PFCRS).
The ES provides feedback to the secondary control through the estimates of the controlled variables ($\hat{P}$ and $\hat{Q}$) and not directly with the variable calculated from the measurements ($P$ and $Q$). The estimator is used as an optimization algorithm based on linear and nonlinear models of the MG and sensor measurements that looks for the best estimate of the feedback variable ($\hat{y}$) for the SC through its reconfiguration at the moment of the fault. In addition, since the measurements will always be contaminated by noise and errors, the ES would filter all the information from the sensors, removing noise and minimizing the effect of sensor errors.
At the moment of the fault, the ES adjusts the cost function giving less credibility to the faulty sensor. For the case of the KF, the measurement noise covariance matrix ($R$) of the estimation algorithm is modified, reassigning a new value for the covariance of the faulty sensor. This way, less credit is given to the information from the faulty sensors, and a mechanism for fault isolation is established. The ES will estimate the controlled variable as a function of the data coming from all sensors of the MG without requiring a commutation. The covariance matrix of the process noise is used as a tuning parameter of the ES. Table 2 and Table 3 show the table of variables and the design proposed for the ES main algorithm. Table 4 and Table 5 show the table of variables and the design proposed for the Int_step_KF function used in the ES main algorithm. Table 6 and Table 7 show the table of variables and the design proposed for the Sens_upd_KF function used in the ES main algorithm.
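An added example, not the paper's ES algorithm or its Int_step_KF / Sens_upd_KF functions: a scalar-state Kalman filter fed by two sensors, in which the entry of $R$ for the sensor flagged as faulty is reassigned to a large value instead of switching that sensor out. The first-order plant, the noise levels, the offset fault, the detection delay, and all names are constructed assumptions.

```python
import math
import random

# Constructed first-order model x[k+1] = A*x[k] + B*u[k] + w[k]; not from the paper.
A, B = 0.95, 0.05
Q = 1e-4            # process noise covariance (the ES tuning parameter)
R_NOMINAL = 4e-4    # healthy sensor noise variance (std 0.02)
R_FAULTY = 1e6      # covariance reassigned to a sensor flagged as faulty


def kf_step(x, p, u, z, r_diag):
    """One predict + measurement-update cycle for a scalar state.

    z and r_diag carry one entry per sensor. With a diagonal R the sensors can
    be processed one after another, which is equivalent to the joint update.
    """
    x = A * x + B * u
    p = A * p * A + Q
    for zi, ri in zip(z, r_diag):
        k = p / (p + ri)        # Kalman gain for this sensor
        x += k * (zi - x)
        p *= (1.0 - k)
    return x, p


def simulate(reconfigure, n=600, t_fault=300, detect_delay=5, offset=0.5, seed=11):
    """Return the estimation error per sample.

    Sensor 1 gets a constant offset from t_fault on (constructed fault).
    If reconfigure is True, its covariance is raised detect_delay samples
    later, standing in for the flag an FDS would deliver.
    """
    rng = random.Random(seed)
    x_true, x_hat, p = 1.0, 1.0, 1e-3
    errors = []
    for k in range(n):
        x_true = A * x_true + B * 1.0 + rng.gauss(0.0, math.sqrt(Q))
        z1 = x_true + rng.gauss(0.0, 0.02) + (offset if k >= t_fault else 0.0)
        z2 = x_true + rng.gauss(0.0, 0.02)
        flagged = reconfigure and k >= t_fault + detect_delay
        r_diag = (R_FAULTY if flagged else R_NOMINAL, R_NOMINAL)
        x_hat, p = kf_step(x_hat, p, 1.0, (z1, z2), r_diag)
        errors.append(x_hat - x_true)
    return errors


def rms(values):
    """Root-mean-square of a sequence of errors."""
    return math.sqrt(sum(e * e for e in values) / len(values))


if __name__ == "__main__":
    plain = simulate(reconfigure=False)
    reconf = simulate(reconfigure=True)
    print("RMS error after fault, fixed R:        %.4f" % rms(plain[400:]))
    print("RMS error after fault, reconfigured R: %.4f" % rms(reconf[400:]))
    print("peak error before the flag arrives:    %.4f"
          % max(abs(e) for e in reconf[300:310]))
```

The peak error in the samples between fault onset and reconfiguration is the transient that a post-fault recovery stage has to ride through.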

C. SENSOR FAULT-TOLERANT CONTROL: POST FAULT CONTROL RECOVERY SYSTEM
As shown in Fig. 5 and Fig. 6, the SC is fed back directly with the ES estimated variable. During the period between the occurrence of the fault and its detection, the ES estimation error of the feedback variable $\hat{Q}(t)$ or $Q_{sen}(t)$ of the SC increases. At the moment of detecting the fault, the covariance of the sensor in the ES system is changed, and it recovers its estimate. However, this change is not instantaneous and takes a short time, depending on the MG dynamics and the fault. Therefore, until the estimate is recovered, an erroneous value is fed back to the SC. This erroneous estimation can cause problematic dynamics for the secondary control (SC) and produce a cascade effect for the primary control (PC).
At this point, it is vital to consider the time taken by the FDS to detect the fault and the ES to recover the correct estimate after the fault. The idea of the Controller and Post Failure Control Recovery System (PFCRS) is to open the control loop during the time it takes to recover the ES and use the last value of the control action applied to the PC. After the ES stabilizes with the estimated value of the variable, the PFCRS system closes the control loop and returns to the normal operating condition of the controller. Figure 6 shows the scheme proposed for PFCRS and the secondary control strategy.
Figure 7 shows a detailed schematic diagram of the PFCRS. This scheme consists of a monostable, a memory, a delay, and a couple of commutation systems. The monostable generates a signal that opens the control loop during the time the ES requires to recover after the fault. The delay and the memory take the control action or the output of the controller a time $t_d$ before the fault occurrence and fix it to the controller's output during the period where the control operates in open loop. This action is carried out until the time $t_m$ passes, and the control loop is closed again, guaranteeing that the ES has recovered the variable estimate. The times $t_m$ and $t_d$ are considered tuning parameters of the PFCRS. The times $t_m$ and $t_d$ should be greater than the time it takes for the ES to recover the value of the estimate and the time the FDS takes to detect the fault, respectively.
The scheme presented here can be easily adapted to many other power plants. In addition, this scheme can be easily adapted to hybrid energy systems in the presence of faults to preserve the stability of the MGs, reliability, and the main performance objectives, thus guaranteeing power quality for the users.
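An added example, not the paper's PFCRS implementation: the monostable, delay, and memory described for Fig. 7, written as a sample-based block that freezes the command at the controller output recorded $t_d$ before the fault flag rose and releases it after $t_m$. The class name, sample time, timing values, and the controller output sequence are constructed assumptions.

```python
from collections import deque


class PostFaultRecovery:
    """Open the secondary control loop for t_m after the fault flag rises.

    While the loop is open the output is held at the controller output stored
    t_d earlier (delay + memory); afterwards the live controller output is
    passed through again (loop closed).
    """

    def __init__(self, t_d, t_m, ts):
        self.n_d = int(round(t_d / ts))
        self.n_m = int(round(t_m / ts))
        self.history = deque(maxlen=self.n_d + 1)  # delay line of past outputs
        self.held = None                           # memory
        self.remaining = 0                         # monostable timer, in samples
        self.prev_flag = False

    def step(self, u_ctrl, fault_flag):
        """Return (command sent to the primary control, loop_open)."""
        if self.remaining == 0:
            # Record controller outputs only while the loop is closed, so the
            # delay line never fills with open-loop values.
            self.history.append(u_ctrl)
        if fault_flag and not self.prev_flag:
            # Rising edge: latch the output from t_d ago and start the timer.
            self.held = self.history[0]
            self.remaining = self.n_m
        self.prev_flag = fault_flag
        if self.remaining > 0:
            self.remaining -= 1
            return self.held, True
        return u_ctrl, False


def run_pfcrs():
    """Constructed scenario with a 1 ms sample time.

    The fault starts at k = 100 and corrupts the controller output, the flag
    rises at k = 105 (5-sample detection delay), and the controller output is
    sane again from k = 140 on.
    """
    u = [0.001 * k if k < 100 else (5.0 if k < 140 else 0.1) for k in range(200)]
    flags = [k >= 105 for k in range(200)]
    pfcrs = PostFaultRecovery(t_d=0.010, t_m=0.040, ts=1e-3)
    out, opened = [], []
    for uk, fk in zip(u, flags):
        cmd, is_open = pfcrs.step(uk, fk)
        out.append(cmd)
        opened.append(is_open)
    return u, out, opened


if __name__ == "__main__":
    u, out, opened = run_pfcrs()
    print("held command:", out[105], "(controller output at k = 95)")
    print("loop open for", sum(opened), "samples")
```

Because $t_d$ (10 samples) exceeds the detection delay (5 samples), the latched value predates the fault; with a shorter $t_d$ the block would hold an already corrupted command.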

VI. CASE STUDY AND SIMULATION RESULTS
The performance of the proposed scheme was tested for different case studies of malicious and non-malicious faults through digital simulation in the MATLAB/Simulink/Sim Power Systems environment. For this purpose, a simple double-loop LC was implemented, requiring a smaller control and processing effort. The DG units have a double loop (current and voltage) architecture.
The primary and secondary levels are based on PI and PID controllers. In contrast, secondary control was established with a power control loop as a centralized control protocol. The hierarchical control system, just like the FTCS scheme, was implemented for its validation in the 220 V low voltage network of the MG proposed in [32] in an isolated manner (Table 8 and Fig.8). For this purpose, it was complemented with distributed generation sources in cascade topology configured for a master/slave control system. The Grid-forming VSC connected in cascade consists of three single-phase inverters (in wye connection) synchronized to establish the three-phase voltage conversion of the isolated MG.
If the proposed fault-tolerant method cannot operate under a specific type of fault occurring in the secondary control measurement system, it would set up a fixed reference on the LC, changing the hierarchical configuration to a local structure. The hierarchical control objective would be lost with this mode of operation, but at least the MG would remain in operation.
For this study, the FTCS is designed based on the $Q^+$ estimation for voltage control. The FTCS design is validated in this section by estimating the variable controlled by the SC using all the information from the MG and the PC as voltage and current. This case is one of the most dynamically sensitive, where the effect of the voltage and current sensor fault associated with secondary control is reflected in this variable. However, it should be emphasized that the scheme proposed and subject to validation in this case study can be implemented on the voltage or current measurement estimation, independently of the secondary or primary control system implemented.
The $A_{n \times n}$, $B_{n \times r}$, $C_{m \times n}$, $D_{m \times r}$ state matrices necessary for the FDS and ES design were obtained using the dynamic identification method developed in [44] and [45]. Table 9 shows the parameters of the FDS, ES, and PFCRS systems.
According to the sequence of events shown in the previous paragraph, the following sections will test the fault tolerance proposal for different case studies based on non-malicious and malicious faults on the measurements of the voltage sensor corresponding to the SC.
As seen in the following sub-sections, the FTCS operates in normal operating and fault conditions, and in the worst case, with performance degradation. A good system model is crucial in designing such a strategy. After automatically reconfiguring the estimator based on the KF, due to the proposed fault-tolerant structure and its low computational cost, this model may be implemented in realistic environments for any level of primary, secondary, or tertiary closed-loop control. The KF chosen for the design of the ES enabled reducing the effect of measurement noise, additive disturbances, and uncertainty of the identified model, thus achieving an acceptable estimation for variable $Q^+$.

A. RESPONSE OF PROPOSED FTCS TO NON-MALICIOUS FAULTS
In this section, the proposed FTCS strategy was subject to non-malicious fault events described in section III to validate the proposed method's effectiveness. First, the system was subject to a fault of type "partial output" (abrupt). In the second case, it was subject to a fault of type "fixed output," and in the third case, the system was subject to a fault of type "sensor with no output" (abrupt). Fig. 9 shows the dynamic behavior of the FDS for a fault event of type partial output. The figure shows dynamic signals such as the mean, the residual generated, the thresholds, and the fault flag. When the waveform of the mean exceeds one of the thresholds generated, it automatically raises the fault flag at 0.607 s. The fault flag is raised after a short time instant of 0.007 s obtained between the fault event's occurrence and its detection. Fig. 10 (a) and (b) represent the comparison between actual and estimated values of $Q^+$ and the dynamic effect produced on the Voltage Unbalance Factor (VUF) together with the control action of the SC, respectively. In addition, the behavior of the estimate of variable $Q^+$ is compared with the actual and measured values (Fig. 10 (a)). This figure also shows the response time (0.072 s) of the estimator (ES stabilization time) until it recovers a value approximately equal to the actual value of $Q^+$. This is the time considered by the PFCRS scheme to maintain the open-loop control, and after a time larger than 0.072 s passes, the control loop is closed again (Fig. 10 (b)). The VUF value never exceeds 2.5%.
The MG voltage waveforms (actual and RMS value per phase) in the critical bus, before and after the compensation, are shown in Fig. 11. As shown in this figure, the voltage unbalance is effectively compensated after the occurrence of the fault. The SFTC detects, isolates, reconfigures, and recovers the centralized SC of the MG and the distributed generation sources electronically coupled in cascade after the fault. Fig. 12 shows the dynamic behavior of the same signals as the previous figures, but this time for a fault of the fixed output type. It is seen in this figure that when the waveform of the mean exceeds the thresholds, the fault flag is raised at 0.817 s. Given that the fault event was generated at 0.6 s, it seems the system takes 0.217 s to detect the fault, which is quite large compared with the previous case, which was 0.007 s. However, it has to be taken into account that this is a fault in which the measurement has a fixed value corresponding to the last instant before the occurrence of the fault event.
In this case, if the MG does not change its operation state until there is a load disturbance, the value of the faulty sensor is different from the actual state of the MG but not enough for the mean of the residue to exceed the thresholds. Therefore, the SC will maintain the correct control action (Fig. 13 (b)) until there is a load disturbance. This happens at 0.8 s, where the value of the actual state of the MG (the remaining variables used for estimating $Q^+$ change) differs from the fixed value established by the fault, and the fault is detected. The fault flag is raised after a short time instant of 0.017 s, obtained between the moment the load event occurs and the fault detection. Fig. 13 (a) and (b), like Fig. 10, represent the comparison between actual and estimated values, the dynamic effect produced on the VUF, and the control action. The response time of the estimator until recovering a value approximately equal to the actual value of $Q^+$ is about 0.1 s. The VUF value is at most 2.5%. Fig. 14 shows the MG voltage waveforms in the critical bus. As can be noted, the voltage unbalance is effectively compensated after the occurrence of the fault, as in the previous case.
Now the FTCS scheme is subject to a sensitivity considering a fault of type "sensor without output." Figures 15, 16, and 17 similarly show the effectiveness of the scheme proposed in this work. It is seen that the fault flag is raised at 0.607 s for a response time of the FDS of 0.007 s, a response time of the estimator of 0.09 s, and a transient peak value of the VUF (at the moment of the fault) below 3%. Fig. 17 similarly shows the MG voltage waveforms in the critical bus and the voltage unbalance when the fault occurs.
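The reason the fixed-output fault is detected only after the load disturbance can be reproduced with a small residual-mean detector. This is an added example, not the paper's FDS: the fixed threshold, the window length, the sensor fault models, the signal levels, and the ideal model-based estimate are constructed assumptions, so the detection steps it produces are illustrative and differ from the times reported above.

```python
from collections import deque


def sensor_reading(kind, k, true_q, fault_step):
    """Constructed sensor models for the three non-malicious fault types."""
    if k < fault_step:
        return true_q[k]                 # healthy sensor
    if kind == "partial":                # partial output: reports a fraction of the value
        return 0.5 * true_q[k]
    if kind == "fixed":                  # fixed output: stuck at the last pre-fault value
        return true_q[fault_step - 1]
    if kind == "none":                   # sensor with no output
        return 0.0
    raise ValueError(kind)


def detection_step(kind, load_step=800, window=5, threshold=20.0):
    """First 1 ms step at which the moving mean of the residual leaves +/-threshold."""
    fault_step = 600                     # fault injected at 0.6 s
    # Constructed Q+ trajectory (arbitrary units) with a load disturbance at load_step.
    true_q = [100.0 if k < load_step else 130.0 for k in range(1000)]
    recent = deque([0.0] * window, maxlen=window)
    for k in range(1000):
        estimate = true_q[k]             # assumption: ideal estimate from the other MG variables
        residual = sensor_reading(kind, k, true_q, fault_step) - estimate
        recent.append(residual)
        if abs(sum(recent) / window) > threshold:
            return k                     # fault flag raised here
    return None
```

The abrupt faults trip the detector within a few samples of step 600, while the stuck sensor produces a zero residual until the true value moves, so its detection step tracks `load_step` rather than the fault instant.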

B. RESPONSE OF PROPOSED FTCS TO MALICIOUS ATTACK
To continue evaluating the performance of the SFTC, the system was subject to the impact of malicious fault events, similarly described in section III. First, the performance of the SFTC is shown for an attack of type "ramp" (Fig. 18, Fig. 19, and Fig. 20) and of type "random" (Fig. 21, Fig. 22, and Fig. 23). As soon as the fault appears, the proposed control method quickly reestablishes the value of $Q^+$, the secondary control action, and the voltage. The following table shows the numeric values of the variables under study corresponding to type ramp and random faults.
Finally, as can be seen in Fig.20 and Fig.23, the MG voltage waveforms in the critical bus effectively maintain the voltage unbalance after the occurrence of the fault, similar to all sensitivities of previous faults.
The proposed methodology for SFTC design presents excellent behavior regarding the detection, error management, isolation, and reconfiguration of the centralized HCS of the MG and the distributed generation sources coupled electronically in cascade. In addition, the performance of the proposed SFTC control loop has an average stabilization time of 0.003 s. Table 11 summarizes the performance metrics and dynamics for the proposed fault tolerance methodology (unnormalized data). Fig. 24 shows a bar chart with the normalized metrics (0-1): observer settling time ($t_e$), fault detection time ($t_d$), maximum (voltage) overshoot ($M_p$), hierarchical control settling (voltage) time ($t_s$), steady state error ($e$) and the VUF. On the other hand, Table 12 shows the performance indicators in comparison with different strategies. Finally, in Fig. 26, the performance of the proposed methodology is compared through three leading indicators equally normalized (0-1). It should be noted that most of the metrics of the proposals were taken based on the graphical results shown by the authors; therefore, they are referential values.
The previous results were obtained on a Workstation with the following performance: CPU Intel(R) Xeon(R) E-2276M CPU@ 2.80GHz, memory EEC -64.0 GB to 2667 MHz, disk SAMSUNG MZVLB2T0HALB-000L7, and GPU NVIDIA Quadro T2000 with 4.0 GB and 35.9 GB GPU memory total.

VII. CONCLUSION
With the excellent performance of the two-level centralized, hierarchical control system, it was possible to establish a methodology with simplicity, low processing effort, fast response, and robustness. The proposed approach was able to reconstruct the voltage sensor signal to ensure the robustness of the control during voltage variations, voltage unbalances, and power variables under consideration. It isolated and handled the fault, reconfigured the control law, and operated the DGs under different malfunction conditions in the secondary control measurement system. This method enables the controller to automatically return to its nominal operating situation once the fault is corrected.
The FTCS ensures the continuity of the secondary P/Q control action for guaranteeing the precise generation of pulse-width modulated (PWM) signals in the PC. In this way, the FTCS control prevents the activation of the protection devices that can lead to the DGs or the isolated MG being turned off (blackout). In addition, it guarantees the safe and reliable operation of the hierarchical control system and the MG, mitigating the impact of faults and errors due to malicious cyberattacks on the sensor associated with the secondary control loop. Other fault events or attacks that involve multiple sensors can be considered. The proposed model will be replicated and implemented for various real case studies in future work.