
3500/62 Process Variable Monitor

SIL2 Safety Manual


Bently Nevada* Asset Condition Monitoring

Document: 124M9848, Rev. -
Copyright 2018 Baker Hughes, a GE company, LLC ("BHGE")
All rights reserved.
The information contained in this document is the property of BHGE and its affiliates; and is
subject to change without prior notice. It is being supplied as a service to our customers and
may not be altered or its content repackaged without the express written consent of BHGE.
* Denotes a trademark of Bently Nevada, LLC, a wholly owned subsidiary of Baker Hughes, a GE
company.
All product and company names are trademarks of their respective holders. Use of the
trademark does not imply any affiliation with or endorsement by the respective holders.
The information published in this document is offered to you by BHGE in consideration of its ongoing sales
and service relationship with your organization. However, since the operation of your plant involves many
factors not within our knowledge, and since operation of the plant is in your control, ultimate responsibility
for its continuing successful operation rests with you, BHGE specifically disclaims any responsibility for
liability based on claims for damage of any type, i.e., direct, consequential or special that may be alleged to
have been incurred as result of applying this information regardless of whether it is claimed that BHGE is
strictly liable, in breach of contract, in breach of warranty, negligent, or is in other respects responsible for
any alleged injury or damage sustained by your organization as a result of applying this information. This
document is furnished to customers solely to assist in the installation, testing, operation and/or
maintenance of the equipment described. BHGE retains all rights to any intellectual property that may be
contained in this document.

Contact Information
When you cannot reach your local representative, use the following contact information to
reach us:
Mailing Address: 1631 Bently Parkway South, Minden, Nevada USA 89423
Telephone: 1.775.782.3611; 1.800.227.5514 (US only)
Internet: www.GEmeasurement.com

124M9848 Rev. - ii

Additional Information
NOTE

This manual does not contain all the information required to operate and maintain the product. Refer to the
following manuals for other required information.

Order the "Bently_Manuals" customer DVD to access all manuals, datasheets, application notes, and field
wiring diagrams for all available languages.

• 3500 Monitoring System Installation and Maintenance Manual (Document 129766)
• 3500 Monitoring System Rack Configuration and Utilities Guide (Document 129777)
• 3500 Field Wiring Diagram Package (Document 130432)
• 3500/62 Process Variable Operation Manual (Document 136973)
• 3500/62 Process Variable Monitor Product Datasheet (Document 141541)
• 3500 System Functional Safety Datasheet (Document 162242)
• 3500/22M Operation and Maintenance Manual (Document 161580)
• 3500/33 16 Channel Relay Module Operation and Maintenance Manual (Document 162291)


Contents
1. General Safety 1
1.1 Product Disposal Statement 1
2. Purpose 2
2.1 Abbreviations 2
2.2 IEC 61508-2 Annex D Requirements References 3
2.3 References 5
3. Hardware 6
3.1 Rack Interface Module 7
3.2 System Power Supplies 7
3.3 Monitors 7
3.4 Relay Modules 8
3.5 3500/62_SIL Setup and Hardware 8
4. Constraints and SIL Requirements 11
4.1 Skills Required to Commission and Maintain SIL Monitors 11
4.2 SIL Requirements 11
4.3 Recommendations 12
5. Functional Specifications 13
5.1 Systematic Capability 13
5.2 Architectural/Random Constraints 13
6. Failure Modes 16
6.1 Failure Modes of the Modules 16
6.2 Failure Modes Not Detected by Internal Diagnostics 16
6.3 Failure Modes Detected by Internal Diagnostics 16
6.4 Failure Modes of the Diagnostic System 17
6.5 External Diagnostics 17
7. Periodic Proof Test 19
7.1 How to Choose a Periodic Proof Test Interval 19
7.2 Periodic Proof Test Guide 19


1. General Safety

1.1 Product Disposal Statement


Customers and third parties, who are not member states of the European Union, who are in
control of the product at the end of its life or at the end of its use, are solely responsible for
the proper disposal of the product. No person, firm, corporation, association or agency that is
in control of product shall dispose of it in a manner that is in violation of any applicable
federal, state, local or international law. Baker Hughes, a GE company, LLC ("BHGE") is not
responsible for the disposal of the product at the end of its life or at the end of its use. Visit
www.weeerohsinfo.com for recycling information.


2. Purpose
This safety manual contains information related to the 3500/62_SIL Process Variable Monitor.
This monitor is a certified component that can be used in a functional safety system.
This safety manual is required for the integration of the 3500/62_SIL Process Variable Monitor
into a safety-related system in compliance with IEC 61508-2 Annex D.
This manual focuses on those details which specifically apply to the functional safety use case.
It augments the datasheets and user manuals of the 3500/62_SIL Process Variable Monitors.

2.1 Abbreviations
Abbreviation   Description
1oo1           one out of one (single) channel architecture
ANSI/ISA       American National Standards Institute / International Society of Automation
API            American Petroleum Institute
β              Common cause failure factor for undetectable dangerous faults
βD             Common cause failure factor for detectable dangerous faults
CE             Conformité Européenne (European Conformity)
DC             Diagnostic coverage
FIT            Failures in time
FMEA           Failure modes and effects analysis
FMEDA          Failure Modes, Effects and Diagnostic Analysis
FS             Functional Safety
HFT            Hardware fault tolerance
IEC            International Electrotechnical Commission
MRT            Mean repair time
MTBF           Mean time between failure
MTTF           Mean time to failure
MTTR           Mean time to restoration
NC             Normally Closed
NDE            Normally De-energized
NE             Normally Energized
NO             Normally Open
PTC            Proof test coverage
PFD            Probability of failure on demand
SC             Systematic coverage
SIL            Safety Integrity Level
SFF            Safe failure fraction
SIF            Safety instrumented function
TÜV            Technischer Überwachungsverein (Technical Inspection)
λS             Safe failure rate
λSD            Safe detected failure rate
λSU            Safe undetected failure rate
λD             Dangerous failure rate
λDD            Dangerous detected failure rate
λDU            Dangerous undetected failure rate

2.2 IEC 61508-2 Annex D Requirements References

The following table provides references to the information that fulfills each requirement of IEC 61508-2 Annex D:

IEC 61508 requirements (part 2 annex D) and where they are addressed in this manual

D2.1 a) a functional specification of the functions capable of being performed
    Reference: See "3500/62_SIL Setup and Hardware" on page 8

D2.1 b) identification of the hardware and/or software configuration of the compliant item
    Reference: See "3500/62_SIL Setup and Hardware" on page 8

D2.1 c) constraints on the use of the compliant item and/or assumptions on which analysis of the behavior or failure rates of the item are based
    Reference: See "Constraints and SIL Requirements" on page 11

D2.2 a) the failure modes of the compliant item due to random hardware failures, that result in a failure of the function and that are not detected by diagnostics internal to the compliant item;
    Reference: See "Failure Modes Not Detected by Internal Diagnostics" on page 16

D2.2 b) for every failure mode in a), an estimated failure rate;
    Reference: See "Functional Specifications" on page 13

D2.2 c) the failure modes of the compliant item due to random hardware failures, that result in a failure of the function and that are detected by diagnostics internal to the compliant item;
    Reference: See "Failure Modes Detected by Internal Diagnostics" on page 16

D2.2 d) the failure modes of the diagnostics, internal to the compliant item due to random hardware failures, that result in a failure of the diagnostics to detect failures of the function;
    Reference: See "Failure Modes of the Diagnostic System" on page 17

D2.2 e) for every failure mode in c) and d), the estimated failure rate;
    Reference: See "Architectural Constraints" on page 14

D2.2 f) for every failure mode in c) that is detected by diagnostics internal to the compliant item, the diagnostic test interval;
    Reference: See "Diagnostic Test Interval" on page 17

D2.2 g) for every failure mode in c) the outputs of the compliant item initiated by the internal diagnostics;
    Reference: See "Failure Modes Detected by Internal Diagnostics" on page 16

D2.2 h) any periodic proof test and/or maintenance requirements;
    Reference: See "Periodic Proof Test" on page 19

D2.2 i) for those failure modes, in respect of a specified function, that are capable of being detected by external diagnostics, sufficient information shall be provided to facilitate the development of an external diagnostics capability.
    Reference: See "External Diagnostics" on page 17

D2.2 j) the hardware fault tolerance;
    Reference: See "Architectural/Random Constraints" on page 13

D2.2 k) the classification as Type A or Type B of that part of the compliant item that provides the function (see 7.4.4.1.2 and 7.4.4.1.3);
    Reference: See "Architectural/Random Constraints" on page 13

D.2.3 a) The systematic capability of the compliant item or that part of the element that provides the function
    Reference: See "Systematic Capability" on page 13

D.2.3 b) Any instructions or constraints relating to the application of the compliant item, relevant to the function, that should be observed in order to prevent systematic failures of the compliant item
    Reference: See "Constraints and SIL Requirements" on page 11


2.3 References
• IEC 61508, Parts 1 - 7:2010: Functional safety of electrical/electronic/programmable electronic safety-related systems
• API Standard 670, 5th edition, Nov. 2014, Machinery Protection Systems
• TÜV Certificate and Report: 968/EZ 624.01/17
• Schematic Diagram 3500/62, Dwg. No: 163180 for Legacy OR No: 190086 for 2017 and later
• Schematic Diagram 3500/62 -10 to +10 Vdc I/O Module w/ Internal Terminations, Dwg. No: 190188
• Schematic Diagram 3500/62 -10 to +10 Vdc I/O Module w/ External Terminations, Dwg. No: 190188
• Schematic Diagram 3500/62 Isolated +4 to +20 mA I/O Module w/ Internal Terminations, Dwg. No: 190004
• Schematic Diagram 3500/62 Non-Isolated +4 to +20 mA I/O Module w/ Internal Barriers and Terminations, Dwg. No: 184854
• Statement of Compliance, BN26744C-18
• System test procedures, No: 158792, Rev. NC, 28 Nov 1995
• 3500 Monitoring System Computer Hardware and Software Manual (Document 128158)
• 3500 Monitoring System, Rack Installation and Maintenance Manual (Document 129766)
• Copy of ISO 9001 certificate, issued by Det Norske Veritas, 06 June 2017


3. Hardware
The 3500 system is a rack based machinery protection and condition monitoring platform that
provides information to assess and protect the mechanical condition of rotating and
reciprocating machinery. The system continuously measures and monitors various protection
and supervisory parameters. It provides important information for early identification of
machinery problems such as imbalance, misalignment, shaft crack and bearing failures.
The 3500 system has different slots where a system monitor and various other modules can
be installed. The monitor modules accept inputs from transducers, condition the signals to
provide various measurements, and compare the conditioned signals with user-programmable
alarms. Alarm statuses are generated and broadcast onto the system alarming networks.
In SIL-certified systems, the safety function is supported by one or more SIL-certified monitors.
These monitors supply alarm and status information to one or more relay modules. The relay
modules consume the information to resolve machine trip logic and drive their relay outputs.
The 3500 system also has relay modules that observe the alarming networks and drive relays
based on user programmable relay logic. The relay outputs are the monitoring system’s safety
output function. The relay outputs are used in the greater Safety Instrumented Function (SIF)
to bring the process to a safe state.
The core 3500 system consists of the following components:
• A rack chassis
• A backplane circuit board
• Redundant power supplies
• A rack interface module
The balance of the rack is made up of a series of monitoring slots. The minimum rack includes
seven slots. The full-size rack has 14 slots. The system performs machinery monitoring
including SIL-certified functionality.
The following diagram depicts the 3500 safety element architecture:

Figure 3 - 1: 3500 Safety Element Architecture


A SIL-certified 3500 system consists of one or more certified monitors interacting with one or
more certified relay modules. The monitors and relay modules function within the 3500
architecture and communicate with each other. The monitors and relay modules cannot be
directly interfaced to external devices except as depicted in the 3500 safety element
architecture.
The monitors and relay modules are certified individually. They can be used for many safety
instrumented function applications.

3.1 Rack Interface Module

The 3500/22M Transient Data Interface module (TDI) performs the interface functions for the
3500 system. The monitors and modules in the system must be configured using the TDI. The
TDI's Rack OK relay provides an output to indicate the overall system health.
The TDI includes the following physical and software mechanisms to prevent unauthorized
configuration changes:
• A configuration control keyswitch that locks system configuration
• A password required to modify system configuration

3.2 System Power Supplies

The 3500/15 System Power Supply accepts power from one of several possible power mains
sources. The system conditions the input into internal rack power supplies that support
internal power busses for the consumption of the installed monitors and modules.
Each 3500/15 Power Supply is capable of supporting all 3500 system functions. When two
supplies are installed in a rack, they provide fully redundant system power mains capability:
when one supply or its power mains experiences a fault, the faulted supply is automatically
switched out and the remaining supply carries the rack power load.
For 3500 systems supporting SIL-certified safety elements, redundant power supplies are
required.

3.3 Monitors
The 3500 monitors accept inputs from transducers in the field and condition signals into
measurements useful for machinery protection. The monitors constantly compare the
measurements against configured alarm setpoints to generate alarm and channel OK statuses.
These statuses are broadcast onto system alarming networks.
A monitor’s safety function is the broadcast alarm status and validity states on the alarming
network. All available software configuration options and logic parameters are valid for
supporting the safety function without restriction. These parameters can be selected and
arranged to suit application requirements.
The monitors are installed in any of the monitoring slots available in the system. Bently Nevada
offers numerous SIL-certified monitors for the 3500 system, each providing different
machinery protection capabilities. Different certified monitors can be combined and
duplicated to achieve the required safety instrumented functionality.

A 3500 monitor is composed of a main card and an I/O module. The I/O module interfaces with
the transducers producing the machinery-related signals and conditions the signals for the
monitor main card. The main card generates measurements from transducer information as
well as alarm and status messages.

3.4 Relay Modules

The 3500 system relay modules consume the alarm and status information broadcast onto the
system alarming networks. The relay modules constantly compare these messages against the
configured relay drive logic to provide machinery protection trip output capability.
A 3500 relay module is a multi-channel module composed of the following:
• A main card known as the relay controller. The relay controller interfaces with the 3500
  system alarming network to process its configured relay drive logic and generate relay
  channel drive signals.
• A relay output module. The relay I/O module accepts the relay drive signals from the
  controller. The module contains the relay devices which provide the machinery trip contacts.
Each channel provides independent Alarm Drive Logic functionality. Complex logic strings can
be developed using Boolean (AND and OR) logic elements. The logic acts on the alarm states
(alert, danger) and validity states (Not OK) generated by monitors. The states are available
from the system alarming networks. Each channel's logic string drives its own relay output
intended as a machinery trip output.

3.5 3500/62_SIL Setup and Hardware

The 3500/62_SIL Process Variable Monitor is a six-channel device. When a single channel is
applied in a one-out-of-one (1oo1) architecture, the monitor can be used to achieve a SIL 1 or
SIL 2 capable solution.
To properly configure the monitor using the 3500 Rack Configuration Software, refer to the
3500/62 Process Variable Monitor Operation Manual (Document 136973).
For proper field wiring setup to connect the transducer to the 3500/62_SIL I/O, refer to the
3500 System Field Wiring Diagram Package (Document 130432).


Figure 3 - 2: 3500/62_SIL Process Variable Hardware

The following table lists the SIL-certified I/O module options for the 3500/62_SIL.

Table 3 - 1: SIL-Certified 3500/62_SIL2 Module Options

Part Numbers: 3500/62_SIL1-AXX-BXX, 3500/62_SIL2-AXX-BXX

I/O Descriptions (AXX):
  01 - -10 to +10 Vdc with Internal Terminations
  02 - -10 to +10 Vdc with External Terminations
  03 - Isolated +4 to +20 mA with Internal Terminations
  04 - Isolated +4 to +20 mA with External Terminations
  05 - Non-isolated +4 to +20 mA with Internal Barriers and Internal Terminations

Approvals Options (BXX):
  00 - None
  01 - CSA/NRTL/C (Class I, Div 2)
  02 - ATEX/IECEx/CSA (Class I, Zone 2)

Notes: A 3500 system with one or more barrier I/O modules must include a 3500/04 Earthing Module.

Table 3 - 2: Spare Parts for the 3500/62_SIL 1 (approved) and the 3500/62_SIL 2 (approval pending)

Spare Part Number | Description                                                                    | Hardware Revision | Firmware Revision
163179-03         | SIL 3500/62_SIL Process Variable Monitor                                       | L                 | 167396 Rev. R; 167397 Rev. R
136491-01         | SIL -10 to +10 Vdc with Internal Terminations                                  | D                 | N/A
136499-01         | SIL -10 to +10 Vdc with External Terminations                                  | C                 | N/A
136294-01         | SIL Isolated +4 to +20 mA with Internal Terminations                           | E                 | N/A
136483-01         | SIL Isolated +4 to +20 mA with External Terminations                           | D                 | N/A
137110-01         | SIL Non-isolated +4 to +20 mA with Internal Barriers and Internal Terminations | K                 | N/A


4. Constraints and SIL Requirements

This section lists the requirements and recommendations for the 3500/62_SIL Process
Variable Monitor, which must be considered for the product to be integrated into a safety-
related system.
• Follow the requirements and recommendations to ensure the product is integrated into
  a safety-related system.
• Observe the requirements and recommendations to achieve the necessary performance
  and prevent systematic failures of the compliant products.
For detailed information on conditions of use, refer to the certificates and test reports. Contact
Bently Nevada technical support, or visit http://www.GEmeasurement.com.

4.1 Skills Required to Commission and Maintain SIL Monitors
The 3500 system is highly configurable and as such it can accommodate the needs of various
machinery monitoring and protection applications. Only qualified individuals with knowledge
of the 3500 platform should install, configure, operate, and maintain the system.

4.2 SIL Requirements

The requirements for SIL 1 are met by using a single Process Variable channel to support the
SIF. A single-channel, 1oo1, architecture may be used when the risk evaluation shows SIL 1
protection is a sufficient safeguard.
The requirements for SIL 2 are met by using a single Process Variable channel to support the
SIF. A single-channel, 1oo1, architecture may be used when the risk evaluation shows SIL 2
protection is a sufficient safeguard.
For the SIL 2 approval, these systems have been evaluated using specific components and
configuration. Adhere to the following requirements (Ordering, Hardware and Software) to
remain compliant.

Ordering Requirements
• For a SIL 1-certified 3500/62 monitor, order part number 3500/62_SIL1.
• For a SIL 2-certified 3500/62 monitor, order part number 3500/62_SIL2.
• Within a SIF, use only components contained within the SIL-certified configurations. See
  "3500/62_SIL Setup and Hardware" on page 8.

Hardware Requirements
• The 3500/62_SIL must be installed in a 3500 Rack with the following requirements:
  - The rack must have a 3500/22M Transient Data Interface Module.
  - The rack must contain at least one SIL-certified relay module.
  - The 3500 System with the 3500/62_SIL must be supported by redundant 3500/15
    power supplies.
• After configuring the 3500/62_SIL monitor and commissioning the system, the program
  keyswitch on the 3500/22M TDI must be set to RUN.
• A thorough proof test of the SIL system must be performed after removing any
  components that are part of the critical safety path in the 3500 system.
• An automated system must continuously monitor the System OK relay on the 3500/22M
  TDI to detect system faults.
• The 3500/62_SIL monitor operates in low demand mode.

Software Requirements
• The relay card used with the 3500/62_SIL monitor must be configured per the
  applicable relay card SIL safety manual.
• The monitors may be configured using the available options and parameters. These
  values are valid for the safety function without restriction.
• The verification tests outlined in the following manual must be performed:
  - 3500/62 Process Variable Monitor Operation Manual (Document 136973)
• The behavior of the safety system must be evaluated at the system level when the
  monitor reports failure conditions such as a NOT OK status or no neuron
  communication.
• After downloading the configuration to the 3500/62_SIL, the module configuration must
  be uploaded back to the host computer. The settings must be compared to verify the
  configuration was correctly received.
• A password must be used to protect the configuration of the 3500 system.

4.3 Recommendations
Bently Nevada, LLC recommends having Bently Nevada Services inspect the components and
system during validation/commissioning for proper installation, configuration and usage.


5. Functional Specifications
The 3500/62_SIL Process Variable Monitor conditions transducer inputs to create a measured
value and compare this measured value to the configured alarm setpoints. As a result of this
comparison, the monitor generates alarm statuses and broadcasts them onto the system
alarming networks. The safety function is the monitor's broadcasting of the alarm status and
validity states on the alarming network.
The test institute has assessed safety-related elements of system relay modules such as the
3500/32M_SIL and documented the results in test reports.

5.1 Systematic Capability

Techniques and measures to control and avoid systematic failures during the different phases
of the lifecycle have been evaluated by TÜV Rheinland and found to be sufficient to meet the
requirements of SIL 2 in accordance with IEC 61508, Parts 1 - 7:2010.

5.2 Architectural/Random Constraints

The basic architecture for the 3500/62_SIL Process Variable Monitor is the 1oo1 (one out of
one) architecture. This architecture is assigned a hardware fault tolerance (HFT) of zero.

SIL 2
To achieve SIL 2, the safety-related parameters are as follows.
• Average Probability of Failure on Demand (PFD) < 10^-2.
• The 3500/62_SIL2 monitor operates in low demand mode.
• The 3500/62_SIL2 monitor has a hardware safety integrity route of 1H.
• The 3500/62_SIL2 monitor has a systematic safety integrity route of 1S.
• The rated lifetime of the 3500/62_SIL2 monitors is 10 years.
• The 3500/62_SIL2 monitor is a Type B safety-related element with a Safe Failure
  Fraction (SFF) of 60% to < 90%.
• The 3500/62_SIL2 monitor has a Hardware Fault Tolerance (HFT) of 0 when used in a
  1oo1 configuration.
• The MTTR and MRT for the 3500/62_SIL2 monitors are 168 hours or 1 week (1).
(1) MTTR and MRT were assigned as 168 hours for the purposes of generating the PFDavg
calculation. This figure may be adjusted to suit application-specific considerations as long as
the same value is also used in the PFDavg calculation specific to the safety-related
installation.


Figure 5 - 1: 3500/62_SIL2 Monitor Safety Block Diagram

Architectural Constraints
The 3500/62_SIL-AXX-BXX consists of a 3500/62_SIL2 main card and an I/O module. See
SIL-Certified 3500/62_SIL I/O Modules in the Ordering Information section for the applicable
-AXX and -BXX options for these monitors.
The following table lists the 3500/62_SIL2-AXX-BXX failure rates per input channel.

Table 5 - 1: 3500/62_SIL-AXX-BXX Failure Rates per Input Channel (evaluated at +65°C)

Failure Modes (Main Board and I/O)    | 3500/62_SIL2-A01-BXX / -A02-BXX | 3500/62_SIL2-A03-BXX / -A04-BXX | 3500/62_SIL2-A05-BXX
Safe Failure Rate λS                  | 862.1 FIT                       | 899.9 FIT                       | 927.3 FIT
Dangerous Failure Rate λD             | 803.6 FIT                       | 882.6 FIT                       | 852.7 FIT
Dangerous Undetected Failure Rate λDU | 182.4 FIT                       | 187.0 FIT                       | 1812.4 FIT
PFDavg (1)                            | 9.65E-04                        | 9.99E-04                        | 9.67E-04

(1) The above PFDavg (average probability of failure on demand) values are calculated per the
standard with the listed failure rates and have the following assumptions.
• 1 year proof test interval (8760 hours)
• Mean time to repair (MTTR) is 168 hours (1 week)


6. Failure Modes
NOTE

When performing the FMEA on the 3500/62_SIL2, the failure modes of the input sensors and transducers were
not included in the FMEA calculation.

This section covers the failure modes of the 3500/62_SIL2 monitor and its internal diagnostics
system. Subsequent sections list the estimated failure rate for each failure mode.
The assumptions associated with these failure rates are as follows.
• Failure rates are based on Siemens standard SN 29500 and the maximum temperature
  limit as stated in section 4.2.
• The failure rate is constant over time.
• The listed failure rates are in Failures in Time (FIT), where 1 FIT = 10^-9 h^-1.

For the failure rates of a relay or sensor, refer to the SIL manual of that component.
The 3500/62_SIL2 monitor is set up for a single monitor channel in a 1oo1 configuration. This
configuration provides a hardware fault tolerance of zero. The monitor consists of Type A I/O
and Type B main card safety-related elements or subsystems.

6.1 Failure Modes of the Modules


A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/62_SIL modules. For failure mode information refer to the SIL certification
report, which includes the required information from the FMEDA.

6.2 Failure Modes Not Detected by Internal Diagnostics

A failure mode may occur in the 3500/62_SIL2 monitor which is not detected by the internal
diagnostics of the monitor. The following is true for all such failures regardless of whether they
are safe or dangerous:
• The monitor does not report the failure mode.
• The monitor does not adjust the alarm output states.
• The Rack OK relay does not change state.

6.3 Failure Modes Detected by Internal Diagnostics


The 3500/62_SIL2 monitor has internal diagnostics capabilities. When any failure is detected
by the diagnostics, the monitor responds by annunciating the condition. The Rack OK relay on
the 3500/22M TDI changes state to Not OK.

If the detected fault affects the ability of the monitor to perform its alarming function, the
fault is a dangerous failure. Therefore, the following actions are taken:
• The monitor adjusts the broadcast message on the alarming network to indicate the
  channel is invalid.
• The system relay module uses the invalid alarm status to adjust its alarm drive logic per
  its application-specific logic configuration.
When a fault prevents the monitor from generating alarming messages, the system relay
module detects the loss of alarming communication and responds by adjusting its alarm drive
logic per its application-specific configuration.
When the monitor or the system relay module detects a fault, the 3500/22M TDI records the
failure in the 3500 System Event List. For a list of failure codes detected by the internal
diagnostic system, refer to the 3500/62 Process Variable Monitor Operation Manual
(Document 136973).

Diagnostic Test Interval

The cycle interval between the internal diagnostic tests is one hour maximum; in most cases
the interval is far shorter. Diagnostic checks may take up to one hour to complete under
worst-case conditions.

System Outputs
When the internal diagnostic system of the 3500/62_SIL2 monitor detects a failure mode, the
state of the Rack OK relay changes to Not OK.

LED Indicated Fault Conditions


For a list of the LED indicated fault conditions, refer to the 3500/62 Process Variable Monitor
Operation Manual (Document 136973).

6.4 Failure Modes of the Diagnostic System


A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/62_SIL modules. For failure mode information refer to the SIL certification
report, which includes the required information from the FMEDA.

6.5 External Diagnostics


A 3500 system with the 3500/62_SIL2 monitor must include at least one of the SIL-certified
system relay modules. The relay module provides safety relay output functionality to the
system. It also functions as an external diagnostic device when the monitor cannot broadcast
alarming messages. The relay drive logic must be configured with at least one alarm.
To support the SIL-certified monitor, the 3500 system must have a 3500/22M TDI module. The
3500/22M performs diagnostics on the installed monitors and I/O modules. These diagnostics
are different from those performed by each monitor internally.

When the 3500/22M detects a failure mode for one of the monitors, it changes the status of
the Rack OK relay to Not OK.
A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/62_SIL modules. For failure mode information refer to the SIL certification
report, which includes the required information from the FMEDA.


7. Periodic Proof Test


The circuit boards and components of the 3500 modules cannot be repaired in the field. To
maintain the 3500 rack, the monitors’ channels must be tested to verify their operation.
Monitors and modules that are not operating correctly must be replaced.
If the 3500 rack is not in a hazardous area, the 3500/62_SIL2 monitor may be installed into or
removed from the rack while the power is applied to it.
If the 3500 rack is in a hazardous area, refer to the 3500 Monitoring System Installation and
Maintenance Manual (Document 129766) for the proper installation and removal procedures.
Standard IEC/EN 60079-0 defines a hazardous environment as an area in which an explosive
atmosphere is present, or may be expected to be present, in quantities that require special
precautions for the construction, installation, and use of electrical apparatus.

7.1 How to Choose a Periodic Proof Test Interval

The proof test coverage provided by the internal diagnostic functionality of the 3500/62_SIL2
monitor is 76.6%. The dangerous failures that fall outside the monitor's diagnostic capabilities
are considered dangerous undetected failures. They must be detected as part of periodic proof
test activities.
A periodic proof test interval of 1 year is recommended. By using the PFDavg equation from
IEC 61508-6 that is appropriate for the specific safety-related system, the effect on the PFDavg
value of longer or shorter periodic proof test intervals can be determined.
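The PFDavg figures in Table 5-1 and the proof test interval discussion above both rest on the same low-demand 1oo1 relationship between λDU, λDD, the proof test interval T1 and the MTTR/MRT. The following Python script is an added example; it is not part of this manual and is not Bently Nevada's certified FMEDA calculation. It applies the simplified 1oo1 channel formula of IEC 61508-6 Annex B (PFDavg = λDU·(T1/2 + MRT) + λDD·MTTR, with λDD = λD - λDU) to the published -A01/-A02 per-channel rates, derives the safe failure fraction from the same rates, and shows how PFDavg moves as the proof test interval is lengthened or shortened. The certified figures in Table 5-1 come from the FMEDA and may include terms this simplification omits, so the result for the 1-year interval (about 9.3E-04) is close to, but not identical to, the table's 9.65E-04. Apart from the Table 5-1 rates, the 8760-hour interval and the 168-hour MTTR, every value and helper name here is an assumption of this example.

```python
"""Low-demand 1oo1 PFDavg / SFF calculator (added example, not the manual's own).

Formulas (simplified 1oo1 channel, IEC 61508-6 Annex B):
    lambda_DD = lambda_D - lambda_DU
    SFF       = (lambda_S + lambda_DD) / (lambda_S + lambda_D)
    PFDavg    = lambda_DU * (T1/2 + MRT) + lambda_DD * MTTR
Rates are in FIT (1 FIT = 1e-9 failures per hour); times are in hours.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

FIT = 1e-9              # 1 FIT = 1e-9 failures per hour
HOURS_PER_YEAR = 8760.0
SIL2_PFD_TARGET = 1e-2  # the manual's stated SIL 2 criterion: PFDavg < 10^-2


@dataclass(frozen=True)
class ChannelFailureRates:
    """Per-channel failure rates in FIT, as published in Table 5-1."""
    name: str
    lambda_s: float    # safe failure rate
    lambda_d: float    # total dangerous failure rate (detected + undetected)
    lambda_du: float   # dangerous undetected failure rate

    @property
    def lambda_dd(self) -> float:
        """Dangerous detected rate: the dangerous failures internal diagnostics catch."""
        return self.lambda_d - self.lambda_du

    def safe_failure_fraction(self) -> float:
        """SFF: share of all failures that are either safe or dangerous-detected."""
        return (self.lambda_s + self.lambda_dd) / (self.lambda_s + self.lambda_d)

    def pfd_avg_1oo1(self, proof_test_hours: float, mttr_hours: float = 168.0,
                     mrt_hours: Optional[float] = None) -> float:
        """Simplified 1oo1 PFDavg for a low-demand channel.

        Undetected dangerous failures persist on average for half the proof test
        interval plus the repair time; detected ones persist for the MTTR.
        MRT defaults to MTTR, matching the manual's 168 h assignment for both.
        """
        if proof_test_hours <= 0 or mttr_hours < 0:
            raise ValueError("proof test interval must be positive, MTTR non-negative")
        mrt = mttr_hours if mrt_hours is None else mrt_hours
        undetected_term = self.lambda_du * FIT * (proof_test_hours / 2.0 + mrt)
        detected_term = self.lambda_dd * FIT * mttr_hours
        return undetected_term + detected_term


def meets_sil2_pfd_target(pfd_avg: float) -> bool:
    """Check the manual's stated SIL 2 criterion: PFDavg < 10^-2."""
    return pfd_avg < SIL2_PFD_TARGET


def proof_test_sweep(rates: ChannelFailureRates,
                     years: Sequence[float] = (0.5, 1.0, 2.0, 5.0),
                     mttr_hours: float = 168.0) -> Dict[float, float]:
    """PFDavg for several proof test intervals (in years), as section 7.1 suggests."""
    return {y: rates.pfd_avg_1oo1(y * HOURS_PER_YEAR, mttr_hours) for y in years}


# Rates taken from Table 5-1 for the -A01/-A02 I/O options (per input channel, +65 °C).
A01_A02 = ChannelFailureRates("3500/62_SIL2-A01/A02-BXX", lambda_s=862.1,
                              lambda_d=803.6, lambda_du=182.4)

if __name__ == "__main__":
    print(f"{A01_A02.name}: lambda_DD = {A01_A02.lambda_dd:.1f} FIT, "
          f"SFF = {A01_A02.safe_failure_fraction():.1%}")
    for years, pfd in proof_test_sweep(A01_A02).items():
        verdict = "meets" if meets_sil2_pfd_target(pfd) else "fails"
        print(f"  proof test every {years:>4} y -> PFDavg = {pfd:.2E} "
              f"({verdict} SIL 2 PFD target)")
```

The derived SFF of roughly 89% sits inside the 60% to < 90% band the manual states for the element, which is a useful sanity check that the three published rates are mutually consistent. Doubling the proof test interval to 2 years roughly doubles the λDU term and lifts PFDavg to about 1.7E-03, which is the effect section 7.1 asks the integrator to evaluate for their own installation before departing from the recommended 1-year interval.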

7.2 Periodic Proof Test Guide


The periodic proof test verifies the hardware and configuration integrity. The 3500/62 Process
Variable Monitor Operation Manual (Document 136973) describes the verification procedures
and the recommended test equipment.
