If the primary unit fails because of an error, the backup unit resumes execution from the last rollback point, which means the last execution unit is partially re-executed by the backup unit. In order to re-execute a portion of the execution unit without affecting the peripheral units (communication units on the CEX-Bus), the peripheral units' references are also logged between rollback points. During re-execution, the results of the peripheral units' references that have already been executed are taken from the log rather than being executed again: the results of read operations are retrieved from the log, and write operations pass without execution, since they have already been executed. The peripheral units' statuses are therefore not affected by the re-execution in any way, except for the time delay that occurs.
The RAM included in the processor unit provides an automatic double inverted memory function for detection of arbitrary bit errors in the memory.
• All memory updates are written to both the primary memory and to the inverted memory in parallel.
• At every memory read cycle, the data from the two memories is compared.
• If there is a mismatch in the data a changeover is forced. The double inverted memory handling is done in hardware and without any delay to the memory cycle time.
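A software model of the double inverted memory, added here as an illustration and not taken from the document (word width, fault model and class names are constructed). It also shows why the second copy is inverted rather than a plain duplicate: a data bit stuck at 0 on both arrays still produces a mismatch, because for every bit exactly one of the two arrays holds a 1.

```python
WORD = 0xFFFF   # constructed 16-bit word width

class DoubleInvertedRAM:
    """Writes land in both arrays in parallel; reads compare them and force a changeover on mismatch."""
    def __init__(self, words: int):
        self.mem, self.inv = [0] * words, [WORD] * words
        self.changeover = False
    def write(self, addr: int, val: int) -> None:
        self.mem[addr] = val & WORD
        self.inv[addr] = (val & WORD) ^ WORD           # second array holds the inverted value
    def read(self, addr: int) -> int:
        if (self.mem[addr] ^ WORD) != self.inv[addr]:
            self.changeover = True                     # hardware would switch to the backup CPU here
            raise MemoryError(f"memory mismatch at {addr:#x}")
        return self.mem[addr]
    def stuck_at_zero(self, addr: int, bit: int) -> None:
        """Constructed fault: one data bit reads as 0 from both arrays, as a stuck line would."""
        self.mem[addr] &= ~(1 << bit) & WORD
        self.inv[addr] &= ~(1 << bit) & WORD

class PlainDuplicateRAM(DoubleInvertedRAM):
    """Same layout but the second copy is not inverted, to show what inversion buys."""
    def write(self, addr: int, val: int) -> None:
        self.mem[addr] = self.inv[addr] = val & WORD
    def read(self, addr: int) -> int:
        if self.mem[addr] != self.inv[addr]:
            self.changeover = True
            raise MemoryError(f"memory mismatch at {addr:#x}")
        return self.mem[addr]

def detects_stuck_bit(ram_cls, bit: int) -> bool:
    """True if a stuck-at-0 fault on the given data bit is caught at the next read."""
    ram = ram_cls(4)
    ram.write(1, 0x1234)
    ram.stuck_at_zero(1, bit)
    try:
        ram.read(1)
        return False
    except MemoryError:
        return ram.changeover
```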
MAC and IP Address Handling in Redundant Configuration
In order to provide for a bumpless changeover with respect to the control network, both the MAC and IP addresses are swapped between the initial primary and backup CPUs. The addresses of the initial primary CPU are stored and kept as the addresses used by the acting primary CPU. Similarly, the addresses of the initial backup CPU are stored to be used by the acting backup CPU. This means that a redundant controller will always be identified and recognized by the same addresses, regardless of which CPU module is actually acting as primary.
The following characteristics of the MAC and IP address handling should be considered in order to avoid network problems while reusing previously used CPU modules within the same plant:
• The stored swap addresses will be remembered until erased by an IP-config session (Restore factory settings) or until the module is started up as a backup CPU in a new context (in this case a new swap will take place).
• A CPU running in standalone mode (with RCU terminator fitted) will always use its own native addresses.
AC 800M High Integrity
AC 800M can easily be configured for use in safety-critical applications. The main components of such a system are PM865, SM810/SM811, SS823 and the S800 I/O High Integrity, running a High Integrity version of Control Software. The PM865 processor unit has increased internal diagnostics compared to PM864. The added functionality on PM865 includes:
• Double over voltage protection on internal voltages
• An additional watchdog timer updated with data from SM810/SM811
• Increased oscillator supervision
• Support for S800 I/O High Integrity
• Support for SM810/SM811
• Increased system diagnostics and online self-tests.
The following CEX modules cannot be used in a High Integrity controller: CI851, CI852, CI858, CI860, CI862 and CI865.
The main function of the SM810 is to act as a monitor for the HW and SW execution of PM865; these two modules together form a SIL2 compliant system according to IEC61508, certified by TÜV. The SM810 runs a SIL3 certified operating system and has a high degree of self-diagnostics including, for example:
• Double and inverted memory
• Double over voltage protection on internal voltages
• Two independent watchdog timers
• Oscillator supervision
• CRC on firmware and data storage
An SM811 operates like an SM810 for SIL2 but can also, together with the PM865, form a controller compliant with SIL3 according to IEC61508, certified by TÜV.
The ModuleBus telegrams used in a High Integrity system with the S800 High Integrity modules use the concept of long frames. Long frames are ModuleBus telegrams extended with a safety header comprising additional diagnostics data and a CRC32. S800 ModuleBus telegrams sent to the S800 I/O High Integrity modules use data from the PM865 and an inverted CRC32 from the SM810/SM811. The I/O module checks that the safety header is correct. Data received from the S800 I/O High Integrity modules over the ModuleBus has its safety header independently verified by both the SM810/SM811 and the PM865. Any CRC32 or other fault in the safety header results in a retransmission and, if repeated, a shutdown of the faulty S800 I/O High Integrity module.
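The long-frame safety header and the retry-then-shutdown behaviour, as an added model that is not ABB's ModuleBus code: the frame layout (one diagnostics byte, a big-endian inverted CRC32, then the payload), the single-retry policy and the fault injection are all assumptions made for the example. The CRC is computed by the SM role over data the PM role supplies, and the I/O side checks that the two agree.

```python
import struct
import zlib

CRC_MASK = 0xFFFFFFFF
# Constructed layout (assumption, not the real ModuleBus format): diag (1) | inverted CRC32 (4, BE) | payload

def sm_inverted_crc(diag: bytes, data: bytes) -> int:
    """Role of SM810/SM811: compute the CRC32 independently and hand back its inverse."""
    return zlib.crc32(diag + data) ^ CRC_MASK

def build_long_frame(data: bytes, seq: int) -> bytes:
    """Role of PM865: supply the payload and assemble the frame around the SM's inverted CRC."""
    diag = struct.pack(">B", seq & 0xFF)              # constructed diagnostics field
    return diag + struct.pack(">I", sm_inverted_crc(diag, data)) + data

def safety_header_ok(frame: bytes) -> bool:
    """The check an I/O module (or, on the receive path, PM865 and SM independently) performs."""
    if len(frame) < 5:
        return False
    diag, inv_crc, data = frame[:1], struct.unpack(">I", frame[1:5])[0], frame[5:]
    return (zlib.crc32(diag + data) ^ CRC_MASK) == inv_crc

class HighIntegrityIO:
    """Receiver that asks for a retransmission on a bad safety header and shuts down if it repeats."""
    def __init__(self, retries: int = 1):
        self.retries, self.shut_down, self.accepted = retries, False, []
    def receive(self, transmit) -> str:
        for _ in range(self.retries + 1):
            frame = transmit()                        # each call is one transmission attempt
            if safety_header_ok(frame):
                self.accepted.append(frame[5:])
                return "accepted"
        self.shut_down = True                          # fault repeated: module taken out of service
        return "shutdown"

def flip_bit(frame: bytes, bit: int) -> bytes:
    """Constructed fault injection on the wire, after the header was built."""
    corrupted = bytearray(frame)
    corrupted[bit // 8] ^= 1 << (bit % 8)
    return bytes(corrupted)

def transient_fault_demo() -> str:
    good = build_long_frame(b"\x01\x02\x03\x04", seq=7)
    attempts = iter([flip_bit(good, 45), good])       # first copy corrupted, retry is clean
    return HighIntegrityIO().receive(lambda: next(attempts))

def persistent_fault_demo() -> tuple:
    good = build_long_frame(b"\x01\x02\x03\x04", seq=8)
    io = HighIntegrityIO()
    return io.receive(lambda: flip_bit(good, 45)), io.shut_down
```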
Control Software
The software used by the AC 800M Controller is named Control Software. This name does not stand for a specific software package; it is merely a generic name for the scope of functions used in a controller. These functions are provided by:
• Hardware functions (supervision, communication buses, I/O buses)
• Firmware functions loaded into the controller (real time executive system, real time clock, redundant communication)