ABB AC 800M Controller Hardware PM866

Product Overview

AC 800M – General

AC 800M is a hardware platform comprising individual hardware units, which can be configured and programmed to perform multiple functions.

Once configured and programmed, the AC 800M effectively becomes the AC 800M or AC 800M HI controller.

The hardware units that form the AC 800M and AC 800M HI Controllers are:

• Processor units (including baseplate)

 (PM851/PM851A/PM856/PM856A/PM860/PM860A/PM861/PM861A/ PM864/PM864A/PM865/PM866/PM891) 

 • High Integrity Processor Unit (consists of PM865 and SM810/SM811 with corresponding baseplates) 

 • Communication interfaces for different protocols (including baseplates) (CI851/CI852/CI853/CI854/CI854A/CI855/CI856/CI857/CI858/CI860/ CI862/CI865/CI867/CI868/CI869/CI871/CI872/CI873) 

 • CEX-Bus Interconnection Unit (BC810) 

 • Power supply units, providing various power output levels SD831/SD832/SD833/SD834/SS823/SS832) 

 • Battery back-up unit (SB821/SB822) The SB821 is not supported with PM891.

PM851 is equivalent with PM856 unless stated otherwise. 

 PM851A is equivalent with PM851 unless stated otherwise. 

 PM856A is equivalent with PM856 unless stated otherwise. 

 PM860A is equivalent with PM860 unless stated otherwise 

 PM861A is equivalent to PM861 unless stated otherwise. 

 PM864A is equivalent to PM864 unless stated otherwise.

When equipped with the specified Control Software, the AC 800M Controller acts either as a stand-alone process controller, or as a controller performing local control tasks in a control network consisting of many interconnected controllers, operator stations and servers.

Various I/O systems can be connected to the AC 800M Controller, either directly (S800 I/O) or via PROFIBUS DP or FOUNDATION Fieldbus.

The AC 800M is delivered without Control Software. To provide the controller with Control Software, first load the firmware and then create the application separately using the Control Builder M engineering tool.

The AC 800M Controller consists of a selection of units mounted on horizontal DIN-rails, which can be housed within an enclosure. The majority of units consist of a base mounting plate and removable cover attached with screws.

The baseplate, which is always mounted onto the DIN-rail, carries the majority of the connections to processor, power supplies and communication interfaces, as well as the connections to the external buses and systems.

The AC 800M Controller provides a cost-effective, low-maintenance solution for applications ranging from small Programmable Logic Controller (PLC) to advanced Distributed Control Systems (DCS) control applications and combined DCS, and High Integrity systems control applications.

In the AC 800M High Integrity Controller, it is possible to run both non-SIL and SIL classified applications. The AC 800M HI consist of PM865, SM810/SM811 and a High Integrity version of Control Software, and is also available in redundant configuration. AC 800M HI requires the use of SIL certified S800 I/O units in SIL 

PM8xx/TP830 Processor Unit – General

The topic does not apply to PM891. See PM891 Processor Unit – General on page 40. Physically the PM8xx/TP830 Processor Unit consists of two basic parts: 

 • Processor Unit (PM851/PM851A/PM856/PM856A/PM860/PM860A/PM861/PM861A/ PM864/PM864A/PM865/PM866) with processor and Power Supply boards. 

 • Baseplate (TP830), housing the unit termination board.

For the Functional Block Diagram, see Figure 4 on page 35 and Figure 5 on page 36. The CPU board contains the microprocessor and the RAM memory, controllers for all built-in communication interfaces, real-time clock, LED indicators, INIT push button and a Compact Flash interface.

The main function of the power supply board is to generate isolated, circuit-proof +5 V and +3.3 V supplies to the CPU and I/O units. The board also contains opto isolated RS-232C drivers/receivers for the service port, together with a back-up battery holder for memory/real time clock, (RTC).

The termination board, housed in the TP830 Baseplate, is where the majority of the external connections terminates. The board is grounded to the DIN-rail through of the metallic components of the housing. The termination board is provided with screw terminals for power supply and redundant power supply monitoring, with RJ45 connectors for the control network and serial port, a connector for the service port, the electrical ModuleBus and the CEX-Bus.

The 24 V DC supply, connected to the TP830 Baseplate, powers all the units on the CEX-Bus and the electrical ModuleBus.

In single CPU configuration, it is possible to connect an S800 I/O cluster directly to the built-in electrical ModuleBus plug located on the right hand side of the TP830 Baseplate. The processor unit has a communication expansion bus connector located on the left-hand side of the TP830 Baseplate. This CEX-Bus provides for extending the on-board communication ports with additional communication interfaces.

PROFIBUS DP, FOUNDATION Fieldbus H1, FOUNDATION Fieldbus High Speed Ethernet and dual RS-232C ports are some examples of unit types available for connection to the CEX-Bus. It is possible to use redundant communication interfaces, for example PROFIBUS DP. Figure 6 on page 38 provides examples of various ways to connect the S800 I/O units. It can be seen, at the top right-hand area of Figure 6 on page 38, that one cluster (or group) of units (maximum number of units per cluster is 12) is connected to the electrical ModuleBus of an AC 800M Controller. However, a further seven clusters (each comprising up to 12 units) can be added to the optical ModuleBus, thus achieving a total count of 96 units per AC 800M Controller when using only the ModuleBus. Connecting S800 I/O units (using the ModuleBus) to an AC 800M Controller mounted with a PM851/PM851A processor unit is restricted to, one electrical ModuleBus cluster and one optical ModuleBus cluster. To the left on Figure 6 on page 38, there is a PROFIBUS DP segment. This allows for a large increase in the numbers of units connected to each AC 800M Controller. Here the segment is shown as having an FCI unit (type CI801), connected to the PROFIBUS DP network. The use of FCI units allows the selection of units from several I/O families. Figure 7 on page 39 shows another example for I/O units based on a FOUNDATION Fieldbus High Speed Ethernet (FF HSE). For further examples refer to the relevant documentation for the I/O system in question.

PM891 Processor Unit – General

PM891 is a high performance controller, which is capable of handling applications with high requirements.

PM891 connects to the S800 I/O system through the optical Modulebus. It can act as a stand-alone Process Controller, or as a controller performing local control tasks in a control network.

Two PM891 controllers can function together as a redundant pair, with one PM891 acting as the primary controller and the other acting as the backup. The backup controller takes over the process controller tasks if any hardware error occurs in the primary controller.

The control network connectivity is obtained by two built in IEEE802.3 Ethernet channels on PM891.

PM891 also provides a communication expansion bus (CEX-Bus) to which a number of expansion modules can be connected. These modules offers connectivity to a wide range of field bus and I/O systems. In case of a redundant pair, both PM891s are connected to the same CEX-Bus and one of them can control the modules.

Physically, the PM891 Processor Unit consists of: 

 • Connector for power supply and status signals (L+, L-, SA, SB).

 • DB25 connector for Electrical CEX-Bus.

• External battery connector. 

 • RJ45 connectors for the two Ethernet channels. 

 • One C om p ort . 

 • Optical Modulebus connector for connection to a maximum of seven clusters, with 12 non-redundant or six redundant modules (that is, 7x12 = 84 modules). 

 • Connectors for Redundancy Link. 

 • SD (Secure Digital) memory connector. 

 • LEDs. 

 • Pushbutton reset switch.

PM891/PM86x/TP830 Processor Unit – Redundancy

Processor unit redundancy is available for PM861, PM864, PM865, PM866, and PM891. In this case, the controller contains two processor units, each including memory for system and application software. One unit is acting as primary, the other is backup (hot stand-by). The primary processor unit controls the process. The backup stands by, ready to take over in case of a fault in the primary. The changeover is done bumplessly and in less than 10 ms. During the changeover, the process outputs are frozen.

Following a changeover, the system operates as a system without redundancy with only one processor unit in operation. You can replace the malfunctioning processor unit while the system is running. After the replacement is carried out, the system once again has a redundant processor unit.

If an error arises in the backup unit, you can also replace the backup unit while the system is running.

Errors which occur in the backup unit can never affect the primary unit's operation. The primary unit and the backup unit are logically separated from one another. Hardware errors in the primary processor unit cause the system to perform a correct changeover. These hardware errors are single errors.

The application programming and the communication are totally unaffected by the redundancy.

PM86x/TP830 Redundancy

The serial port, COM3 on the baseplate TP830, cannot be used in redundant CPU configuration.

The PM861/PM864/PM865/PM866 has an RCU Link Connector for connecting the RCU Link Cable (see Figure 2 on page 32). In a redundant system the two processor units are linked together with the RCU Link Cable (max 1 m). Both processor units are also connected to the same CEX-Bus and either of the two can control the expansion units (see Figure 29 on page 93).

S800 I/O units are connected to the two CPUs via the optical ModuleBus and two TB840 cluster modems on each S800 I/O cluster (see Figure 55 on page 161). The built-in electrical ModuleBus on the TP830 baseplate cannot be used for connecting S800 I/O in a redundant system.

PM891 Redundancy

The Redundancy Link in PM891 consists of two physical links. These are the 

 RCU Data Link and the RCU Control Link. The RCU Data Link is a fast communication channel used to transfer the data required to keep the backup CPU synchronized with the primary CPU. 

 TK855 RCU Data Link Cable is used for the data link. The RCU Control Link is used for role selection and CPU identity assignment (UPPER/LOWER). 

 TK856 RCU Control Link Cable is used for the control link.

Fault Tolerance Principle

The principle of fault tolerance in the redundant processor units is based on continuous updating of the backup unit to the same status as the primary unit. This enables the backup unit to assume control without affecting surrounding systems in a bumpless manner. This principle involves dynamic division of the program execution into execution units and the creation of rollback points at which the processor unit's status is completely defined. In this context, the processor unit's total status is defined as the processor unit's internal status, that is, the contents of the processor registers, plus the contents of the data memory. The backup unit's status is updated each time the primary unit passes a rollback point, enabling the backup unit to resume program execution from the last rollback point passed, should the primary unit fail due to error. In order to minimize the amount of information involved in the update, the backup unit is updated only with the changes taking place since the latest rollback point. Between rollback points, these changes that writes in the data memory, are stored in a log buffer in the backup unit. At a rollback point, the processor's total register contents are also written into the data memory, so that this information is also logged. Once the rollback point is established, the logged write operations are transferred to the backup unit's data memory.

If the primary unit fails because of an error, the backup unit resumes execution from the last rollback point, which means the last execution unit is partially re-executed by the backup unit. In order to re-execute a portion of the execution unit without affecting the peripheral units (communication units on the CEX-Bus), the peripheral units' references are also logged between rollback points. During re-execution, the results of the peripheral units' references, which have already been executed, are used, rather than re-executing them. The results of read operations are retrieved from the log, and write operations pass without execution, since they have already been executed. The peripheral units' statuses, then, are not affected by the re execution in any way, except for the time delay which occurs.

The RAM included in the processor unit provides an automatic double inverted memory function for detection of arbitrary bit errors in the memory.

• All memory updates are written to both the primary memory and to the inverted memory in parallel. 

 • At every memory read cycle, the data from tho two memories is compared. 

 • If there is a mismatch in the data a changeover is forced. The double inverted memory handling is done in hardware and without any delay to the memory cycle time.

MAC and IP Address Handling in Redundant Configuration

In order to provide for a bumpless changeover with respect to the control network, both the MAC and IP addresses are swapped between the initial primary and backup CPUs. The addresses of the initial primary CPU are stored and kept as the addresses used by the acting primary CPU. Similarly the addresses of the initial backup CPU are stored to be used by the acting backup CPU. This means that a redundant controller will be always identified and recognized by the same addresses regardless of which CPU module actually acting as primary.

The following characteristics of the MAC and IP address handling should be considered in order to avoid network problems while reusing previously used CPU modules within the same plant: 

 • The stored swap addresses will be remembered until erased by an IP-config session (Restore factory settings) or until started up as a backup CPU in new context (in this case a new swap will take place). 

 • A CPU running in standalone mode (with RCU terminator fitted) will always use its own native addresses

AC 800M High Integrity

AC 800M can easily be configured for usage in safety critical applications. The main components of such a system are PM865, SM810/SM811, SS823 and the S800 I/O High Integrity, running a High Integrity version of Control Software. The PM865 processor unit has increased internal diagnostics, compared to PM864. The added functionality on PM865 includes: 

 • Double over voltage protection on internal voltages 

 • A additional watchdog timer updated with data from SM810/SM811 

 • Increased oscillator supervision 

 • Support for S800 I/O High Integrity 

 • Support for SM810/SM811

 • Increased system diagnostic and online self tests.

The following CEX modules cannot be used in a High Integrity controller: CI851, CI852, CI858, CI860, CI862 and CI865.

The main function of the SM810 is to act as a monitor for the HW and SW execution of PM865 and these two modules together are a SIL2 compliant system according to IEC61508, certified by TÜV. The SM810 is running a SIL3 certified operating system and have a high degree of self-diagnostic including, for example: 

 • Double and inverted memory 

 • Double over voltage protection on internal voltages 

 • Two independent watchdog timers

• Oscillator supervision 

 • CRC on firmware and data storage An SM811 operates like an SM810 for SIL2 but can also together with the PM865 form a controller compliant with SIL3 according to IEC61508, certified by TÜV. The ModuleBus telegrams used in a High Integrity system with the S800 High Integrity modules use the concept of long frames. Long frames are ModuleBus telegrams that are extended with a safety header, comprising additional diagnostics data and CRC32. S800 ModuleBus telegrams sent to the S800 I/O High Integrity modules uses data from the PM865 and an inverted CRC32 from the SM810/SM811. The I/O module checks that the safety header is correct. Data received from the S800 I/O High Integrity modules over the ModuleBus have the safety header independently verified by both SM810/SM811 and PM865. Any CRC32 or other faults in the safety header will result in a retry transmission and, if repeated, a shutdown of the faulty S800 I/O High Integrity module.

Control Software

The software used by the AC 800M Controller is named Control Software. This name does not stand for a specific software package; is merely a generic name for the scope of functions used in a controller. These functions are provided by: 

 • Hardware functions (supervision, communication buses, I/O buses) 

 • Firmware functions loaded into the controller (real time executive system, real time clock, redundant communication) 

 • Application programs loaded into the controller (library functions, communication protocols).

To produce an application, it is necessary to use the Control Builder M tool. This tool is extremely versatile, having many useful functions in addition to system configuration.

Ethernet Address for PM8xx (Except PM891)

Each TP830 Baseplate is provided with a unique Ethernet address that provides every CPU with a hardware identity. This functionality takes the form of two identification addresses residing in the  non-volatile memory of the TP830 Baseplate. The lowest address (a 12 character Hex code) is located on an adhesive label attached to the TP830 Baseplate. The remaining address is the lowest +1. See Figure 14 on page 53 for label location details. See software documentation for details on loading the software and using Ethernet address.

Ethernet Address for PM891

Each PM891 unit is provided with a unique Ethernet address that provides hardware identity to the unit. This functionality takes the form of two identification addresses residing in the  non-volatile memory of PM891. The lowest address (a 12 character Hex code) is located on an adhesive label attached to the cover of PM891 unit. The remaining address is the lowest +1. See Figure 15 on page 55 for label location details of PM891. See software documentation for details on loading the software and using Ethernet address.

AC 800M Controller – Key Features

• Modularity, allowing for step-by-step expansion. 

 • Simple DIN-rail attachment/detachment procedures, using a unique slide and lock mechanism. 

 • Fast, simple troubleshooting procedures available via unit/channel LEDs. 

 • IP20 Class protection with no requirement for enclosures. 

 • Allows for the use of low-cost, sealed enclosures due to extremely low unit heat dissipation, even at an ambient temperature of 40 C (104 F) outside the enclosure. 

 • All units are fully EMC certified. 

 • Connection of up to 192 I/O signals, via Electrical ModuleBus, is available. 

 • Connection of up to 1344 I/O signals, via Optical ModuleBus, is available. 

 • Connection of S100 I/O is available. 

 • Connection of Satt I/O is available. 

 • Allows connecting a large number of I/Os, via PROFIBUS DP. 

 • Connection to FOUNDATION Fieldbus High Speed Ethernet (FF HSE). 

 • Connection to Modbus TCP. • Connection to IEC 61850. 

 • Connection to Advant Fieldbus 100. 

 • Connection to MOD5-to-MOD5. 

 • Connection to PROFINET IO. 

 • Connection to EtherNet/IP. 

 • Allows connecting custom protocols of a large amount of Serial communication RS-232C ports. 

 • Connection to MasterBus 300 Networks. 

 • Connection to INSUM via Gateway (Ethernet/LON). 

 • Connection to ABB Drives is available, over DriveBus and ModuleBus.

• Built-in battery backup of memory (except for PM891 that uses external battery backup only). 

 • External battery backup. 

 • CPU Redundancy (PM861/PM864/PM865/PM866/PM891). 

 • Redundant/sectioned CEX-Bus using a pair of BC810. 

 • Safety Integrity Level 2 certified controller using PM865/SM810/SM811. 

 • Safety Integrity Level 3 certified controller using PM865/SM811 

 • Support for hot swap of CEX-Bus units.

ABB AI610

ABB AI625

ABB AI835

ABB AO610

ABB AX411/50001

ABB BB510(DC5256)

ABB BRC300

ABB CI520V1

ABB CI610

ABB CI615

ABB CI626

ABB CI626V1

ABB CI627

ABB CI810B

ABB CP450-T-ETH

ABB CR-M4LS

ABB D-20-0-1102

ABB DAI03

ABB DAO01

ABB DCP02

ABB DCP10

ABB DDI01

ABB DDI03

ABB DDO01

ABB DDO02

ABB DI610

ABB DI620

ABB DI814

ABB DLM01