
Product Group Safety

Independent High Integrity (HI)


Technical Overview
Table of Contents

 Independent HI Offering
 AC800M High Integrity
 Control Builder Safe
 Certification
 Diversity vs. Architecture
 Use of Redundancy
 Security
 Connectivity & Interfacing
 Systematic Capabilities
 Engineering
 Maintenance

© ABB Group
10/17/21 | Slide 2
Independent High Integrity
Safety Product Offering

 Independent HI has the exact same certified components as the System 800xA High Integrity safety system
 Does not include functionality related specifically to process control (i.e. HMI or Operations)
 Control Builder Safe includes those items required for certified safe operations

 Perfect solution for many industries:
   Oil & Gas
   Petrochemical
   Chemical
   Pulp & Paper
   Power
 Great for industrial applications:
   Emergency Shutdown
   Relay Interlock
   Remote Terminal Units
   Burner Management
   High Integrity Pressure Protection
Independent High Integrity
Safety Product Offering

 HI Hardware
   TUV certified SIL 3 controller (PM865/SM811)
   24 VDC DC I/O and 4-20 mA analog inputs
 Control Builder Safe
   Engineering
   IEC1131 languages
   Access control and override control
   Certified Libraries
   Diagnostics
 Connectivity and Interfacing
   ABB Control systems
   3rd party software and control systems

(Figure: Small Independent HI system with engineering and DCS)
Certificates
High Integrity ABB Safety Certificates

(Figure: certificate images for the product, the safety development department and the safety manual)

 TÜV certification for the hardware, software and development organization
Certificates
AC800M High Integrity – Meets Industry Standards

 AC800M HI Controller – SIL 1-3 / CAT PLe 1-4 certified
 S800 Safety I/O (AI, DI, DO) – SIL 1-3 / CAT PLe 1-4 certified
 I/O Communication – SIL 1-3 / CAT PLe 1-4 certified
 System certified to IEC61508, IEC61511 / ISA84, EN54/NFPA72, NFPA85, NFPA86
 Additional I/O and communication modules – certified as interference-free* (*Listed in safety manual)
Diversity vs. Architecture
1st Generation Logic Solver Architectures

 Duplex – 1oo2D
 Triplex – 2oo3
 Quad (Bi-Duplex) – 2oo4D

Independent HI – Standalone Architecture
Diverse Architecture, Diverse Implementation

(Figure: CB – PM (SIL3) – SM (SIL3) – Safety I/O (SIL3); PM and SM are each 1oo1D and together form a 1oo2D pair)

 The SIL 3 High Integrity controller has parallel processing paths based on diverse technology
 Integrity voting between paths complements the built-in active diagnostics
 Controller (PM) and Safety Module (SM) developed by diverse (different) teams (Vasteras and Malmo, Sweden) and tested by a third team (Oslo, Norway) by people with different backgrounds
 The two channel architecture meets SIL3 requirements for hardware fault detection and reaction

IEC61508-2 Table 3 (maximum SIL by Safe Failure Fraction and Hardware Fault Tolerance):

  SFF (%)     HFT 0        HFT 1    HFT 2
  < 60        Not allowed  SIL 1    SIL 2
  60 - 90     SIL 1        SIL 2    SIL 3
  90 - 99     SIL 2        SIL 3    SIL 4
  > 99        SIL 3        SIL 4    SIL 4
Independent High Integrity
Application Execution

(Figure: CEX Bus and ModuleBus deliver I/O-Data+CRC to the Safety Module (SM) and Processing Module (PM); each executes the 1131 application with diverse execution and supervisory logic, both SIL3, together with the Safety I/O)

 Parallel diverse execution allows a hardware fault tolerance of 1 for SIL3 applications
 HFT = 1 (SIL 3 Execution)

IEC 61508-2, Table 3:

  SFF            HFT 0        HFT 1    HFT 2
  < 60 %         Not allowed  SIL 1    SIL 2
  60 % - < 90 %  SIL 1        SIL 2    SIL 3
  90 % - < 99 %  SIL 2        SIL 3    SIL 4
  ≥ 99 %         SIL 3        SIL 4    SIL 4
Independent High Integrity
Safe Failure Fraction (SFF)

 Modern design techniques allow the AC800M HI to achieve near 100% diagnostic coverage without needing to resort to HFT factors to reduce PFD

IEC 61508-2, Table 3:

  SFF            HFT 0        HFT 1    HFT 2
  < 60 %         Not allowed  SIL 1    SIL 2
  60 % - < 90 %  SIL 1        SIL 2    SIL 3
  90 % - < 99 %  SIL 2        SIL 3    SIL 4
  ≥ 99 %         SIL 3        SIL 4    SIL 4

 The AC800M HI controller does not rely on voting schemes like TMR to increase the safety integrity
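A worked example, added here and not taken from ABB material, that carries the slide's SFF/HFT argument through in Python: the SFF definition from IEC 61508-2, the Table 3 route shown above, and the simplified single-channel PFD. All failure rates and the proof-test interval are constructed values, not AC800M HI figures.

```python
# Added example (not ABB code): the safe failure fraction and the
# SFF/HFT route of IEC 61508-2 Table 3 as reproduced on the slide,
# worked with constructed failure rates in FIT (failures per 1e9 h).
# The rates below are illustrative, not AC800M HI figures.

# Table 3 rows: (upper SFF bound of the band, max SIL at HFT 0, 1, 2);
# None is the "Not allowed" cell.
TABLE_3 = [
    (0.60, (None, 1, 2)),        # SFF < 60 %
    (0.90, (1, 2, 3)),           # 60 % <= SFF < 90 %
    (0.99, (2, 3, 4)),           # 90 % <= SFF < 99 %
    (float("inf"), (3, 4, 4)),   # SFF >= 99 %
]

def sff(lambda_s, lambda_dd, lambda_du):
    """SFF = (safe + dangerous detected) / all failures (IEC 61508-2)."""
    return (lambda_s + lambda_dd) / (lambda_s + lambda_dd + lambda_du)

def max_sil(sff_value, hft):
    """Highest SIL Table 3 permits for this SFF band and fault tolerance."""
    for upper, sils in TABLE_3:
        if sff_value < upper:
            return sils[hft]

def pfd_avg_1oo1(lambda_du_fit, proof_test_hours):
    """Simplified single-channel average PFD, lambda_DU * T_I / 2
    (IEC 61508-6 form with repair times neglected)."""
    return lambda_du_fit * 1e-9 * proof_test_hours / 2

def sil_with_diagnostics(lambda_s, lambda_d, dc, hft):
    """Split the dangerous rate by diagnostic coverage dc, then apply Table 3.
    Higher dc moves failures from lambda_DU to lambda_DD: SFF rises and
    PFD falls without adding a second channel (HFT)."""
    lambda_dd = lambda_d * dc
    lambda_du = lambda_d - lambda_dd
    s = sff(lambda_s, lambda_dd, lambda_du)
    return s, max_sil(s, hft)

if __name__ == "__main__":
    # Same constructed element (400 FIT safe, 100 FIT dangerous) at two
    # diagnostic coverages, single channel (HFT 0) and dual (HFT 1).
    for dc in (0.60, 0.99):
        for hft in (0, 1):
            s, sil = sil_with_diagnostics(400, 100, dc, hft)
            print(f"DC {dc:.0%}, HFT {hft}: SFF {s:.1%}, max SIL {sil}")
    # Residual lambda_DU of 40 FIT vs 1 FIT with a yearly proof test.
    print(pfd_avg_1oo1(40, 8760), pfd_avg_1oo1(1, 8760))
```

With 60 % coverage the element reaches SIL 2 single-channel and needs HFT 1 for SIL 3; at 99 % coverage the same element reaches SIL 3 single-channel, which is the slide's point.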
S880 High Integrity I/O Family
Features with Embedded Diversity

 Single and Redundant configuration
 Hot Insertion and Hot Swap in redundant configuration
 G3 Coating
 EX certified – Zone 2, Class 1 according to US standard
 Embedded Diversity
   Two diverse execution paths based on different hardware technology
   Both MCU and FPGA
   Each individual single IO module has an internal 1oo2 architecture
Use of Redundancy
Meet SIL 3 Criteria without Redundancy
Single Configuration

(Figure: SM811, PM865, TB840, Single I/O AI880, DI880 and DO880)
AC800M High Integrity
Redundant Controller Configuration for Availability

 AC800M High Integrity offers availability figures comparable to or better than typical TMR systems
 Availability up to 99.9999%
 Redundancy and switch-over to stand-by unit allow continuous operation without time restriction upon failure of one of the redundant modules

(Figure: redundant configuration with 4 CPUs)
Security
Safety Module Security and Indication

 Reset All Forces – Enable a quick reset of all forces in the controller
 Access Enable – Activates the access enable function
 Hot insert – Initiates hot insertion of SM811 (in redundant configuration)
 Force Indicator – Active if one or more signals are in force
 System Alarm Indicator – Active if there are one or more system alarms

(Figure: SM811 front panel with the “Reset all forces”, Hot Insert, Force Indicator and System Alarm elements)
Independent High Integrity
System Security And Embedded Firewalls

 Based on the Windows security model* with:
   Configurable restrictions per user
   Auditing
   Authentication and Digital signature
 Functions for protection of SIL classified applications in AC800M HI Controllers
   SIL Access Control and Authorization
   Force Control / Override Control / Bypass Management
   Confirmed Online Write / Confirmed Operation
 Embedded firewalls and confirmation procedures protect the SIL application from inadvertent / accidental control actions

* Possible via Remote Desktop to Engineering Station
Security
Roles & Responsibilities

 Users can be assigned different permissions according to their responsibilities
 Restriction of access to the SIS (engineering and operation from Engineering Station)
 High flexibility
Security
Audit Trail

 Enables audit of all operator and engineering actions
 Possible to disable during commissioning
 Audit action examples
   Configuration changed
   Signal forced
   Download
   Reserved/Released
 Audit log contains:
   Date and time for the operation
   Node from which the operation was performed
   User name of the individual performing the operation
   Type of operation
   Object, property or aspect affected by the operation
Connectivity & Interfacing
Independent High Integrity
Connectivity and Interfacing

 Available protocols…
   Safety Peer to Peer
   OPC
   ABB protocols
   Modbus TCP *
   RS232 *
 …to connect to…
   AC800M HI controllers
   Process panels
   ABB or 3rd party DCS & PLC
   3rd party HMI software

* Planned for a future release
Independent High Integrity
Communication Interfaces

 Communication certified “interference free”
   CI854A – PROFIBUS DP/V1
   CI855 – MasterBus 300
   CI867 – ModBus TCP
   CI868 – IEC 61850
   CI856 – S100 I/O
   CI853 – RS-232
   CI857 – INSUM
 Not intended for safety critical functions
 All certified interference free modules listed in the ABB Safety Manual
Freelance and Independent High Integrity (HI)
Solution Example

 Essential Automation Freelance System:
   One AC 900F controller to process approximately 400 I/O signals
   One engineer station combined with operator station
   S700 I/O or S800 remote I/O or S900 I/O contact main controller via Profibus DP
   Redundant Ethernet (Optional)
 Independent High Integrity (HI) SIL3/SIL2 Application
   1 AC 800M HI controller to process 350 I/O signals
   S800 HI I/O
   One Control Builder Engineering Station
   Redundant Ethernet (Optional)
 Connectivity and Interfacing
   OPC (preferred for SIS supervision)
   Alternative communication module CI853 (RS-232) via Modbus to interface to Freelance AC 900F Controller

(Figure: Freelance system and Independent HI system linked via Modbus)
Systematic Capabilities: Engineering
Engineering
SIL Compliant Application Environment

 Engineering tool automatically limits user configuration choices to ensure integrity
 Safety functions protect and control download to the process and runtime environment
 Download is prevented unless all SIL requirements are met
 Embedded firewall mechanisms include:
   CRC protection on different levels
   Double code generation with comparison
   Compiler with revalidation
Engineering
Compiler Restrictions

 The compiler warns and / or prevents the engineer from designing dangerous code
   For example complex code structures, loops etc.
 The compiler checks that all restrictions and rules necessary to achieve the intended SIL of the application are adhered to
 An error is reported when a rule is violated and the attempted download to the controller is blocked
Engineering
On-line changes

 Online changes can be downloaded to the controller without interfering with the running process
   FB/CM parameters (e.g. trip limit)
   Hardware settings (e.g. ISP value)
   Logic
 Downloads are protected by the “Access enable” function
 Re-authentication can be configured to ensure that the user is authorized
 This is also recorded in the audit trail
Engineering
Difference Report

 Reports the differences between the project running in the controller and the project in the Control Builder M
 Presented before download to the controller
 Changes may be rejected (in which case the download is cancelled)
 Each difference report is saved and stored automatically and can be reviewed at any time
 This, together with audit trail functionality and more, provides a well documented and traceable history
Engineering
Certified Libraries

 System
 AlarmEventLib
 BasicLib
 FireGasLib
 MMSCommLib
 ProcessObjBasicLib
 ProcessObjExtLib
 SerialCommLib
 SignalBasicLib
 SignalLib
 SignalSupportLib
 SupervisionBasicLib
 SupervisionLib

Engineering
SIL Applications

  Supported Languages          SIL2   SIL3
  Function Block               X      X
  Structured Text              X      X
  Sequential Function Chart    X

 SIL level can be configured independently by application
 Supported languages
   Control Modules
   IEC 61131-3
Systematic Capabilities: Maintenance
Maintenance
Force Control

 The AC 800M HI supports supervision and control over the forces in SIL classified applications
 Each SIL application has a configurable maximum number of allowed forces (0 by default)
 Offers easy overview of the current status of the SIS and the ability to quickly restore all safety functions to full functionality
 Hardware signals
   Reset All Forces (Input)
   Any Force Active (Output)
 ForcedSignals FB
   Force supervision and reset
   SIL3 certified
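An added example (not ABB code) that serves both the Audit Trail slide and this Force Control slide: it replays a constructed audit log carrying the fields the deck lists (date/time, node, user, type of operation, affected object) to reconstruct which signals are still forced in each SIL application and flags any application above its configured maximum number of forces. The log format, the limits and all application and signal names are assumptions made for the example.

```python
# Added example (not ABB code): replay a constructed audit trail carrying the
# fields the slides list (date/time, node, user, type of operation, object) to
# reconstruct the live forces per SIL application and compare them with the
# application's configured maximum number of forces (0 by default).
# The log format, limits, application and signal names are all constructed.
from collections import namedtuple
from datetime import datetime

AUDIT_LOG = """\
2021-10-17T08:01:12 | ENG01 | m.engineer | Signal forced    | App_ESD1.PT101_HH
2021-10-17T08:03:45 | ENG01 | m.engineer | Signal forced    | App_ESD1.LT205_LL
2021-10-17T08:10:02 | ENG01 | j.maint    | Signal forced    | App_ESD1.FT330_L
2021-10-17T08:11:30 | ENG01 | m.engineer | Signal unforced  | App_ESD1.PT101_HH
2021-10-17T09:00:00 | ENG02 | j.maint    | Download         | App_BMS
2021-10-17T09:30:00 | ENG01 | m.engineer | Signal forced    | App_BMS.TT410_H
2021-10-17T09:45:00 | ENG01 | j.maint    | Reset all forces | App_BMS
"""
MAX_FORCES = {"App_ESD1": 1, "App_BMS": 0}  # unlisted applications keep 0

Entry = namedtuple("Entry", "when node user operation obj")

def parse(log):
    """One Entry per pipe-separated line, in log order."""
    entries = []
    for line in log.splitlines():
        when, node, user, op, obj = (f.strip() for f in line.split("|"))
        entries.append(Entry(datetime.fromisoformat(when), node, user, op, obj))
    return entries

def active_forces(entries):
    """Replay force/unforce/reset operations -> {app: {signal: forcing user}}."""
    active = {}
    for e in entries:
        app = e.obj.split(".")[0]  # signals are named App.Signal
        if e.operation == "Signal forced":
            active.setdefault(app, {})[e.obj] = e.user
        elif e.operation == "Signal unforced":
            active.get(app, {}).pop(e.obj, None)
        elif e.operation == "Reset all forces":  # clears the whole application
            active.pop(app, None)
    return {app: sigs for app, sigs in active.items() if sigs}

def over_limit(active, limits):
    """Applications whose live force count exceeds the configured maximum."""
    return {app: len(sigs) for app, sigs in active.items()
            if len(sigs) > limits.get(app, 0)}
```

Running over_limit(active_forces(parse(AUDIT_LOG)), MAX_FORCES) shows that App_BMS is clean after its reset while App_ESD1 still carries two forces against a limit of one, which is the kind of state the Force Indicator and a review of the trail are meant to expose.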
Maintenance
Inhibit

 Avoid spurious trips during maintenance procedures
 Inhibit action limits
   Alarms will be shown to the operator but no safety action will be taken
 Configurable automatic reset of all overrides with the Maintenance Engineer confirmation
Safety Product Offering
Conclusion

 ABB’s High Integrity safety offerings are TUV certified to the most recent version of the standards (IEC61508 Edition 2)
 We rely on diversity, not architecture, to meet SIL
   i.e. you aren’t paying for unnecessary redundancy
 Our architecture is very flexible, you can have:
   Integrated (same hardware, network etc.)
   Combined (same controller)
   Single or redundant controller configuration
   Interfaced with any HMI or DCS (Independent HI)
 High Integrity is accepted (approved) by most major Oil & Gas companies
 ABB has expertise, support and partners all over the world
