
System 800xA Safety
AC 800M High Integrity
Reliability and Availability
System Version 5.1
NOTICE
This document contains information about one or more ABB products and may include a description of or a reference to one or more standards that may be generally relevant to the ABB products. The presence of any such description of a standard or reference to a standard is not a representation that all of the ABB products referenced in this document support all of the features of the described or referenced standard. In order to determine the specific features supported by a particular ABB product, the reader should consult the product specifications for the particular ABB product.

ABB may have one or more patents or pending patent applications protecting the intellectual property in the ABB products described in this document.

The information in this document is subject to change without notice and should not be construed as a commitment by ABB. ABB assumes no responsibility for any errors that may appear in this document.

Products described or referenced in this document are designed to be connected, and to communicate information and data via a secure network. It is the sole responsibility of the system/product owner to provide and continuously ensure a secure connection between the product and the system network and/or any other networks that may be connected.

The system/product owners must establish and maintain appropriate measures, including, but not limited to, the installation of firewalls, application of authentication measures, encryption of data, installation of antivirus programs, and so on, to protect the system, its products and networks, against security breaches, unauthorized access, interference, intrusion, leakage, and/or theft of data or information.

ABB verifies the function of released products and updates. However, system/product owners are ultimately responsible to ensure that any system update (including but not limited to code changes, configuration file changes, third-party software updates or patches, hardware change out, and so on) is compatible with the security measures implemented. The system/product owners must verify that the system and associated products function as expected in the environment they are deployed.

In no event shall ABB be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall ABB be liable for incidental or consequential damages arising from use of any software or hardware described in this document.

This document and parts thereof must not be reproduced or copied without written permission from ABB, and the contents thereof must not be imparted to a third party nor used for any unauthorized purpose.

The software or hardware described in this document is furnished under a license and may be used, copied, or disclosed only in accordance with the terms of such license. This product meets the requirements specified in EMC Directive 2014/30/EU and in Low Voltage Directive 2014/35/EU.

TRADEMARKS
All rights to copyrights, registered trademarks, and trademarks reside with their respective owners.

Copyright © 2004-2016 by ABB.


All rights reserved

Release: Apr 2016


Document number: 3BSE034876
TABLE OF CONTENTS

About This Book


General ..............................................................................................................................7
Document Conventions .....................................................................................................7
Warning, Caution, Information, and Tip Icons..................................................................7
Terminology.......................................................................................................................8
Related Documentation ...................................................................................................11

Section 1 - Introduction
Introduction .....................................................................................................................13
Calculation Methods........................................................................................................13
Environment ....................................................................................................................15
Nomenclature ..................................................................................................................15
AC 800M HI Safety Integrity..........................................................................................19
General .............................................................................................................19
BPCS Risk Reduction with AC 800M HI............................................................20
Safety Reliability Block Diagrams.......................................................................21
Safety Reliability Calculations.............................................................................23
Calculations with Respect to Maintenance Effort................................................23
AC 800M HI Typical Configurations..............................................................................24

Section 2 - Safety Reliability Calculations


General ............................................................................................................................27
Configuration...................................................................................................................27
AC 800M HI Safety Reliability Data ..............................................................................29
Calculating Probability of Dangerous Failure on Demand (PFD) ..................................33
Calculating Probability of Dangerous Failure per Hour (PFH) ...........................35


Section 3 - Availability Calculations


Single AC 800M HI PU .................................................................................................. 38
Single AC 800M HI PU (with redundant Supervisory module).......................... 40
Redundant AC 800M HI PU (with redundant Supervisory module)................... 42
AC 800M HI Redundant PU ........................................................................................... 44
Redundant AC 800M HI and Single I/O ............................................................. 44
Redundant AC 800M HI and Redundant I/O ...................................................... 48
AC 800M HI Power Supply 24V .................................................................................... 52
AC 800M HI, Single S800 I/O........................................................................................ 55
AC 800M HI, Redundant S800 I/O................................................................................. 56
AC 800M HI Single Optical Modulebus ........................................................................ 57
AC 800M HI Redundant Optical Modulebus ................................................................. 59
Control Network Communication................................................................................... 60

Appendix A - Component Reliability Data


Revision History.............................................................................................................. 67
Internal Revision History ................................................................................................ 69

About This Book

General
This book contains information necessary to support dependability studies and
availability and reliability calculations related to the use of AC 800M HI controller
in Safety Instrumented Systems (SIS).
A brief introduction to ABB reliability data methodology is given together with an
overview of definitions and nomenclature.
The main parts of the book address safety reliability and system availability
calculations.

Document Conventions
Microsoft Windows conventions are normally used for the standard presentation of
material when entering text, key sequences, prompts, messages, menu items, screen
elements, etc.

Warning, Caution, Information, and Tip Icons


This publication includes Warning, Caution, and Information where appropriate
to point out safety related or other important information. It also includes Tip to
point out useful hints to the reader. The corresponding symbols should be
interpreted as follows:

Electrical warning icon indicates the presence of a hazard which could result in
electrical shock.


Warning icon indicates the presence of a hazard which could result in personal
injury.

Caution icon indicates important information or warning related to the concept
discussed in the text. It might indicate the presence of a hazard which could
result in corruption of software or damage to equipment/property.

Information icon alerts the reader to pertinent facts and conditions.

Tip icon indicates advice on, for example, how to design your project or how to
use a certain function.
Although Warning hazards are related to personal injury, and Caution hazards are
associated with equipment or property damage, it should be understood that
operation of damaged equipment could, under certain operational conditions, result
in degraded process performance leading to personal injury or death. Therefore,
fully comply with all Warning and Caution notices.

Terminology
A complete and comprehensive list of terms is included in System 800xA System
Guide Functional Description (3BSE038018*). The listing included in Engineering
Concepts includes terms and definitions as they apply to the 800xA system where
the usage is different from commonly accepted industry standard definitions and
definitions given in standard dictionaries such as Webster’s Dictionary of Computer
Terms.

Term/Acronym: Description
AC 800M HI: AC 800M High Integrity
AI: Analog Input
Application: User defined logic. Used in Control Builder M Professional to denote a “container” for executable programs and data that are grouped together.
BPCS: Basic Process Control System
Channel: Element or group of elements that independently perform(s) a function
CM: Cluster Modem
Common cause failure: Failure which is the result of one or more events, causing coincident failures of two or more separate channels in a multiple channel system, leading to system failure
CPU: Central Processing Unit
DC: Diagnostic Coverage
DI: Digital Input
DO: Digital Output
ESD: Emergency Shutdown
F&G: Fire and Gas (protection system)
FMEDA: Failure Mode, Effect and Diagnostic Analysis
HFT: Hardware Fault Tolerance
Interference free: Hardware and software functions certified to be used in AC 800M HI for non safety related functions. This hardware and software will not interfere undetected with the safety functions or the safety integrity of the AC 800M HI.
Logic Solver: That portion of either a BPCS or SIS that performs one or more logic function(s). Logic Solver consists of Input Board, PU and Out Board. Note: Sensors and final elements are not part of the logic solver.
Mode of operation: Low demand: where the frequency of demands for operation on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency. High demand or continuous: where the frequency of demands for operation on a safety-related system is greater than one per year or greater than twice the proof-test frequency.
MCB: Miniature Circuit Breaker
NC: Normally closed
ND: Normally de-energized
NE: Normally energized
NO: Normally open
PCB: Printed Circuit Board
PFD: Probability of Dangerous Failure on Demand
PFDG: Average Probability of Dangerous Failure on Demand
PFH: Average Frequency of Dangerous Failure per Hour
Proof Test: Test performed to reveal undetected faults in a safety instrumented system so that, if necessary, the system can be restored to its designed functionality
PST: Process Safety Time
PU: Processor Unit. In this document PU refers to the assembly of Processor and Supervisory Modules. This is a part of the logic solver as defined in IEC61508.
RCU: Redundant Control Unit
RRF: Risk Reduction Factor
SFF: Safe Failure Fraction
SIF: Safety Instrumented Function
SIS: Safety Instrumented System
SD: Bulk power supply (main power supply)
SPOF: Single Point Of Failure
SS: Power voting unit
TB: Cluster Modem
TP: Base plate
TU: Connection unit
1oo1D: 1 out of 1 Channel Architecture with Diagnostics
1oo2D: 1 out of 2 Channel Architecture with Diagnostics

Related Documentation
Whenever a reference to a specific instruction is made, the instruction number is
included in the reference.

Category: Title (Description)
Hardware: 3BSE047571 (Reliability Data Sheet, Controller Platform AC 800)
Hardware: 3BSE047572 (Reliability Data Sheet, S800 I/O System)
Hardware: 3BSE036352* (AC 800M - Controller Hardware Product Guide)
Formulas: IEC61508 part 2 and 6, Second Edition 2010 (Functional Safety, international standard)
Formulas: IEC/TR 62380, First Edition (Reliability data handbook: Universal model for reliability prediction of electronics components, PCBs and equipment)

Section 1 Introduction

Introduction
This document includes methods and data to be used in the calculations of system
reliability both from an availability as well as from a safety reliability viewpoint.
Dependencies from a safety reliability viewpoint are illustrated in reliability block
diagrams.

Calculation Methods
The dependability calculation methods used within ABB for the calculation of
reliability comply with IEC/TR 62380 and Part 6 of IEC61508.
Quite conservative predictions can be expected from the very beginning of the product
life cycle. Field observations of failure rates in typical industrial applications will
influence the module data given and make the data compatible with real life
experience. Improvements of the quality of the data will then be achieved
gradually.
The failure rates for all circuit boards and units are calculated by a computer
program. The parts count method is used. When needed, actual loads are taken into
consideration. Certain components, measurement points etc. not essential for
continuous operation are not included in the calculations.
The reliability data for a circuit board or a system component is derived from
statistical calculation methods.
Failure rates are calculated and documented through failure mode effect and
diagnostics analysis (FMEDA) and approved by TÜV.


Defined Failure Types


In this document the failure rates are divided into different types: the total failure
rate λTOT, the functional failure rate, the dangerous undetected failure rate λDU,
the dangerous detected failure rate λDD, the safe undetected failure rate λSU and the
safe detected failure rate λSD. The failure rate is stated in failures per hour (1/h) in
this document unless otherwise noted.

Total failure rate λTOT: A general failure in a circuit board or a system
component. No consideration is given to the consequences of the failure. The
failure rate for this failure type is referred to as the “Total failure rate”. It is the sum
of the failure rates of virtually all of the electronic components in the unit (parts
count method). It is used for maintenance predictions (spare part calculations).

Functional failure rate: Failure within a system component which disables
complete or important parts of the system function concerned but does not affect
associated system functions. Only failures which affect functions necessary for
required operation are normally included.
Example: A communication is lost due to an interface error. However, the superior
system function which includes the communication interface is not affected. It all
depends on how vital the actual communication is for the total system function.

Safe failures (S): Failure within a system component which does not affect the
safety integrity of the system function concerned.
Safe Detectable failures (SD): The portion of “Safe failures” that is detected
automatically by the internal diagnostics.
Safe Undetectable failures (SU): The portion of the “Safe failures” that is not
detected automatically by the internal diagnostics.
Dangerous failures (D): Failure within a system component which affects the
safety integrity of the system function concerned.
Dangerous Detectable failures (DD): The portion of “Dangerous failures” that
is detected and reacted upon automatically by the internal diagnostics.
Dangerous Undetectable failures (DU): The portion of the “Dangerous
failures” that is not detected automatically by the internal diagnostics. These are the
most critical failures in safety related systems.


No Effect failure (#): Failure of an element that plays a part in implementing the
safety function but has no direct effect on the safety function.
No Part failure ( -): Failure of a component that plays no part in implementing
the safety function.

Environment
The failure rates are calculated for industrial environment. The requirement for
industrial data is stated in 3BSE036352 Appendix E. The ambient temperature
outside an electronic assembly/enclosure in these calculations is assumed to be 30°C.

Nomenclature
Failure rate: λ states the mean number of failures per hour.

Mean Time to Failure: $\mathrm{MTTF} = \frac{1}{\lambda}$ [hours]

Mean Time Between Failures: $\mathrm{MTBF} = \mathrm{MTTF} + \mathrm{MTTR}$ [hours] [1]

Availability: $A = \frac{\mathrm{MTTF}}{\mathrm{MTTF} + \mathrm{MTTR}} \times 100 = \frac{1}{1 + \lambda \times \mathrm{MTTR}} \times 100$ [%] [2]

MTTR, Mean Time To Restoration, is the average time required to move from
unsuccessful operation to successful operation. The definition includes the time
required to detect that a failure has occurred and to identify it, as well as the time
required to make the repair.
MTTR used in the calculation of redundant functions is 8 hours and alternatively 72
hours.


Safety Integrity is the average probability of a safety instrumented system
satisfactorily performing the required safety instrumented functions under all the
stated conditions within a stated period of time.
Safety Integrity Level (SIL) is the discrete level (one out of four) for specifying the
safety integrity requirements of the safety instrumented functions to be allocated to
the safety instrumented systems. SIL 4 has the highest level of safety integrity; SIL
1 has the lowest.

Safe Failure Fraction (SFF) is the fraction of the overall random hardware failure
rate of a device that results in either a safe failure or a dangerous detected failure.

$\mathrm{SFF} = \frac{\lambda_S + \lambda_{DD}}{\lambda_D + \lambda_S}$ [4]

Safe State. State of the equipment under control when safety is achieved.
Diagnostic Coverage (DC) [%] and Safe Failure Fraction (SFF) [%] are calculated
according to the methods given in Part 2 and the user guidelines given in Part 6 of
IEC 61508.

$\mathrm{DC} = \frac{\lambda_{DD}}{\lambda_D}$ [5]

Common cause failure (CCF) is a failure which is the result of one or more events,
causing failures of two or more separate channels in a multiple channel system,
leading to system failure.
Quantification of hardware-related common cause failures, expressed as a β-factor,
is described in Annex D in Part 6 of IEC 61508. A β-factor of 1% is used in relevant
calculations in this document.


Hardware Fault Tolerance is the ability of a functional unit to continue to perform
a required function in the presence of faults or errors. Hardware fault tolerance with
respect to dangerous failures is the ability of a functional unit to achieve safe state in
the presence of a dangerous failure or error.
Proof Tests (T) are required to reveal hidden dangerous failures. The interval
between such tests is of importance when calculating safety reliability
(PFD). The proof test interval for the logic solver is 20 years; that value is used in
this document unless specifically noted. A shorter proof test interval can be used,
but the calculations will then have to be remade. A proof test interval of 20 years is the
upper limit.
Probability of Dangerous Failure on Demand (PFD) and Probability of
Dangerous Failure per Hour (PFH) are used for reliability calculations that reflect
the potential effect of system failures on functional safety.
Probability of Dangerous Failure on Demand (PFD) is calculated according to
the formula for an architecture in low demand mode of operation as defined in
Annex B of Part 6 of IEC 61508.

The built-in diagnostics in the AC 800M HI controller ensure that the portion of
dangerous failures that is detected by the diagnostics will not prevent any safety
function within the logic solver from maintaining or achieving safe state. The
starting point is the formula in IEC61508-6 Annex B for 1oo1. As the system reacts
on detected failures within the FDRT by bringing the EUC to the safe state, the time
after fault detection and reaction cannot contribute to the PFD value. Therefore the
formula in IEC61508-6 Annex B is modified accordingly [6]. This results in a more
conservative value compared to the formula in the standard.

$\mathrm{PFD} = \lambda_{DU} \cdot T$ [6]

PFD is used for functions in “Low demand mode of operation”.


Probability of dangerous Failure per Hour (PFH) is calculated according to
formulas for an architecture in high demand/continuous mode of operation as
defined in Annex B of Part 6 of IEC 61508.

$\mathrm{PFH} = \lambda_{DU}$ [7]


AC 800M HI Safety Integrity


General
AC 800M HI controller has a basic system design that complies with IEC61508 in a
1oo1D architecture for SIL2 and in a 1oo2D architecture for SIL3. Individual
system modules are designed in compliance with IEC61508 SIL 2 and SIL 3
hardware integrity requirements as defined in Table 1 below. The S800 I/O HI
modules are internally designed with a 1oo2D architecture.
AI880A can be configured as a loop monitored DI. Even though it is used as a DI,
the reliability numbers for the AI880A module apply.
AC 800M HI is certified for use in up to SIL 3 applications.

Table 1. AC 800M HI Safety Integrity

Sub-unit                                                  SIL     HW Fault Tolerance
AC 800M HI PU (PM865/TP830; SM810/SM811/TP855/TP868)      SIL 2   0
AC 800M HI PU (PM867/TP830; SM812/TP868)                  SIL 2   0
AC 800M HI PU (PM865/TP830; SM811/TP868)                  SIL 3   1
AC 800M HI PU (PM867/TP830; SM812/TP868)                  SIL 3   1
Analog Input module (AI880A)                              SIL 3   1
Digital Input module (DI880)                              SIL 3   1
Digital Output module (DO880 NE)                          SIL 3   1
Digital Output module (DO880 ND)                          SIL 3   1

BPCS Risk Reduction with AC 800M HI


AC 800M HI is certified for use in safety applications requiring up to SIL3
compliance. AC 800M HI application software for Safety Instrumented Functions
shall be allocated and implemented in SIL marked Applications (Control Builder M
SIL applications).
However, AC 800M HI offers the opportunity to implement BPCS control and
supervision functions for processes in non-SIL marked Applications, (Control
Builder M Standard Applications) with the potential of creating Risk Reduction
functions in the BPCS with a Risk Reduction factor up to 10 corresponding to the
higher limit of Safety Integrity Level 1.


Safety Reliability Block Diagrams

AC 800M HI SIL2 1oo1D Single Controller


Reliability block diagram for the SIL2 AC 800M HI 1oo1D controller without any
redundancy (single controller) is shown below.

Figure 1. Reliability block diagram, SIL2 AC 800M HI 1oo1D Single Controller


x: indicates that the PM is not supervised to 100% by the SM. There are very small
portions of the PM where DU failures could occur.
β: this is the common cause factor for the PM and SM.
Corresponding safety reliability formulas are shown in [8], [9] and [10].

PFD equation

$\mathrm{PFD} = \lambda_{DU-I}\,T + x\,\lambda_{DU-PM}\,T + (1-\beta)\,\lambda_{DU-SM}\,T \cdot (1-\beta)(1-x)\,\lambda_{DU-PM}\,T + \beta \min(\lambda_{DU-PM};\,\lambda_{DU-SM})\,T + \lambda_{DU-DO}\,T$ [8]

The term containing “(1-β) λDU-SM T · (1-β)(1-x) λDU-PM T” is much smaller than the
rest and can be neglected, so Equation [8] is simplified into Equation [9].
The factor “x” is defined to be 1%.


Simplified PFD Equation

$\mathrm{PFD} = \lambda_{DU-I}\,T + x\,\lambda_{DU-PM}\,T + \beta \min(\lambda_{DU-PM};\,\lambda_{DU-SM})\,T + \lambda_{DU-DO}\,T$ [9]

The corresponding PFH equation:

$\mathrm{PFH} = \lambda_{DU-I} + x\,\lambda_{DU-PM} + \beta \min(\lambda_{DU-PM};\,\lambda_{DU-SM}) + \lambda_{DU-DO}$ [10]

AC 800M HI SIL3 1oo2D Single Controller


Reliability block diagram for the SIL3 AC 800M HI 1oo2D controller is shown
below. The SIL3 architecture is different from the SIL2 because the application is
now executing in both the PM and SM.
Like in the formulas of the SIL2 system, the part that models the redundancy of the
application execution can be reduced to the part that models the Common Cause
Failure.

Figure 2. Reliability block diagram, SIL3 AC 800M HI 1oo2D Single Controller


Therefore the formulas are as shown in equations [11] and [12].

$\mathrm{PFD} = \lambda_{DU-I}\,T + \beta \min(\lambda_{DU-PM};\,\lambda_{DU-SM})\,T + \lambda_{DU-DO}\,T$ [11]


PFH  DU
PFH=λDU I –  maxλDU
I β+ * min P M;;
DU–PM λDU M  +
DU–SSM λDUDU– DO
DO [12]

AC 800M HI 1oo1D and 1oo2D Redundant Controller


Redundancy can be added on all levels in the controller architecture, both for the
processor module and the supervisory module individually in the PU and on I/O module
level, to achieve the required system availability without jeopardizing safety integrity.
Both for SIL2 1oo1D and SIL3 1oo2D the redundant configuration contributes to
better availability numbers. The PFD and PFH numbers are the same for single and
redundant systems. The same equations given above can also be used for the
redundant AC 800M HI controller.

Safety Reliability Calculations


The total PFD or PFH figures for a safety function can be calculated as the sum of
the individual sub-system component PFD or PFH figures.
$\mathrm{PFD} = \mathrm{PFD}_1 + \mathrm{PFD}_2 + \mathrm{PFD}_3 + \ldots + \mathrm{PFD}_i$
$\mathrm{PFH} = \mathrm{PFH}_1 + \mathrm{PFH}_2 + \mathrm{PFH}_3 + \ldots + \mathrm{PFH}_i$

Calculations with Respect to Maintenance Effort


For calculation of maintenance effort, the total failure rate of the individual modules
is used.


AC 800M HI Typical Configurations

Figure 3. AC 800M HI Single System Configuration


Figure 4. AC 800M HI Redundant System Configuration

Section 2 Safety Reliability Calculations

General
The calculation methodology for probability of dangerous failure on demand (PFD)
and probability of dangerous failure per hour (PFH) is based on formulas in IEC
61508.
AC 800M HI SIL2 has a 1oo1D system architecture. The AC 800M HI SIL2 1oo1D
design implies the ability to always reach safe state or safe mode of operation
upon detection of a dangerous failure (that is, fail-to-safe shutdown of the equipment
under control, or continued safe operation with a redundant component or unit).
AC 800M HI SIL3 has a 1oo2D system architecture. S800 I/O HI (AI880A, DI880,
DO880) is certified for SIL3 applications.
AC 800M I/O HI communication system is certified for SIL3 applications. A safety
layer is made on top of platform specific protocols and communication devices, thus
excluding safety critical aspects of such components from the safety reliability
calculations.
The AC 800M HI Controller has been designed for easy adoption and scalability
with respect to availability.

Configuration
AC 800M HI is certified for up to SIL3 applications in single configuration
comprising a single PU, communication and single I/O modules.
Redundancy can be implemented individually for all types of sub-modules on a
modular basis without influencing the safety integrity:
• AC 800M HI PU:


– PM865/PM867 Processor Module
– BC810 CEX bus interconnection Module
– SM810/SM811/SM812 Supervisory Module
• TB840(A) Cluster modems and cables
• TB825 Media converter
• TB826 Media converter
• AI880A, DI880 and DO880 I/O modules, for loop supervised DI use AI880A
• Power Voter SS823
• Power supply*

* These components do not contribute to dangerous undetected failures at system
level because only SELV power supplies are allowed according to Safety Manual
3BNP004865*.


AC 800M HI Safety Reliability Data


For comparison of products from different manufacturers it is important to use
comparable data.
In projects with multidiscipline engineering it is often necessary to distribute a PFD
budget for the different subsystems. The following distribution is widely used:
• Initiator subsystem: 35%
• Logic Solver subsystem: 15%
• Final Element subsystem: 50%


Table 2. AC 800M HI Safety reliability data
(Columns of the original table: Variant; Including; λDU; PFD; PFH)

PM865 Single PU (SIL2)
  Including: Processor Module 1 x PM865, Termination Plate 1 x TP830, Supervisory module 1 x SM810/SM811, Termination Plate 1 x TP855/TP868
  λDU = 5.68E-9, PFD = 1.99E-5 (SIL2), PFH = 1.14E-10 (SIL2)

PM865 Single PU (SIL3)
  Including: Processor Module 1 x PM865, Termination Plate 1 x TP830, Supervisory Module 1 x SM811, Termination Plate 1 x TP868
  λDU = 5.68E-9, PFD = 9.94E-6 (SIL3), PFH = 5.68E-11 (SIL3)

PM867 Single PU (SIL2)
  Including: Processor Module 1 x PM867, Termination Plate 1 x TP830, Supervisory module 1 x SM812, Termination Plate 1 x TP868
  λDU = 8.07E-9, PFD = 2.83E-5 (SIL2), PFH = 1.61E-10 (SIL2)

PM867 Single PU (SIL3)
  Including: Processor Module 1 x PM867, Termination Plate 1 x TP830, Supervisory Module 1 x SM812, Termination Plate 1 x TP868
  λDU = 8.07E-9, PFD = 1.41E-5 (SIL3), PFH = 8.07E-11 (SIL3)

I/O

Digital Input module DI880 with Module Termination Unit (MTU**)
  Including: DI880 common + 1 channel; TU842/843
  λDU = 3.52E-11, PFD = 6.16E-6, PFH = 3.52E-11

Additional Digital Input channel DI880, per extra channel to add, max 15 per board
  Including: 1 additional DI880 channel
  λDU = 1.66E-12, PFD = 2.91E-7, PFH = 1.66E-12

Analog Input AI880A*** with Module Termination Unit (MTU**)
  Including: AI880A common + 1 channel; TU844/845
  λDU = 5.26E-11, PFD = 9.21E-6, PFH = 5.26E-11

Additional Analog Input channel AI880A***, per extra channel to add, max 7 per board
  Including: 1 additional AI880A channel
  λDU = 2.23E-12, PFD = 3.91E-7, PFH = 2.23E-12

Digital Output DO880 NE with Module Termination Unit (MTU**)
  Including: DO880 common + 1 channel; TU842/843
  λDU = 1.75E-10, PFD = 3.06E-5, PFH = 1.75E-10

Additional Digital Output channel DO880 NE, per extra channel to add, max 15 per board
  Including: 1 additional DO880 channel
  λDU = 0, PFD = 0, PFH = 0

Digital Output DO880 ND with Module Termination Unit (MTU**)
  Including: DO880 common + 1 channel; TU842/843
  λDU = 1.56E-10, PFD = 2.73E-5, PFH = 1.56E-10

Additional Digital Output channel DO880 ND, per extra channel to add, max 15 per board
  Including: 1 additional DO880 channel
  λDU = 5.10E-13, PFD = 8.94E-8, PFH = 5.10E-13

Digital Output DO880 NE Degraded mode with Module Termination Unit (MTU**)
  Including: DO880 common + 1 channel; TU842/843
  λDU = 4.83E-9, PFD = 8.47E-4 (SIL2), PFH = 4.83E-9 (SIL2)

Additional Digital Output channel DO880 NE Degraded mode, per extra channel to add, max 15 per board
  Including: 1 additional DO880 channel
  λDU = 4.17E-9, PFD = 7.31E-4 (SIL2), PFH = 4.17E-9 (SIL2)

Modulebus, NE/ND applications: Cluster Modem, optical, with Module Termination Unit (MTU**)
  Including: TB840A; TU840 or TU841 or TU848 or TU849
  λDU = 5.43E-11, PFD = 9.52E-6, PFH = 5.43E-11

Modulebus, NE/ND applications: Cluster Modem, optical, with Module Termination Unit (MTU**)
  Including: TB840; TU840 or TU841 or TU848 or TU849
  λDU = 5.69E-11, PFD = 9.97E-6, PFH = 5.69E-11

Modulebus, NE/ND applications: Media Converter, optical
  Including: TB825
  λDU = 1.57E-11, PFD = 2.75E-6, PFH = 1.57E-11

Modulebus, NE/ND applications: Media Converter, optical
  Including: TB826
  λDU = 1.57E-11, PFD = 2.75E-6, PFH = 1.57E-11

Power Supply, NE/ND applications: Power supply*, Power voter
  Including: SD83x; SS823
  λDU = 0, PFD = 0, PFH = 0

* The SD83x is included for completeness but does not have any dangerous failures.

** The calculations in Table 2 use the data for MTUs from Appendix A.

*** The data is also valid when using AI880A as loop supervised DI. Each channel of AI880A includes
1 x TY801 or 1 x TY805 shunt stick.


Calculating Probability of Dangerous Failure on Demand (PFD)


Probability of dangerous failure on demand calculations are made with respect to
individual safety functions in low demand systems, to obtain a quantitative measure
of safety integrity. The calculation shall include the whole control function: the initiator
subsystem (sensors), the logic solver subsystem (processor and I/O) and the final
element subsystem (actuators).
IEC 61508 states the range and maximum figures for the probability of dangerous
failure on demand (PFD_TOTAL) of safety instrumented functions for the different Safety
Integrity Levels (SIL). See Table 3 below.

Table 3. Target failure measures for safety instrumented functions in low demand mode of operation

SIL | IEC 61508 requirement (PFD) | Initiator subsystem (35%) | Logic Solver subsystem (15%) | Final Element subsystem (50%)
----|-----------------------------|---------------------------|------------------------------|------------------------------
4   | 10^-4 - 10^-5               | 3.5E-5 - 3.5E-6           | 1.5E-5 - 1.5E-6              | 5.0E-5 - 5.0E-6
3   | 10^-3 - 10^-4               | 3.5E-4 - 3.5E-5           | 1.5E-4 - 1.5E-5              | 5.0E-4 - 5.0E-5
2   | 10^-2 - 10^-3               | 3.5E-3 - 3.5E-4           | 1.5E-3 - 1.5E-4              | 5.0E-3 - 5.0E-4
1   | 10^-1 - 10^-2               | 3.5E-2 - 3.5E-3           | 1.5E-2 - 1.5E-3              | 5.0E-2 - 5.0E-3

PFD figures for the most common AC 800M HI logic solver loop (I/O)
configurations are shown in Table 4, below.


Table 4. AC 800M HI Logic Solver safety integrity in low demand mode of operation

SIL failure measure (IEC/TR 62380 data)

SIF Architecture         | SIL2 PFD | SIL3 PFD
-------------------------|----------|---------
1DI-PU-1DO_NE (PM865)    | 5.67E-5  | 4.67E-5
1AI-PU-1DO_NE (PM865)    | 5.97E-5  | 4.97E-5
1DI-PU-1DO_ND (PM865)    | 5.34E-5  | 4.34E-5
1AI-PU-1DO_ND (PM865)    | 5.64E-5  | 4.63E-5
1DI-PU-1DO_NE (PM867)    | 6.50E-5  | 5.09E-5
1AI-PU-1DO_NE (PM867)    | 6.80E-5  | 5.39E-5
1DI-PU-1DO_ND (PM867)    | 6.17E-5  | 4.76E-5
1AI-PU-1DO_ND (PM867)    | 6.47E-5  | 5.06E-5

Note: AI, DI = Analog/Digital inputs
PU = Processing Unit (PM and SM)
DO_NE = Digital output, normally energized
DO_ND = Digital output, normally de-energized


Calculating Probability of Dangerous Failure per Hour (PFH)


In the process industry very few safety functions are normally classified as being in
high demand or continuous mode of operation. In the manufacturing industry there
tends to be a higher number of applications with safety functions in high demand or
continuous mode of operation.
The target failure measure for the safety integrity of safety functions operating in high
demand or continuous mode of operation is defined as the probability of dangerous
failure per hour (PFH).
IEC 61508 states the range and maximum figures for the probability of dangerous
failure per hour (PFH) of safety instrumented functions for the different Safety Integrity
Levels (SIL). See Table 5 below.

Table 5. Target failure measures for safety instrumented functions in high demand or continuous mode of operation

SIL | IEC 61508 requirement (PFH) | Initiator subsystem (35%) | Logic Solver subsystem (15%) | Final Element subsystem (50%)
----|-----------------------------|---------------------------|------------------------------|------------------------------
4   | 10^-8 - 10^-9               | 3.5E-9 - 3.5E-10          | 1.5E-9 - 1.5E-10             | 5.0E-9 - 5.0E-10
3   | 10^-7 - 10^-8               | 3.5E-8 - 3.5E-9           | 1.5E-8 - 1.5E-9              | 5.0E-8 - 5.0E-9
2   | 10^-6 - 10^-7               | 3.5E-7 - 3.5E-8           | 1.5E-7 - 1.5E-8              | 5.0E-7 - 5.0E-8
1   | 10^-5 - 10^-6               | 3.5E-6 - 3.5E-7           | 1.5E-6 - 1.5E-7              | 5.0E-6 - 5.0E-7


PFH figures for the most common AC 800M HI logic solver loop (I/O)
configurations are shown in Table 6 below.

Table 6. AC 800M HI Logic Solver safety integrity in high demand mode of operation

SIL reliability data (IEC/TR 62380 data)

SIF Architecture         | SIL2 PFH | SIL3 PFH
-------------------------|----------|---------
1DI-PU-1DO_NE (PM865)    | 3.23E-10 | 2.67E-10
1AI-PU-1DO_NE (PM865)    | 3.40E-10 | 2.84E-10
1DI-PU-1DO_ND (PM865)    | 3.05E-10 | 2.48E-10
1AI-PU-1DO_ND (PM865)    | 3.22E-10 | 2.65E-10
1DI-PU-1DO_NE (PM867)    | 3.71E-10 | 2.91E-10
1AI-PU-1DO_NE (PM867)    | 3.88E-10 | 3.08E-10
1DI-PU-1DO_ND (PM867)    | 3.52E-10 | 2.72E-10
1AI-PU-1DO_ND (PM867)    | 3.69E-10 | 2.89E-10

Note: AI, DI = Analog/Digital inputs
PU = Processing Unit (PM and SM)
DO_NE = Digital output, normally energized
DO_ND = Digital output, normally de-energized
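As an added worked example (not code from the ABB manual), the following Python encodes the IEC 61508 target bands and the 35% / 15% / 50% subsystem split of Table 3 (PFD, low demand) and Table 5 (PFH, high demand or continuous), and checks sample logic-solver figures from Table 2, Table 4 and Table 6 against the logic-solver share. Function and variable names are my own. Adding the three subsystem contributions into one SIF figure is the usual IEC 61508 practice and is an assumption here; the manual only states that the calculation must include all three subsystems.

```python
"""SIL target bands and subsystem apportionment (added example, not ABB code).

Encodes the IEC 61508 bands and the 35% / 15% / 50% split between initiator,
logic solver and final element shown in Table 3 (PFD) and Table 5 (PFH), then
checks sample logic-solver figures from Table 2, Table 4 and Table 6.
"""

# (upper, lower) limit per SIL, as stated in Table 3 and Table 5.
PFD_BAND = {4: (1e-4, 1e-5), 3: (1e-3, 1e-4), 2: (1e-2, 1e-3), 1: (1e-1, 1e-2)}
PFH_BAND = {4: (1e-8, 1e-9), 3: (1e-7, 1e-8), 2: (1e-6, 1e-7), 1: (1e-5, 1e-6)}

# Share of the SIF target allocated to each subsystem (Table 3 / Table 5).
ALLOCATION = {"initiator": 0.35, "logic_solver": 0.15, "final_element": 0.50}


def _band(measure):
    if measure not in ("PFD", "PFH"):
        raise ValueError("measure must be 'PFD' or 'PFH'")
    return PFD_BAND if measure == "PFD" else PFH_BAND


def subsystem_band(sil, subsystem, measure="PFD"):
    """(upper, lower) limit for one subsystem at the given SIL.

    subsystem_band(3, "logic_solver") reproduces the logic-solver cell of the
    SIL 3 row in Table 3: 1.5E-4 - 1.5E-5.
    """
    upper, lower = _band(measure)[sil]
    share = ALLOCATION[subsystem]
    return upper * share, lower * share


def meets_allocation(value, sil, subsystem, measure="PFD"):
    """True when the subsystem figure does not exceed its share of the SIL target."""
    upper, _ = subsystem_band(sil, subsystem, measure)
    return value <= upper


def highest_sil_for_subsystem(value, subsystem, measure="PFD"):
    """Highest SIL whose subsystem share the figure satisfies (0 if none)."""
    for sil in (4, 3, 2, 1):
        if meets_allocation(value, sil, subsystem, measure):
            return sil
    return 0


def sif_total(initiator, logic_solver, final_element):
    """Combined SIF figure: the three subsystem contributions are added.

    Assumption (standard IEC 61508 practice); the manual only says that all
    three subsystems must be included in the calculation.
    """
    return initiator + logic_solver + final_element


def achieved_sil(total, measure="PFD"):
    """Highest SIL whose upper limit the combined SIF figure stays below (0 if none)."""
    band = _band(measure)
    for sil in (4, 3, 2, 1):
        if total < band[sil][0]:
            return sil
    return 0


if __name__ == "__main__":
    # Logic solver 1DI-PU-1DO_NE (PM865), SIL3 column of Table 4 and Table 6.
    pfd_ls, pfh_ls = 4.67e-5, 2.67e-10
    print("PFD within SIL3 logic-solver share:", meets_allocation(pfd_ls, 3, "logic_solver"))
    print("PFH within SIL3 logic-solver share:", meets_allocation(pfh_ls, 3, "logic_solver", "PFH"))
    # DO880 NE degraded mode (Table 2): PFD 8.47E-4 only fits the SIL2 share.
    print("DO880 NE degraded mode, highest SIL:", highest_sil_for_subsystem(8.47e-4, "logic_solver"))
    # Constructed example: initiator and final element spend their full SIL3 share.
    total = sif_total(3.5e-4, pfd_ls, 5.0e-4)
    print("SIF PFD %.3e -> SIL%d" % (total, achieved_sil(total)))
```

The degraded-mode check mirrors the "SIL2" annotation on that row of Table 2: 8.47E-4 is above the 1.5E-4 upper limit of the SIL3 logic-solver share but inside the SIL2 share.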

Section 3 Availability Calculations

The total system failure rate can be calculated as the sum of the individual
subsystem failure rates:

    λ = λ1 + λ2 + λ3        (λi in 1/hour)

It is possible, if required, to adapt the calculation of reliability data of I/O modules
to the special requirements of a particular application. This can be done in a
standardized manner that gives a good approximation. The calculation is based on
the total failure rate and certain rules of thumb.

All tables in this document are based on MTTR = 8 h unless otherwise indicated.

Total failure rate safety function: covers all parts of the unit that contribute to
the safety function.

    Total failure rate safety function = λsd + λsu + λdd + λdu

Total failure rate: includes all components on the boards; the total failure rate
safety function is a subset of the total failure rate.

    Total failure rate = λsd + λsu + λdd + λdu + λ# + λ-

Functional failure rate safety function: the failures that will result in the controller
entering the safe state.
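The following Python is an added example (not the manual's own calculation) of the bookkeeping behind these definitions: it sums the λsd, λsu, λdd, λdu, λ# and λ- columns of a component row as defined above and combines components with the summation rule λ = λ1 + λ2 + λ3. The two sample rows are copied from Table 23 (PM865/TP830 and SM811/TP868 SIL3). The safe failure fraction and the single-unit availability formula A = 1/(1 + λ·MTTR) are standard IEC 61508 and reliability-engineering definitions added for illustration, not taken from the page, and Appendix A warns that its component figures do not always reproduce the Section 3 table values, so no such match is claimed.

```python
"""Failure-rate bookkeeping from Section 3 (added example, not ABB code).

Implements the Section 3 definitions
    total failure rate safety function = λsd + λsu + λdd + λdu
    total failure rate                 = λsd + λsu + λdd + λdu + λ# + λ-
and the summation rule λ = λ1 + λ2 + λ3 (λi in 1/hour) over components.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ComponentRates:
    """One row of Table 23 / Table 24; all rates in 1/hour."""
    name: str
    sd: float        # safe detected
    su: float        # safe undetected
    dd: float        # dangerous detected
    du: float        # dangerous undetected
    col_hash: float  # the "#" column of the table
    col_dash: float  # the "-" column of the table


def safety_function_rate(c):
    """Total failure rate safety function: λsd + λsu + λdd + λdu."""
    return c.sd + c.su + c.dd + c.du


def total_rate(c):
    """Total failure rate: the safety-function rate plus the "#" and "-" columns."""
    return safety_function_rate(c) + c.col_hash + c.col_dash


def dangerous_undetected_rate(c):
    """λdu alone, the term tabulated per variant in the λdu column of Table 2."""
    return c.du


def system_rate(components, per_component=safety_function_rate):
    """λ = λ1 + λ2 + ... over the components, as stated in Section 3."""
    return sum(per_component(c) for c in components)


def safe_failure_fraction(c):
    """SFF = (λsd + λsu + λdd) / (λsd + λsu + λdd + λdu).

    Standard IEC 61508 definition, added for illustration; the page does not
    tabulate SFF.
    """
    sf = safety_function_rate(c)
    return (c.sd + c.su + c.dd) / sf if sf else 1.0


def steady_state_availability(rate, mttr_hours=8.0):
    """A = 1 / (1 + λ·MTTR) for a single repairable unit.

    Standard formula, assumed here; the manual states only that its tables
    use MTTR = 8 h unless otherwise indicated.
    """
    return 1.0 / (1.0 + rate * mttr_hours)


# Sample rows copied from Table 23 (sd, su, dd, du, "#", "-").
PM865 = ComponentRates("PM865/TP830", 3.43e-7, 3.13e-7, 1.29e-6, 5.68e-9, 2.83e-7, 5.60e-7)
SM811_SIL3 = ComponentRates("SM811/TP868 (SIL3)", 2.41e-7, 3.73e-7, 5.82e-7, 9.34e-9, 1.76e-7, 2.70e-7)
SINGLE_PU = (PM865, SM811_SIL3)


if __name__ == "__main__":
    for c in SINGLE_PU:
        print("%-20s safety-function %.3e  total %.3e  SFF %.4f" % (
            c.name, safety_function_rate(c), total_rate(c), safe_failure_fraction(c)))
    lam = system_rate(SINGLE_PU)
    print("PU safety-function rate %.3e 1/h, A(MTTR = 8 h) = %.9f" % (
        lam, steady_state_availability(lam)))
```

Passing a different selector to `system_rate` (for example `dangerous_undetected_rate`) gives the corresponding column sum, which is the quantity a PFD or PFH assessment starts from.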

Single AC 800M HI PU
Table 7. Failure rates, Single AC 800M HI PU (PM865)

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|---------------------------------------------|-----------------------
Single Processor and Supervisory module (PU) | | 3.46E-6 | 3.46E-6 | 4.42E-6
Processor Module | 1xPM865, 1xTP830 | 1.71E-6 | 1.71E-6 | 2.56E-6
Supervisory module | 1xSM810/SM811, 1xTP855/1xTP868 | 1.20E-6 | 1.20E-6 | 1.65E-6
Options included: CEX interface, COM 4 Tool port | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 |

Note: Functional options like control network interface, electrical and optical
ModuleBuses are considered from a functional failure rate viewpoint only.


Table 8. Failure rates, Single AC 800M HI PU (PM867)

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|---------------------------------------------|-----------------------
Single Processor and Supervisory module (PU) | | 4.51E-6 | 4.51E-6 | 6.84E-6
Processor Module | 1xPM867, 1xTP830 | 2.58E-6 | 2.58E-6 | 3.36E-6
Supervisory module | 1xSM812, 1xTP868 | 1.93E-6 | 1.93E-6 | 3.48E-6
Options included: CEX interface, COM 4 Tool port | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 |

Note: Functional options like control network interface, electrical and optical
ModuleBuses are considered from a functional failure rate viewpoint only.


Single AC 800M HI PU (with redundant Supervisory module)


Table 9. Failure rates, Single AC 800M HI PU (PM865) with redundant Supervisory module

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Single Processor Module with redundant Supervisory module | | 4.46E-6 | 2.05E-6 | 2.05E-6 | 7.20E-6
Processor Module | 1xPM865, 1xTP830 | 1.71E-6 | 1.71E-6 | 1.71E-6 | 2.56E-6
CEX-Bus Interconnection Unit | BC810 connected, TP857 | 3.36E-7 | 3.36E-7 | 3.36E-7 | 6.69E-7
Supervisory Module | SM811/TP868 SIL3 | 1.20E-6 | 3.58E-10 | 5.42E-10 | 1.65E-6
Supervisory Module, CEX-Bus Interconnection Unit | SM811/TP868 SIL3, BC810 remote, TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
Options included: COM 4 Tool port, CEX interface | | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 | |

Note: Functional options like control network interface, electrical and optical Modulebuses
are considered from a functional failure type viewpoint only.


Table 10. Failure rates, Single AC 800M HI PU (PM867) with redundant Supervisory module

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Single Processor Module with redundant Supervisory module | | 6.78E-6 | 2.91E-6 | 2.92E-6 | 1.17E-5
Processor Module | 1xPM867, 1xTP830 | 2.58E-6 | 2.58E-6 | 2.58E-6 | 3.36E-6
CEX-Bus Interconnection Unit | BC810 connected, TP857 | 3.36E-7 | 3.36E-7 | 3.36E-7 | 6.69E-7
Supervisory Module | SM812/TP868 SIL3 | 1.93E-6 | 3.94E-10 | 8.68E-10 | 3.48E-6
Supervisory Module, CEX-Bus Interconnection Unit | SM812/TP868 SIL3, BC810 remote, TP857 | 2.72E-6 | 4.17E-10 | 1.07E-9 | 4.15E-6
Options included: COM 4 Tool port, CEX interface | | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 | |

Note: Functional options like control network interface, electrical and optical Modulebuses
are considered from a functional failure type viewpoint only.


Redundant AC 800M HI PU (with redundant Supervisory module)


Table 11. Failure rates, Redundant AC 800M HI PU (PM865) with redundant Supervisory module

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant Processor Module with redundant Supervisory module | | 6.51E-6 | 1.17E-9 | 1.85E-9 | 9.57E-6
Processor Module | 2xPM865, 2xTP830 | 3.43E-6 | 7.99E-10 | 1.17E-9 | 5.12E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
Options included: COM 4 Tool port, CEX interface | | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 | |

Note: Functional options like control network interface, electrical and optical Modulebuses
are considered from a functional failure type viewpoint only.


Table 12. Failure rates, Redundant AC 800M HI PU (PM867) with redundant Supervisory module

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant Processor Module with redundant Supervisory module | | 9.69E-6 | 1.27E-9 | 2.77E-9 | 1.51E-5
Processor Module | 2xPM867, 2xTP830 | 5.15E-6 | 8.58E-10 | 1.70E-9 | 6.72E-6
Supervisory module and CEX-Bus interconnection Unit | SM812, TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.17E-6
Supervisory module and CEX-Bus interconnection Unit | SM812, TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.15E-6
Options included: COM 4 Tool port, CEX interface | | | | |
COM 3 RS232 (add for use of internal communication RS232) | | 3.0E-9 | 3.0E-9 | |

Note: Functional options like control network interface, electrical and optical Modulebuses
are considered from a functional failure type viewpoint only.


AC 800M HI Redundant PU
Redundant AC 800M HI and Single I/O
Table 13. Failure rates, Redundant AC 800M HI PU (PM865) and Single I/O

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant PU | | 1.04E-5 | 2.85E-6 | 2.85E-6 | 1.76E-5
Processor Module | 2xPM865, 2xTP830. Options included: Electrical/optical modulebus, Control Network (2 ports), COM 4 Tool port, CEX bus interface | 3.43E-6 | 7.99E-10 | 1.17E-9 | 5.12E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
S800 I/O HI Single Configuration | | | | |
Cluster Modem | 2xTB840A, TU840 | 1.01E-6 | 3.84E-10 | 5.57E-10 | 1.79E-6
Analog Input Module | AI880A, TU844/845, 8xTY801/TY805 | 1.01E-6 | 1.01E-6 | 1.01E-6 | 1.38E-6
Digital Input Module | DI880, TU842/843 | 8.96E-7 | 8.96E-7 | 8.96E-7 | 1.22E-6
Digital Output Module | DO880, TU842/843 | 9.83E-7 | 9.83E-7 | 9.83E-7 | 3.55E-6


Table 14. Failure rates, Redundant AC 800M HI PU (PM867) and Single I/O

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant PU | | 1.36E-5 | 2.85E-6 | 2.85E-6 | 2.29E-5
Processor Module | 2xPM867, 2xTP830. Options included: Electrical/optical modulebus, Control Network (2 ports), COM 4 Tool port, CEX bus interface | 5.15E-6 | 8.58E-10 | 1.70E-9 | 6.72E-6
Supervisory module and CEX-Bus interconnection Unit | SM812/TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.17E-6
Supervisory module and CEX-Bus interconnection Unit | SM812/TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.17E-6
S800 I/O HI Single Configuration | | | | |
Cluster Modem | 2xTB840A, TU840 | 1.01E-6 | 3.84E-10 | 5.57E-10 | 1.79E-6
Analog Input Module | AI880A, TU844/845, 8xTY801/TY805 | 1.01E-6 | 1.01E-6 | 1.01E-6 | 1.38E-6
Digital Input Module | DI880, TU842/843 | 8.96E-7 | 8.96E-7 | 8.96E-7 | 1.22E-6
Digital Output Module | DO880, TU842/843 | 9.83E-7 | 9.83E-7 | 9.83E-7 | 3.55E-6


Redundant AC 800M HI and Redundant I/O


Table 15. Failure rates, Redundant AC 800M HI PU (PM865) and Redundant I/O

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant PU | | 1.61E-5 | 1.47E-8 | 1.66E-8 | 2.33E-5
Processor Module | 2xPM865, 2xTP830. Options included: Electrical/optical modulebus, Control Network (2 ports), COM 4 Tool port, CEX bus interface | 3.43E-6 | 7.99E-10 | 1.17E-9 | 5.12E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
Supervisory module and CEX-Bus interconnection Unit | SM810/SM811, TP855/TP868, BC810/TP857 | 1.54E-6 | 3.73E-10 | 6.74E-10 | 2.32E-6
S800 I/O HI Redundant Configuration | | | | |
Cluster Modem | 2xTB840A, TU848 | 1.01E-6 | 4.52E-11 | 7.78E-11 | 1.79E-6
Analog Input Module | 2xAI880A, TU844/845, 8xTY801/TY805 | 1.93E-6 | 9.70E-9 | 9.82E-9 | 2.63E-6
Digital Input Module | 2xDI880, TU842/843 | 1.71E-6 | 1.60E-9 | 1.69E-9 | 2.33E-6
Digital Output Module | 2xDO880, TU842/843 | 5.02E-6 | 1.80E-9 | 2.59E-9 | 6.97E-6


Table 16. Failure rates, Redundant AC 800M HI PU (PM867) and Redundant I/O

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function, MTTR 8h (λ) | Functional failure rate safety function, MTTR 72h (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|------------------------------------------------------|-------------------------------------------------------|-----------------------
Redundant PU | | 1.93E-5 | 1.48E-8 | 1.79E-8 | 2.86E-5
Processor Module | 2xPM867, 2xTP830. Options included: Electrical/optical modulebus, Control Network (2 ports), COM 4 Tool port, CEX bus interface | 5.15E-6 | 8.58E-10 | 1.70E-9 | 6.72E-6
Supervisory module and CEX-Bus interconnection Unit | SM812/TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.17E-6
Supervisory module and CEX-Bus interconnection Unit | SM812/TP868, BC810/TP857 | 2.27E-6 | 4.17E-10 | 1.07E-9 | 4.17E-6
S800 I/O HI Redundant Configuration | | | | |
Cluster Modem | 2xTB840A, TU848 | 1.01E-6 | 4.52E-11 | 7.78E-11 | 1.79E-6
Analog Input Module | 2xAI880A, TU844/845, 8xTY801/TY805 | 1.93E-6 | 9.70E-9 | 9.82E-9 | 2.63E-6
Digital Input Module | 2xDI880, TU842/843 | 1.71E-6 | 1.60E-9 | 1.69E-9 | 2.33E-6
Digital Output Module | 2xDO880, TU842/843 | 5.02E-6 | 1.80E-9 | 2.59E-9 | 6.97E-6


AC 800M HI Power Supply 24V


The failure rates are given in Table 17 for both the SD82x and the SD83x series power
supplies.

Table 17. Failure rates, AC 800M HI Power Supply 24V

Variant | Including | Total failure rate safety function (λ) | Functional failure rate safety function (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|---------------------------------------------|-----------------------
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD821, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 1.48E-6 | 1.48E-6 | 1.63E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD821, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 2.96E-6 | 8.53E-10 | 3.26E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD822, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 2.08E-6 | 2.08E-6 | 2.23E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD822, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 4.16E-6 | 8.87E-10 | 4.46E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD823, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 2.48E-6 | 2.48E-6 | 2.63E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD823, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 4.96E-6 | 9.16E-10 | 5.26E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD831, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 1.47E-6 | 1.56E-6 | 1.70E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD831, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 2.95E-6 | 8.56E-10 | 3.41E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD832, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 1.56E-6 | 1.56E-6 | 1.70E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD832, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 3.11E-6 | 8.56E-10 | 3.41E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD833, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 1.89E-6 | 1.89E-6 | 2.04E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD833, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 3.78E-6 | 8.75E-10 | 4.07E-6
120V/230V a.c. mains supply, Single system | Power supply unit 1xSD834, Power voting unit 1xSS823, Miniature circuit breaker 1xMCB | 3.91E-6 | 3.91E-6 | 4.06E-6
120V/230V a.c. mains supply, Redundant system | Power supply unit 2xSD834, Power voting unit 2xSS823, Power switch / Miniature circuit breaker 2xMCB | 7.83E-6 | 1.06E-9 | 8.12E-6


AC 800M HI, Single S800 I/O

Table 18. Failure rates, AC 800M HI Single Electrical Modulebus

Variant | Including | Total failure rate safety function (λ) | Functional failure rate, losing one channel only, including MTU (λ) | Functional failure rate, locking modulebus (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|---------------------------------------------------------------------|------------------------------------------------|-----------------------
S800 I/O HI Single modules | | | | |
Analog Input module | AI880A, TU844/845, TY801/TY805 | 1.01E-6 | 9.16E-9 | 2.76E-8 | 1.38E-6
Digital Input Module | DI880, TU842/843 | 8.96E-7 | 3.88E-9 | 2.73E-8 | 1.22E-6
Digital Output Module NE | DO880, TU842/843 | 2.55E-6 | 9.16E-9 | 1.04E-7 | 3.55E-6
Digital Output Module ND | DO880, TU842/843 | 2.55E-6 | 9.16E-9 | 1.04E-7 | 3.55E-6
S800 I/O (see Note), Single modules | I/O module, MTU | 3.0E-6 | 1.5E-8 | 1.5E-8 | 3.0E-6

Note: Typical values per set of I/O module and module termination unit. See separate document
for reliability data on individual modules according to MIL HBK217.


AC 800M HI, Redundant S800 I/O

Table 19. Failure rates, AC 800M HI Redundant Electrical Modulebus

Variant | Including | Total failure rate safety function (λ) | Functional failure rate, losing one channel only, including MTU (λ) | Functional failure rate, locking both modulebuses (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|---------------------------------------------------------------------|-------------------------------------------------------|-----------------------
S800 I/O HI Redundant modules | | | | |
Analog Input module | 2xAI880A, TU844/845, TY801/TY805 | 1.93E-6 | 5.22E-12 | 9.68E-9 | 2.63E-6
Digital Input Module | 2xDI880, TU842/843 | 1.71E-6 | 5.29E-12 | 1.58E-9 | 2.33E-6
Digital Output Module NE | 2xDO880, TU842/843 | 5.02E-6 | 1.68E-11 | 1.68E-9 | 6.97E-6
Digital Output Module ND | 2xDO880, TU842/843 | 5.02E-6 | 1.68E-11 | 1.68E-9 | 6.97E-6
S800 I/O (see Note), Single modules | I/O module, MTU | 6.00E-6 | 3.0E-6 | 1.50E-6 | 6.00E-6

Note: Typical values per set of I/O module and module termination unit. See separate
document for reliability data on individual modules according to MIL HBK217.


AC 800M HI Single Optical Modulebus


Table 20. Failure rates, AC 800M HI, Single Optical Modulebus

Variant | Including | Total failure rate safety function (λ) | Functional failure rate affecting the optical modulebus (λ) | Functional failure rate affecting the electrical modulebus (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|-------------------------------------------------------------|----------------------------------------------------------------|-----------------------
Application of the expandable optical I/O link | | | | |
Cluster Modem, Termination Plate, Single electrical Modulebus | 1 x TB840A, 1 x TU841 | 5.84E-7 | 3.62E-10 | 5.84E-7 | 1.05E-6
Cluster Modem, Termination Plate, Single electrical Modulebus | 1 x TB840A, 1 x TU849 | 6.13E-7 | 3.62E-10 | 6.13E-7 | 1.11E-6
Cluster Modem, Termination Plate, Redundant electrical Modulebus | 1 x TB840A, 1 x TU840 | 5.84E-7 | 3.62E-10 | 5.84E-7 | 1.06E-6
Cluster Modem, Termination Plate, Redundant electrical Modulebus | 1 x TB840A, 1 x TU848 | 6.05E-7 | 3.62E-10 | 6.05E-7 | 1.10E-6
Media Converter, optical (optional) | 1 x TB825 | 5.28E-7 | 5.28E-7 | NA | 7.81E-7
Media Converter, optical (optional) | 1 x TB826 | 5.41E-7 | 5.41E-7 | NA | 7.81E-7
S800 I/O HI | For single modules, see Table 18 above. For redundant modules see Table 19 above. | | | |

Note: Typical values per set of I/O module and module termination unit.
Does not apply to S800 I/O HI. See Table 19 above for S800 I/O HI single modules.
See separate document for individual reliability data for S800 I/O modules.


AC 800M HI Redundant Optical Modulebus


Table 21. Failure rates, AC 800M HI, Redundant Optical Modulebus

Variant | Including | Total failure rate safety function (λ) | Functional failure rate affecting both optical modulebuses (λ) | Functional failure rate affecting both electrical modulebuses (λ) | Total failure rate (λ)
--------|-----------|----------------------------------------|----------------------------------------------------------------|-------------------------------------------------------------------|-----------------------
Redundant optical modulebus | | | | |
Cluster Modem, Termination Plate, Single electrical Modulebus | 2 x TB840A, 1 x TU841 | 1.01E-6 | 1.63E-11 | 6.56E-9 | 1.78E-6
Cluster Modem, Termination Plate, Single electrical Modulebus | 2 x TB840A, 1 x TU849 | 1.04E-6 | 1.72E-11 | 3.80E-10 | 1.84E-6
Cluster Modem, Termination Plate, Redundant electrical Modulebus | 2 x TB840A, 1 x TU840 | 1.01E-6 | 1.63E-11 | 1.47E-10 | 1.79E-6
Cluster Modem, Termination Plate, Redundant electrical Modulebus | 2 x TB840A, 1 x TU848 | 1.03E-6 | 1.70E-11 | 2.42E-11 | 1.83E-6
Media Converter, optical (optional) | 2 x TB825 | 1.06E-6 | 2.32E-12 | NA | 1.56E-6
Media Converter, optical (optional) | 2 x TB826 | 1.08E-6 | 2.34E-12 | NA | 1.56E-6
S800 I/O HI | For single modules, see Table 18 above. For redundant modules see Table 19 above. | | | |

Note: Typical values per set of I/O module and module termination unit.
Does not apply to S800 I/O HI. See Table 18 and Table 19 above for S800 I/O HI single
modules.
See separate document for individual reliability data for S800 I/O modules.

Control Network Communication


Table 22. Failure rates, AC 800M HI, Control Network Communication

Variant | Including | Total failure rate (λ) | Functional failure rate (λ)
--------|-----------|------------------------|----------------------------
Comm. interface AC 800M HI, singular application | Internal built-in port | 2.5E-7 | 2.5E-7
Comm. interface AC 800M HI, Redundant application (off-line replacement when port fails reflected) | Internal built-in port | 2.5E-7 | 7E-8
HUB (typical value for industrial type of network component) | See Note | 8.5E-7 | 8.5E-7
Switch (typical value for industrial type of network component) | See Note | 2.2E-6 | 2.2E-6
Router (typical value for industrial type of network component) | See Note | -- | --

Note regarding External Network Components (HUBs, Switches and Routers):

In a singular network all components will contribute to the probability of
communication failure. Add the failure rates obtained from the manufacturer or use
the typical values given in Table 22.
In a fully redundant network, individual component failures may be disregarded.
Correctly installed, with respect to the rules valid for the actual environment, the network
may be regarded as practically free from serious failures which could prevent
communication. Important installation keywords include: EMC, cable location,
common ground, best suitable fibre optical or electrical media, bandwidth.

Appendix A Component Reliability Data

The following Table 23 and Table 24 give detailed figures for safety certified and
safety relevant HW components. It is not always possible to use the numbers found
in this appendix to calculate the values in the System Availability calculation
section. The calculated numbers are based on additional documented assumptions in
each configuration.


Table 23. Safety certified HW component reliability data.

Module                   | Description        | λsd     | λsu      | λdd     | λdu      | λ#      | λ-
-------------------------|--------------------|---------|----------|---------|----------|---------|--------
SM810 / TP855 (SIL2)     | Supervisory module | 2.10E-7 | 3.53E-7  | 5.62E-7 | 9.32E-9  | 1.49E-7 | 3.50E-7
SM811 / TP868 (SIL2)     | Supervisory module | 2.25E-7 | 3.53E-7  | 5.62E-7 | 9.32E-9  | 1.51E-7 | 3.50E-7
SM811 / TP868 (SIL3)     | Supervisory module | 2.41E-7 | 3.73E-7  | 5.82E-7 | 9.34E-9  | 1.76E-7 | 2.70E-7
SM812 / TP868 (SIL2)     | Supervisory module | 6.97E-7 | 1.89E-7  | 1.00E-6 | 7.45E-9  | 2.45E-7 | 1.34E-6
SM812 / TP868 (SIL3)     | Supervisory module | 6.98E-7 | 2.04E-7  | 1.02E-6 | 7.47E-9  | 2.53E-7 | 1.29E-6
PM865 / TP830            | Processor module   | 3.43E-7 | 3.13E-7  | 1.29E-6 | 5.68E-9  | 2.83E-7 | 5.60E-7
PM867 / TP830            | Processor module   | 9.68E-7 | 4.90E-7  | 8.76E-7 | 8.07E-9  | 3.88E-7 | 3.96E-7
AI880A                   | Analog input       | 3.45E-7 | 1.43E-10 | 5.69E-7 | 6.51E-11 | 2.92E-7 | 4.04E-8
DO880 NE                 | Digital output     | 1.75E-6 | 3.30E-7  | 3.83E-7 | 1.68E-10 | 2.52E-7 | 0
DO880 NE degraded mode   | Digital output     | 1.49E-6 | 3.29E-7  | 5.84E-7 | 6.74E-8  | 9.60E-7 | 0
DO880 ND                 | Digital output     | 1.48E-6 | 3.29E-7  | 6.56E-7 | 1.64E-10 | 9.60E-7 | 0
DI880                    | Digital input      | 3.01E-7 | 6.43E-8  | 4.50E-7 | 5.29E-11 | 2.91E-7 | 0
SS823                    | Power voter        | 5.88E-8 | 2.29E-8  | 0       | 0        | 1.47E-7 | 0


Table 24. Safety relevant HW component reliability data.

Module          | Description             | λsd     | λsu      | λdd     | λdu      | λ#      | λ-
----------------|-------------------------|---------|----------|---------|----------|---------|--------
TP830           | Termination Plate       | 2.03E-9 | 5.58E-8  | 3.85E-7 | 3.85E-11 | 4.21E-8 | 3.30E-7
TP855           | Termination Plate       | 3.45E-9 | 3.45E-9  | 1.02E-8 | 1.02E-12 | 1.00E-9 | 0
TP857           | Termination Plate       | 0       | 1.17E-8  | 1.37E-7 | 1.37E-11 | 1.28E-8 | 1.70E-8
TP868           | Termination Plate       | 1.77E-8 | 3.45E-9  | 1.02E-8 | 1.02E-12 | 2.42E-9 | 0
TB840           | Cluster Modem           | 3.77E-8 | 1.36E-8  | 3.79E-7 | 4.20E-11 | 1.19E-7 | 1.60E-7
TB840A          | Cluster Modem           | 7.97E-8 | 2.59E-8  | 3.19E-7 | 3.94E-11 | 1.42E-7 | 1.60E-7
TB825           | Media Converter         | 3.60E-7 | 1.09E-8  | 1.57E-7 | 1.57E-11 | 6.51E-8 | 3.96E-8
TB826           | Media Converter         | 3.75E-7 | 9.49E-9  | 1.57E-7 | 1.57E-11 | 5.98E-8 | 3.96E-8
BC810 / TP857   | CEX-Bus Intercon. Unit  | 3.98E-8 | 4.25E-8  | 1.05E-7 | 5.71E-11 | 1.44E-7 | 1.60E-7
TU842/843       | Module Termination Unit | 8.24E-9 | 8.24E-13 | 7.20E-8 | 7.20E-12 | 3.76E-8 | 0
TU844/845       | Module Termination Unit | 6.67E-8 | 6.67E-12 | 3.17E-8 | 3.17E-12 | 3.76E-8 | 0
TU834           | Module Termination Unit | 8.24E-9 | 3.25E-8  | 4.68E-8 | 4.68E-12 | 2.06E-9 | 0
TU807           | Module Termination Unit | 0       | 1.01E-8  | 1.65E-7 | 1.65E-11 | 2.48E-8 | 4.67E-9
TU840           | Module Termination Unit | 0       | 1.03E-8  | 1.49E-7 | 1.49E-11 | 1.54E-7 | 1.40E-8
TU841           | Module Termination Unit | 0       | 1.03E-8  | 1.49E-7 | 1.49E-11 | 1.52E-7 | 1.07E-8
TU848           | Module Termination Unit | 5.53E-9 | 1.65E-8  | 1.58E-7 | 1.58E-11 | 3.77E-8 | 1.50E-7
TU849           | Module Termination Unit | 5.01E-9 | 1.77E-8  | 1.66E-7 | 2.13E-11 | 4.32E-8 | 1.49E-7


Note: Not all TU8xx modules are listed in Table 24. For Digital I/O modules
other relevant MTUs can be used. As an example, TU810 has approximately the
same values as TU844/845. The values for AI880A include 8 x TY801 or 8 x TY805 shunt
sticks.

Revision History

The following table lists the revision history of this User Manual.

Revision Index | Description   | Date
---------------|---------------|-----------
-              | First version | April 2016

Contact us

www.abb.com/800xA
www.abb.com/controlsystems
www.abb.com/highintegritysafety

Copyright © 2004 - 2016 by ABB.
All rights reserved.

3BSE034876
