1. Independent High Integrity (HI) Technical Overview
Product Group Safety
Independent High Integrity (HI) Technical Overview 1

2. Table of Contents Independent HI Offering AC800M High Integrity
Control Builder Safe
Certification
Diversity vs. Architecture
Use of Redundancy
Security
Connectivity & Interfacing
Systematic Capabilities
Engineering
Maintenance
© ABB Group
September 17, 2018 | Slide 2

3. Independent High Integrity Safety Product Offering
Independent HI has the exact same certified components as the System 800xA High Integrity safety system
Does not include functionality related specifically to process control (i.e. HMI or Operations)
Control Builder Safe includes those items required for certified safe operations
Perfect solution for many industries:
Oil & Gas
Petrochemical
Chemical
Pulp & Paper
Power
Great for industrial applications:
Emergency Shutdown
Relay Interlock
Remote Terminal Units
Burner Management
High Integrity Pressure Protection
© ABB Group
September 17, 2018 | Slide 3

4. Independent High Integrity Safety Product Offering
HI Hardware
TUV certified SIL 3 controller (PM865/SM811)
24 VDC DC I/O and ma Analog inputs
Control Builder Safe
Engineering
IEC1131 languages
Access control and override control
Certified Libraries
Connectivity and Interfacing
ABB Control systems
3rd party software and control systems
Diagnostics
Small Independent HI system with engineering and DCS
© ABB Group
September 17, 2018 | Slide 4

5. Certificates High Integrity ABB Safety Certificates
Product Safety Certificate
Development Department Safety Certificate
Safety Manual
TÜV certification for the hardware, software and development organization
© ABB Group
September 17, 2018 | Slide 5

6. Certificates AC800M High Integrity – Meets Industry Standards
AC800M HI Controller – SIL 1- 3 / CAT PLe 1-4 certified
S800 Safety I/O (AI, DI, DO) – SIL 1-3 / CAT PLe 1-4 certified
I/O Communication – SIL 1-3 / CAT PLe 1-4 certified
System certified to IEC61508, IEC61511 / ISA84, EN54/NFPA72, NFPA85, NFPA86
Additional I/O and communication modules – certified as interference-free* (*Listed in safety manual)
© ABB Group
September 17, 2018 | Slide 6

7. Diversity vs. Architecture

8. 1st Generation Logic Solver Architectures
Duplex
1oo2D
Triplex
2oo3
Quad (Bi-Duplex)
2oo4D

9. Independent HI – Standalone Architecture Diverse Architecture, Diverse ImplementationPM SM
Safety I/O SIL3
CB SIL3
AC800M HI SIL3
The SIL 3 High Integrity controller has parallel processing paths based on diverse technology
Integrity voting between paths compliments the built in active diagnostics
Controller (PM) and Safety Module (SM) developed by diverse (different) teams (Vasteras and Malmo, Sweden) and tested by a third team (Oslo, Norway) by people with different backgrounds
The two channel architecture meets SIL3 requirements for hardware fault detection and reaction
1oo1D
1oo2D
< 60
SFF (%)
SIL 3
SIL 2
SIL 1 1
SIL 4
HFT
> 99
IEC Table 3
Safety I/O will go to safe state if PM and SM ends up with different result from 1131 application execution
Non-SIL and SIL1-2 applications still only execute in PM (no changes from previous SIL2 version)
Safety Measures: Source Code Report, Difference Report, Latency supervision, VMT, CTA, MMU, RAM test, CPU test, Modulebus telegram storage in FPGA, System software integrity, Sequence verification, …
Highlight the extensive use of diversity of technoglogy, design teams and validation teams as a powerful and effective way to reduce the potential of common cause failures and maintain an integrated environment
© ABB Group
September 17, 2018 | Slide 9

10. Independent High Integrity Application Execution
Safety Module SM
I/O-Data
Superv. Logic
CEX Bus
ModuleBus
I/O-Data+CRC
1131 SIL3
Processing Module PM
Safety I/O
Diverse Exec.
Parallel diverse execution allows a hardware fault tolerance of 1 for SIL3 applications
HFT = 1 (SIL 3 Execution)
SFF
Hardware fault tolerance 1 2
< 60 %
Not allowed
SIL 1
SIL 2
60 % - < 90 %
SIL 3
90 % - < 99 %
SIL 4
≥ 99 %
IEC , Table 3
© ABB Group
September 17, 2018 | Slide 10

11. Independent High Integrity Safe Failure Fraction (SFF)
Modern design techniques allows the AC800M HI achieve near 100% diagnostics coverage without needing to resort to use HFT factors to reduce PFD
AC800M HI controller does not rely on voting schemes like TMR to increase the safety integrity
SFF
Hardware fault tolerance 1 2
< 60 %
Not allowed
SIL 1
SIL 2
60 % - < 90 %
SIL 3
90 % - < 99 %
SIL 4
≥ 99 %
A triple system that claims 100% diagnostic cover (and there are some that do) gains nothing by way of integrity from the triplicated architecture. In fact one might argue that the increased components necessary to build a triple system, reduces the systems reliability.
Systematic integrity of 800xA HI prevents us to get SIL 3 just based on SFF
IEC , Table 3
© ABB Group
September 17, 2018 | Slide 11

12. S880 High Integrity I/O Family Features with Embedded Diversity
Single and Redundant configuration
Hot Insertion and Hot Swap in redundant configuration
G3 Coating
EX certified – Zone 2, Class 1 according to US standard
Embedded Diversity
Two diverse execution paths based on different hardware technology
Both MCU and FPGA
Each individual single IO module has an internal 1oo2 architecture
© ABB Group
September 17, 2018 | Slide 13

13. Use of Redundancy

14. Meet SIL 3 Criteria without Redundancy Single Configuration
SM PM865
TB840
Single I/O AI8880, DI880 and DO880
© ABB Group
September 17, 2018 | Slide 15

15. AC800M High Integrity Redundant Controller Configuration for Availability
AC800M High Integrity offers availability figures comparable to or better than typical TMR systems
Availability up to %
Redundancy and switch-over to stand-by unit allow continuous operation without time restriction upon failure of one of the redundant modules
4 CPUs
Reliability = Safety Integrity = Likelihood of an SIS achieving safety functions under all the states conditions within a stated period of time (systematic failures)
Availability = Redundancy = Protects from random hardware failures
Note: Redundancy does not affect the reliability of the SIS
© ABB Group
September 17, 2018 | Slide 16

16. Security

17. Security Safety Module Security and Indication
Reset All Forces – Enable a quick reset of all forces in the controller
Access Enable – Activates the access enable function
Hot insert – Initiates hot insertion of SM811 (in redundant configuration)
Force Indicator – Active if one or more signals are in force
System Alarm Indicator – Active if there are one or more system alarms C P C P
“Reset all forces”
Hot Insert
Force Indicator
System Alarm
© ABB Group
September 17, 2018 | Slide 18

18. Independent High Integrity System Security And Embedded Firewalls*
Based Windows security model with:
Configurable restrictions per user
Auditing
Authentication and Digital signature
Functions for protection of SIL classified applications in AC800M HI Controllers
SIL Access Control and Authorization
Force Control / Override Control / Bypass Management
Confirmed Online Write / Confirmed Operation
Embedded firewalls and confirmation procedures protect the SIL application from inadvertent / accidental control actions
Access Management
Access Management is a set of functions that may be divided in the two following main branches: • Access Control, • Override Control
Access Control
AC 800M HI controller need to be able to communicate with other safety controllers and with process control systems on the same network. This enables use of common HSI facilities and introduces the possibility of connecting external equipment used in the process operation and production monitoring also to the safety system. Undesired access is therefore necessary to avoid, by implementing an access control function.
User Re-authentication and Double Authentication
Re-authentication can be optionally used for critical operations such as writes to the control system, batch operations, and configuration changes. This option forces the user to re-supply his/her user credentials before the operation is executed.
A double authentication may also be optionally used. In this case an additional person who has the respective secondary authentication authority has to give username and password in order to approve the operation.
(1. User re-authentication and double authentication are together with user log-over, see User log-over on page 42, called Advanced Access Control in price lists, etc.)
Override Control
The use of override functions in safety related equipment introduces a potential hazard to the installation and to the people it is designed to secure. Any force of a safety critical input or output represents a degradation of the safety level and a possibility for failure on demand. Nevertheless, such functions are necessary to gain a reasonable availability of the process. All field equipment needs maintenance or replacement at regular intervals and this is included in the design of the safety system regarding e.g. number, wiring and location of field instruments. In these cases the safety level may be maintained
by other measures, while necessary maintenance operations are carried out. Access management enable project/application specific configuration of the appropriate level of restrictions regarding operation of the AC 800M HI controllers
and have the following functionality:
• Setting forced I/O points in an application will be restricted by the access control mechanisms. The override control restricts the number of concurrent forced I/O points
• User configurable maximum number of forced I/O points in the application when programming a SIL application in the Control Builder M
• The Access Management system software will keep track of the number of forced I/O points for each application as well as make the figures visible
• If the maximum number of forced I/O points is reached, the user will be notified by a system event and the force will not be set
• System event or alarm upon force (operator write actions)
• Audit trail
//// Text from the overview.
Access Control to SIL applications includes functionality for configuration, operations and maintenance. When designing a SIL application, each safety object is given an applicable access level; Read Only, Confirm or Confirm and Access Enable. In Operations, these SIL access levels are automatically enabled. However for the highest access level, a physical input must be enabled to secure authorized access. When Access Enable is active, permission is given to make online changes in the SIL application.
Confirm Operation, together with Access Control, is the embedded firewall mechanism for safe access of object variables during operation and maintenance.
Force Control, Override Control, or Bypass Management functionality is necessary to maintain availability of the process in many situations, for example during automatic startup or maintenance of SIS related field equipment.
The Force Control in the AC 800xA HI follows the lifecycle of the SIS. During design of a SIL application, the safety engineer defines the maximum number of concurrent forced inputs and outputs. During operations and maintenance, the Access Management SW keeps track of the active number of forced I/O points. This information is presented via the safety operator's personalized workplace. To meet regulatory compliance, a Digital Input is embedded in the SIS for Reset of all forces. In case it is not possible to reset, the operator may reset all forces through the workplace. An output “Any Force Active” feedback signal is also available.
* Possible via Remote Desktop to Engineering Station
© ABB Group
September 17, 2018 | Slide 19

19. Security Roles & Responsabilities
Users can be assigned with different permissions according to their responsabilities
Restriction of access to the SIS (engineering and operation from Engineering Station)
High flexibility
© ABB Group
September 17, 2018 | Slide 20

20. Security Audit Trail
Enables audit of all operator and engineering actions
Possible to disabled during commissioning
Audit actions examples
Configuration changed
Signal forced
Download
Reserved/Released
Audit log contains:
Date and time for the operation
Node from which the operation was performed
User name of the individual performing the operation
Type of operation
Object, property or aspect affected by the operation
© ABB Group
September 17, 2018 | Slide 21

21. Connectivity & Interfacing

22. Independent High Integrity Connectivity and Interfacing
Available protocols…
Safety Peer to Peer
OPC
ABB protocols
Modbus TCP *
RS232 *
..to connect to..
AC800M HI controllers
Process panels
ABB or 3rd party DCS & PLC
3rd party HMI software
* Planned for a future release
© ABB Group
September 17, 2018 | Slide 23

23. Independent High Integrity Communication Interfaces
Communication certified “interference free”
Not intended for a safety critical functions
All certified interference free modules listed in the ABB Safety Manual
CI854A – PROFIBUS DP/V1
CI853 – RS-232
CI855 – MasterBus 300
CI856 – S100 I/O
CI857 - INSUM
CI867 – ModBus TCP
CI868 – IEC 61850
For information on available communication interfaces refer to the user manual
800xA - Control and I/O, Communication.
The communication interfaces CI851, CI852, CI858, CI860 and CI862 are not available in the AC 800M HI controller.
The SM811 occupies one of the twelve available slots
© ABB Group
September 17, 2018 | Slide 24

24. Freelance and Independent High Integrity (HI) Solution Example
Modbus
Essential Automation Freelance System:
One AC 900F controller to process approximately 400 I/O signals,
One engineer station combined with operator station
S700 I/O or S800 remote I/O or S900 I/O contact main controller via Profibus DP
Redundant Ethernet (Optional)
Independent High Integrity (HI) SIL3/SIL2 Application
1 AC 800M HI controller to process 350 I/O signals
S800 HI I/O
One Control Builder Engineering Station
Connectivity and Interfacing
OPC (preferred for SIS supervision)
Alternative communication module CI853 (RS-232) via Modbus to interface to Freelance AC 900F Controller
The Independent HI system is comes with all of the necessary communications options and connectivity required to connect to just about any system. The connectivity options include:
• AC 800M Connect for engineering and test
• OPC Client Connection for OPC DA connectivity
A Successful Case Study: In Oct 2013, ABB in China successfully executed the expansion project with Freelance and Independent High Integrity Safety System (SIS) for Zhongda China Petrol Company refinery (annual capacity 800K tons crude oil) located in the Kyrghyz Republic

25. Systematic Capabilities: Engineering

26. Engineering SIL Compliant Application Environment
Engineering tool automatically limits user configuration choices to ensure integrity
Safety functions protect and control download to the process and runtime environment
Download is prevented unless all SIL requirements are met
Embedded firewall mechanisms include:
CRC protection on different levels
Double code generation with comparison
Compiler with revalidation
© ABB Group
September 17, 2018 | Slide 27

27. Engineering Compiler Restrictions
The compiler warns and / or prevents the engineer from designing dangerous code
For example complex code structures, loops etc
The compiler checks that all restrictions and rules necessary to achieve the intended SIL of the application are adhered to
An error is reported when a rule is violated and the attempted download to the controller is blocked
© ABB Group
September 17, 2018 | Slide 28

28. Engineering On-line changes
Online changes can be downloaded to the controller without interfering with the running process
FB/CM parameters (e.g. trip limit)
Hardware settings (e.g. ISP value)
Logic
Downloads are protected by the “Access enable” function
Re-authentication can be configured to ensure that the user is authorized
This is also recorded in the audit trail
© ABB Group
September 17, 2018 | Slide 29

29. Engineering Difference Report
Reports the differences between the project running in the controller and the project in the Control Builder M
Presented before download to the controller
Changes may be rejected (in which case the download is cancelled)
Each difference report is saved and stored automatically and can be reviewed at any time
This, together with audit trail functionality and more, provides a well documented and traceable history
© ABB Group
September 17, 2018 | Slide 30

30. Engineering Certified Libraries
System
AlarmEventLib
BasicLib
FireGasLib
MMSCommLib
ProcessObjBasicLib
ProcessObjExtLib
SerialCommLib
SignalBasicLib
SignalLib
SignalSupportLib
SupervisionBasicLib
SupervisionLib
© ABB Group
September 17, 2018 | Slide 31

31. Engineering SIL Applications
Supported Languages
SIL2
SIL3
Function Block X
Structured Text
Sequential Function Chart
SIL level can be configured independently by application
Supported languages
Control Modules
IEC
© ABB Group
September 17, 2018 | Slide 32

32. Systematic Capabilities: Maintenance

33. Maintenance Force Control
The AC 800M HI supports supervision and control over the forces in SIL classified applications
Each SIL application has a configurable maximum number of allowed forces (0 by default)
Offers easy overview of the current status of the SIS and the ability to quickly restore all safety functions to full functionality
Hardware signals
Reset All Forces (Input)
Any Force Active (Output)
ForcedSignals FB
Force supervision and reset
SIL3 certified
© ABB Group
September 17, 2018 | Slide 34

34. Maintenance Inhibit Avoid spurious trips during maintenance procedures
Inhibit action limits
Alarms will be shown to the operator but no safety action will be taken
Configurable automatic reset of all overrides with the Maintenance Engineer confirmation
© ABB Group
September 17, 2018 | Slide 35

35. Safety Product Offering Independent High Integrity
HI Hardware
TUV certified SIL 3 controller (PM865/SM811)
24 VDC DC I/O and ma Analog inputs
Control Builder Safe
Engineering
IEC1131 languages
Access control and override control
Certified Libraries
Connectivity and Interfacing
ABB Control systems
3rd party software and control systems
Diagnostics
Small Independent HI system with engineering and DCS
© ABB Group
September 17, 2018 | Slide 36

36. Safety Product Offering
Conclusion
ABB’s High Integrity safety offerings are TUV certified to the most recent version of the standards (IEC Edition 2)
We rely on diversity, not architecture, to meet SIL
i.e. you aren’t paying for unnecessary redundancy
Our architecture is very flexible, you can have:
Integrated (same hardware, network etc.)
Combined (same controller)
Single or redundant controller configuration
Interfaced with any HMI or DCS (Independent HI)
High Integrity is accepted (approved) by most major Oil & Gas companies
ABB has expertise, support and partners all over the world
ABB‘s High Integrity safety system is certified by TUV for SIL3 operations in a single configuration. This makes it possible to implement almost any type of network architecture that a customer specifies. With the market focus on safety instead of architecture, HI is now suitable for many projects where TMR was previously preferred. We have many examples throughout the world where we have been able to win over TMR technology (see team space for applicable white paper).
In many competitive situations, our modern technology, integration with 800xA and end user acceptance have enabled us to win projects. An emerging trend for some end users is to focus more on long term lifecycle costs rather than specific technical features, this also provides an advantage for HI due to the inherent value of our integrated control and safety system.

37. © ABB Group
September 17, 2018 | Slide 38