
3500/25 SIL Enhanced Keyphasor Module

SIL Safety Manual


Bently Nevada* Asset Condition Monitoring

Document: 124M5527
Rev. -
3500/25 SIL Enhanced Keyphasor Module
SIL Safety Manual
Copyright 2017 Baker Hughes, a GE company, LLC ("BHGE")
All rights reserved.
The information contained in this document is the property of BHGE and its affiliates; and is
subject to change without prior notice. It is being supplied as a service to our customers and
may not be altered or its content repackaged without the express written consent of BHGE.
* Denotes a trademark of Bently Nevada, LLC, a wholly owned subsidiary of Baker Hughes,
a GE company.
Keyphasor, Proximitor
All product and company names are trademarks of their respective holders. Use of the
trademark does not imply any affiliation with or endorsement by the respective holders.
The information published in this document is offered to you by BHGE in consideration of its ongoing sales and service relationship with your organization. However, since the operation of your plant involves many factors not within our knowledge, and since operation of the plant is in your control, ultimate responsibility for its continuing successful operation rests with you. BHGE specifically disclaims any responsibility for liability based on claims for damage of any type, i.e., direct, consequential or special, that may be alleged to have been incurred as a result of applying this information, regardless of whether it is claimed that BHGE is strictly liable, in breach of contract, in breach of warranty, negligent, or is in other respects responsible for any alleged injury or damage sustained by your organization as a result of applying this information. This document is furnished to customers solely to assist in the installation, testing, operation and/or maintenance of the equipment described. BHGE retains all rights to any intellectual property that may be contained in this document.

Contact Information
When you cannot reach your local representative, use the following contact information to reach us:
Mailing Address: 1631 Bently Parkway South, Minden, Nevada USA 89423
Telephone: 1.775.782.3611 or 1.800.227.5514 (US only)
Internet: www.GEmeasurement.com

124M5527 Rev. - ii

Additional Information
NOTE: This manual does not contain all the information required to operate and maintain the monitoring system. Refer to the following manuals for other required information.

Order the Bently_Manuals DVD to access all manuals, datasheets, application notes, and field wiring diagrams in available languages.

- 3500 Monitoring System Installation and Maintenance Manual (Document 129766)
- 3500 Monitoring System Rack Configuration and Utilities Guide (Document 129777)
- 3500 Field Wiring Diagram Package (Document 130432)
- 3500/25 Enhanced Keyphasor Module Operation and Maintenance Manual (Document 129770)
- 3500/25 Enhanced Keyphasor Module Datasheet (Document 141532)
- 3500/42M Prox/Seismic Monitor Datasheet (Document 143694)
- 3500 System Functional Safety Datasheet (Document 162242)
- 3500/22M TDI Operation and Maintenance Manual (Document 161580)
- 3500/32M 4-Channel Relay Module Operation and Maintenance Manual (Document 129771)
- 3500/33 16-Channel Relay Module Operation and Maintenance Manual (Document 162291)


Contents
1. General Safety 1
1.1 Receiving Inspection 1
1.2 Handling and Storing Considerations 1
1.3 Safe Disposal 2
2. Purpose 3
2.1 Abbreviations 3
2.2 IEC 61508-2 Annex D Requirements References 5
2.3 References 6
3. Hardware 8
3.1 Rack Interface Monitor 9
3.2 System Power Supplies 9
3.3 Monitors 10
3.4 Enhanced Keyphasor Module 10
3.5 Relay Modules 10
3.6 3500/25_SIL2 Setup and Hardware 11
4. Constraints and SIL Requirements 14
4.1 Who Should Commission and Maintain SIL Monitors? 14
4.2 SIL Requirements 14
4.3 Recommendations 15
5. Functional Specifications 16
5.1 Systematic Capability 16
5.2 Architectural and Random Constraints 16
6. Failure Modes 19
6.1 Failure Modes of the Module 19
6.2 Failure Modes Not Detected by Internal Diagnostics 19
6.3 Failure Modes Detected by Internal Diagnostics 20
6.4 Failure Modes of the Diagnostic System 20
6.5 External Diagnostics 20
7. Periodic Proof Test 22
7.1 How to Choose a Periodic Proof Test Interval 22
7.2 Periodic Proof Test Guide 22


1. General Safety
Before using your 3500/25 SIL Enhanced Keyphasor Module, read and understand the
following precautions thoroughly. Pay attention to all warnings and recommendations to
prevent data loss or inaccuracy, damage to the device, and injury to yourself.

1.1 Receiving Inspection


Visually inspect the monitor for obvious shipping damage. If you detect any damage, file a
claim with the carrier and submit a copy to Baker Hughes, a GE company, LLC ("BHGE").

1.2 Handling and Storing Considerations


Circuit boards contain devices that are susceptible to damage when exposed to
electrostatic charges. Damage caused by obvious mishandling of the board voids the
warranty. To avoid damage to your device, observe the following precautions:
1. Do not discharge static electricity onto the circuit board. Avoid tools or procedures such as ungrounded
soldering irons and nonconductive plastics that cause static damage to the circuit board.

2. Personnel must be grounded with a suitable grounding strap before handling or maintaining a printed circuit
board.

3. Transport and store circuit boards in electrically conductive bags or foil.

4. Use extra caution during dry weather. Relative humidity less than 30 % multiplies the accumulation of
static charges on any surface.


1.3 Safe Disposal


Product Disposal Statement
Customers or third parties who are not member states of the European Union are solely
responsible for diligent product disposal at the end of its useful life. No person, firm,
corporation, association, or agency shall dispose of the product in a way that is in violation
of any applicable international, federal, state, or local regulations. Baker Hughes, a GE
company, LLC ("BHGE") is not responsible for product disposal at the end of its useful life.
Visit www.weeerohsinfo.com for recycling information.


2. Purpose
This safety manual contains information about the 3500/25_SIL2 Enhanced Keyphasor
Module. The Keyphasor module is a certified component that can be used in a functional
safety system.
This safety manual is required for the proper integration of the 3500/25_SIL2 into a safety
related system in compliance with IEC 61508-2 Annex D.
The manual focuses on the functional safety use case. It augments the datasheets and user
manual of the 3500/25 Enhanced Keyphasor Module.

2.1 Abbreviations
Abbreviation   Description
ANSI/ISA       American National Standards Institute / International Society of Automation
API            American Petroleum Institute
ARM            Armature
CE             Conformité Européenne (European Conformity)
DC             Diagnostic coverage
FIT            Failures in time
FMEA           Failure modes and effects analysis
FS             Functional Safety
HFT            Hardware fault tolerance
IEC            International Electrotechnical Commission
MRT            Mean repair time
MTBF           Mean time between failures
MTTF           Mean time to failure
MTTR           Mean time to restoration
NC             Normally Closed
NDE            Normally De-energized
NE             Normally Energized
NO             Normally Open
PTC            Proof test coverage
PFD            Probability of failure on demand
RIM            Rack Interface Module
SC             Systematic coverage
SIL            Safety Integrity Level
SFF            Safe failure fraction
SIF            Safety instrumented function
TUV            Technischer Überwachungsverein (Technical Inspection)
λs             Safe failure rate
λsd            Safe detected failure rate
λsu            Safe undetected failure rate
λd             Dangerous failure rate
λdd            Dangerous detected failure rate
λdu            Dangerous undetected failure rate


2.2 IEC 61508-2 Annex D Requirements References

The following table provides references to the information in this manual that fulfills each requirement of IEC 61508-2 Annex D:

IEC 61508 Requirement (Part 2 Annex D)                                              Reference

D2.1 a) Functional specification of the functions being performed.                  See "3500/25_SIL2 Setup and Hardware" on page 11.

D2.1 b) Identification of the hardware and software configuration of the compliant item.   See "3500/25_SIL2 Setup and Hardware" on page 11.

D2.1 c) Constraints on the use of the compliant item and assumptions on which analysis of the behavior or failure rates of the item are based.   See "Constraints and SIL Requirements" on page 14.

D2.2 a) The failure modes of the compliant item due to random hardware failures that result in a failure of the function and are not detected by diagnostics internal to the compliant item.   See "Failure Modes Not Detected by Internal Diagnostics" on page 19.

D2.2 b) For every failure mode in a), an estimated failure rate.                    See "Functional Specifications" on page 16.

D2.2 c) The failure modes of the compliant item due to random hardware failures that result in a failure of the function and that are detected by diagnostics internal to the compliant item.   See "Failure Modes Not Detected by Internal Diagnostics" on page 19.

D2.2 d) The failure modes of the diagnostics internal to the compliant item, due to random hardware failures, that result in a failure of the diagnostics to detect failures of the function.   See "Failure Modes of the Diagnostic System" on page 20.

D2.2 e) For every failure mode in sections c) and d), the estimated failure rate.   See "Functional Specifications" on page 16.

D2.2 f) For every failure mode in section c) detected by diagnostics internal to the compliant item, the diagnostic test interval.   See "How to Choose a Periodic Proof Test Interval" on page 22.

D2.2 g) For every failure mode in section c), the outputs of the compliant item initiated by the internal diagnostics.   See "Failure Modes Detected by Internal Diagnostics" on page 20.

D2.2 h) Any periodic proof test and maintenance requirements.                       See "Periodic Proof Test Guide" on page 22.

D2.2 i) For those failure modes, in respect of a specified function, that are capable of being detected by external diagnostics, sufficient information shall be provided to facilitate the development of an external diagnostics capability.   See "External Diagnostics" on page 20.

D2.2 j) The hardware fault tolerance.                                               See "Architectural and Random Constraints" on page 16.

D2.2 k) The classification as type A or type B of that part of the compliant item that provides the function.   See "Architectural and Random Constraints" on page 16.

D.2.3 a) The systematic capability of the compliant item or that part of the element that provides the function.   See "Systematic Capability" on page 16.

D.2.3 b) Any instructions or constraints relating to the application of the compliant item, relevant to the function, that should be observed in order to prevent systematic failures of the compliant item.   See "SIL Requirements" on page 14.

2.3 References
IEC 61508, Parts 1-7:2010, Functional safety of electrical, electronic and programmable electronic safety-related systems
API Standard 670, 5th edition, December 2000, Machinery Protection Systems
TÜV Certificate and Report Number 968/EZ 557.00/12
Schematic Diagram 3500/25 Enhanced Keyphasor Module, Dwg. No: 184685
Schematic Diagram Keyphasor I/O with internal termination, Dwg. No: 184390
Schematic Diagram Keyphasor I/O with external termination, Dwg. No: 184390
Schematic Diagram Isolated Keyphasor I/O with internal termination, Dwg. No: 184390
Schematic Diagram Isolated Keyphasor I/O with external termination, Dwg. No: 184390
Schematic Diagram Keyphasor I/O with internal Barriers, Dwg. No: 184833
Statement of Compliance, BN26744C-18
System test procedures, No: 158792, Rev. NC, 28 Nov 1995
3500 Monitoring System Computer Hardware and Software Manual, Document 128158
3500 Monitoring System, Rack Installation and Maintenance Manual, Document 129766
Copy of ISO 9001 certificate, issued by Det Norske Veritas, 06 June 2017


3. Hardware
The 3500 system is a rack-based machinery protection and condition monitoring platform that provides information to assess and protect the mechanical condition of rotating and reciprocating machinery. The system continuously measures and monitors various protection and supervisory parameters. It provides important information for early identification of machinery problems such as imbalance, misalignment, shaft crack and bearing failures.
The 3500 system has different slots where you can install system monitors and modules. The monitors accept inputs from transducers, condition the signals to provide various measurements, and compare the conditioned signals with user-programmable alarms. Alarm statuses are generated and broadcast onto the system alarming networks.

In SIL-certified systems, the safety function is supported by one or more SIL-certified monitors. These monitors supply alarm and status information to one or more relay modules. Where the application calls for alarm information based on measurements related to the rotational phase of the machine, a conditioned Keyphasor signal must be provided to the monitor. The monitor uses this signal to generate the phase-related measurements and their associated alarms. These applications require the use of a Keyphasor module in the 3500 system.
The relay modules consume the information to resolve machine trip logic and drive their relay outputs.
The 3500 system also has relay modules that observe the alarming networks and drive relays based on user-programmable relay logic. The relay outputs are the monitoring system's safety output function. The relay outputs are used in the greater Safety Instrumented Function (SIF) to bring the process to a safe state.

The core 3500 system consists of the following components:
- A rack chassis
- A backplane circuit board
- Redundant power supplies
- A rack interface module

The balance of the rack is made up of a series of monitoring slots. The minimum rack includes seven slots. The full-size rack has 14 slots. The system performs machinery monitoring including SIL-certified functionality.
The following diagram depicts the 3500 safety element architecture for safety instrumented functions that include phase-related measurements:


A SIL-certified 3500 system consists of one or more certified monitors interacting with one or
more certified relay modules. The monitors and relay modules function within the 3500
architecture and communicate with each other. You cannot directly interface the monitors
and relay modules to external devices except as depicted in the 3500 safety element
architecture.
The monitors and relay modules are certified individually. You can use them for many safety
instrumented function applications.

3.1 Rack Interface Monitor


The 3500/22M Transient Data Interface module (TDI) performs the interface functions for the
3500 system. You must use the TDI to configure the monitors and modules in the system.
The TDI's Rack OK relay provides an output to indicate the overall system health.
The TDI includes the following physical and software mechanisms to prevent unauthorized configuration changes:
- A configuration control keyswitch that locks system configuration
- A password required to modify system configuration

3.2 System Power Supplies


The 3500/15 System Power Supply accepts power from one of several possible power mains sources. The supply conditions the input into internal rack power supplies that feed the internal power busses consumed by the installed monitors and modules.
Each 3500/15 Power Supply is capable of supporting all 3500 system functions. When two supplies are installed in a rack, they provide fully redundant system power mains capability: when one supply or its power mains experiences a fault, that supply is automatically switched out and the remaining supply carries the rack power load.
For 3500 systems supporting SIL-certified safety elements, redundant power supplies are required.


3.3 Monitors
The 3500 monitors accept inputs from transducers in the field and condition signals into
measurements useful for machinery protection. The monitors constantly compare the
measurements against configured alarm setpoints to generate alarm and channel OK
statuses. These statuses are broadcast onto system alarming networks.
A monitor’s safety function is the broadcast alarm status and validity states on the alarming
network. All available software configuration options and logic parameters are valid for
supporting the safety function without restriction. You can select and arrange these
parameters to suit your application requirements.
The monitors are installed in any of the monitoring slots available in the system. We offer
numerous SIL-certified monitors for the 3500 system, each providing different machinery
protection capabilities. You can combine different certified monitors and duplicate them to
achieve the required safety instrumented functionality.
A 3500 monitor is composed of a main card and an I/O module. The I/O module interfaces
with the transducers producing the machinery-related signals and conditions the signals for
the monitor main card. The main card generates measurements from transducer information
as well as alarm and status messages.

3.4 Enhanced Keyphasor Module


The 3500 system Keyphasor modules accept inputs from transducers in the field, each observing a feature that produces a single event per machine revolution. The module processes each resulting input signal into a conditioned machine phase reference signal. Each conditioned signal is broadcast onto its own system Keyphasor bus for use by the monitors installed in the system.
The modules are installed in any of the monitoring slots available in the system to provide the SIL-rated Keyphasor function needed to support one or more SIL-certified monitors in creating phase-related safety measurements and alarms.
The module's fundamental safety function is the conditioned Keyphasor signal broadcast on one of the internal rack Keyphasor buses.
The module is configured using the 3500 Rack Configuration Software. The configuration options available must be restricted per section 4.2.3 of this manual. Within that restriction, these parameters can be selected and arranged to suit the specific application requirements.

3.5 Relay Modules


The 3500 system relay modules consume the alarm and status information broadcast onto the system alarming networks. The relay modules constantly compare these messages against the configured relay drive logic to provide machinery protection trip output capability.
A 3500 relay module is a multi-channel module composed of the following:
- A main card known as the relay controller. The relay controller interfaces with the 3500 system alarming network to process its configured relay drive logic and generate relay channel drive signals.
- A relay output module. The relay I/O module accepts the relay drive signals from the controller. The module contains the relay devices which provide the machinery trip contacts.

Each channel provides independent Alarm Drive Logic functionality. You can develop complex logic strings using Boolean (AND and OR) logic elements. The logic acts on the alarm states (alert, danger) and validity states (Not OK) generated by monitors. The states are available from the system alarming networks. Each channel's logic string drives its own relay output intended as a machinery trip output.

3.6 3500/25_SIL2 Setup and Hardware


The 3500/25_SIL2 is a two-channel, half-height Keyphasor module. When a single channel
is applied in a one-out-of-one (1oo1) architecture, the module can be used to achieve a SIL
2 capable solution.
To properly configure the monitor using the 3500 Rack Configuration Software, refer to the
3500/25 Enhanced Keyphasor Module Operation and Maintenance Manual (document
129770).
For proper field wiring setup to connect transducers to the 3500/25_SIL2 I/O, refer to the
3500 System Field Wiring Diagram Package (document 130432).

The following diagram depicts the hardware components of the 3500/25_SIL2 Keyphasor Module:

Figure 3 - 1: Keyphasor I/O Front and Rear Panels


1. 3500/25_SIL2 card front view, Buffered Transducer Outputs
2. I/O Module, Isolated Internal Termination
3. I/O Module, Isolated External Termination
4. I/O Module, Non-Isolated Internal Termination
5. I/O Module, Non-Isolated External Termination
6. Barrier I/O Module, Internal Termination

SIL-Certified 3500/25_SIL2 I/O Modules
The following table lists SIL-certified 3500/25_SIL2 ordering options:

3500/25_SIL2-AXX-BXX-CXX Options

AXX  Number of channels
     01: Single half-height 2-channel Keyphasor card
     02: Two half-height 2-channel Keyphasor cards

BXX  Type of I/O Module
     01: I/O module with Internal Terminations
     02: I/O module with External Terminations
     03: Internal Barrier I/O with Internal Terminations
     04: Isolated I/O module with Internal Terminations*
     05: Isolated I/O module with External Terminations*

CXX  Agency Approvals
     01: CSA/NRTL/C (Class 1, Div 2)
     02: ATEX/CSA (Class 1 Zone 2)

*Designed for use with Magnetic Pickups


The following table lists the spare parts for 3500/25_SIL2:

Spare Part Number   Description                                                         Hardware Revision   Firmware Revision
149369-01           Enhanced Keyphasor Module                                           R                   3.51
125800-01           Keyphasor I/O Module with Internal Terminations                     F                   N/A
126648-01           Keyphasor I/O Module with External Terminations                     G                   N/A
135473-01           Keyphasor I/O Module with Internal Barriers and Internal Terminations   M               N/A
125800-02           Isolated Keyphasor I/O Module with Internal Terminations            D                   N/A
126648-02           Isolated Keyphasor I/O Module with External Terminations            E                   N/A


4. Constraints and SIL Requirements


The following are requirements and recommendations for the 3500/25_SIL2 Functional Safety Certified module which must be considered for the product to be integrated into a safety-related system.
- Follow the requirements and recommendations to ensure the product is integrated into a safety-related system.
- Observe the requirements and recommendations to achieve the necessary system performance and prevent systematic failures of the compliant product.

For detailed information on conditions of use, refer to the certificates and test reports. Contact Bently Nevada technical support, or visit http://www.GEmeasurement.com.

4.1 Who Should Commission and Maintain SIL Monitors?


The 3500 system is highly configurable such that it can accommodate the needs of various
machinery monitoring and protection applications. Only qualified individuals with the
knowledge of the 3500 platform should install, configure, operate and maintain the system.

4.2 SIL Requirements


The requirements for SIL 2 are met by using a single Keyphasor channel to support the SIF. You can use a single-channel architecture for machinery protection when the risk evaluation shows SIL 2 protection is a sufficient safeguard.
For the SIL 2 approval, we have evaluated these systems using specific components and configurations. Adhere to the following requirements to remain compliant:

Ordering Requirements
- For a SIL-certified 3500/25 module, order part number 3500/25_SIL2.
- Within a SIF, use only components contained within the TUV-certified configurations.

Hardware Requirements
- The 3500/25_SIL2 must be installed in a 3500 rack that meets the following requirements:
  - The rack must have a 3500/22M Transient Data Interface Module.
  - The rack must have a SIL-capable 3500 4-channel monitor.
  - The rack must contain at least one SIL-certified relay module.
  - The 3500 system must be supported by redundant 3500/15 power supplies.
- You must set the system program keyswitch on the 3500/22M TDI to RUN after configuring and commissioning the system.
- After removing any components that are part of the critical safety path in the 3500 system, you must perform a full proof test of the SIL system.
- An automated system must continuously monitor the System OK relay on the 3500/22M TDI to detect system faults.
- The 3500/25_SIL2 operates in low demand mode.

Software Requirements
- You must configure and validate the monitors and relay cards associated with the SIL-rated Keyphasor per the applicable SIL safety manuals.
- You can configure the Keyphasor module using the available options and parameters. These values are valid for the safety function with the following exception: the 3500/25 Enhanced Keyphasor Module can provide two types of output signals to the system Keyphasor busses ("Processed" and "Non-Processed") within a paired or non-paired configuration. Only non-paired, non-processed signals are valid for the support of the safety function.
- You must perform the validation tests outlined in the 3500/25 Module Manual (document 129770).
- When the module reports failure conditions such as a NOT OK status, evaluate the behavior of the safety system at the system level.
- After downloading the configuration to the 3500/25_SIL2, upload the module configuration back to the host computer. Compare the uploaded settings against the specified settings to verify the configuration was correctly received.
- Use a password to protect the configuration of the 3500 system.

4.3 Recommendations
We recommend having GE’s Bently Nevada Services inspect your 3500 system when
validating and commissioning the components to ensure proper installation, configuration
and usage.


5. Functional Specifications
The 3500/25_SIL2 Enhanced Keyphasor Module receives analog input signals from
proximity probes or magnetic pickups and converts them to conditioned digital signals
transmitted down the backplane to indicate when the Keyphasor mark on the shaft is in line
with the probe. The 3500 System Monitoring modules use this Keyphasor signal from the
backplane to calculate vector parameters such as 1X amplitude and phase, and compare
the measured parameter to the configured alarm set points. As a result of this comparison,
the monitors generate alarm statuses and broadcast them onto the system alarming
networks. The safety function is the monitor's broadcasting of the alarm status and validity
states on the alarming network.
The test institute has assessed the associated safety-related elements of Proximitors,
monitors and system relay modules such as 3500/32M_SIL and documented the results in
test reports.

5.1 Systematic Capability


The 3500/25_SIL2 techniques and measures to avoid and control systematic failures during the safety lifecycle phases were inspected by TÜV Rheinland, which resulted in a systematic capability of SIL 2 in accordance with IEC 61508:2010, route 1S.

5.2 Architectural and Random Constraints


The calculation of the 3500/25_SIL2 Enhanced Keyphasor Module's safety-relevant parameters has shown that the requirements of SIL 2 per IEC 61508:2010 are fulfilled in a 1oo1 configuration.
The component-level FMEDA was carried out by TÜV Rheinland in consideration of the requirements of IEC 61508, parts 1-7:2010. Component failure rates were based on SN 29500, with a maximum ambient temperature of 65°C.
To achieve the targeted SIL 2, the safety-related parameters are:
- Average probability of a dangerous failure on demand (PFD) < 10^-2
- The 3500/25_SIL2 operates in a low demand mode.
- The 3500/25_SIL2 has a hardware safety integrity route of 1H.
- The 3500/25_SIL2 has a systematic safety integrity route of 1S.
- The rated lifetime of the 3500/25_SIL2 is 10 years.
- The 3500/25_SIL2 is a Type B safety-related element with a Safe Failure Fraction (SFF) of 90% to <99%.
- The 3500/25_SIL2 module has a Hardware Fault Tolerance (HFT) of zero when used in a one-out-of-one (1oo1) configuration.
- The MTTR and MRT for the 3500/25_SIL2 are 168 hours (1 week).**

**MTTR and MRT were assigned as 168 hours for the purposes of generating the PFDAVG calculation. This figure may be adjusted to suit application-specific considerations as long as the specific value is also used to adjust the PFDAVG calculation for the safety-related installation.
The following table lists the 3500/25_SIL2 failure rates for the various options:

3500/25_SIL2-A01-B01-CXX and 3500/25_SIL2-A01-B02-CXX
(Non-Isolated I/O with Internal or External Terminations)
Failure modes, main board and I/O:
  Safe failure rate (λs)                     358.9 FIT
  Dangerous failure rate (λd)                353.8 FIT
  Dangerous undetected failure rate (λdu)     54.7 FIT
  PFDAVG = 2.99E-04*

3500/25_SIL2-AXX-B04-CXX and 3500/25_SIL2-AXX-B05-CXX
(Isolated I/O with Internal or External Terminations)
Failure modes, main board and I/O:
  Safe failure rate (λs)                     430.6 FIT
  Dangerous failure rate (λd)                425.6 FIT
  Dangerous undetected failure rate (λdu)     79.0 FIT
  PFDAVG = 4.17E-04*

3500/25_SIL2-AXX-B03-CXX
(Barrier I/O with Internal Terminations)
Failure modes, main board and I/O:
  Safe failure rate (λs)                     395.4 FIT
  Dangerous failure rate (λd)                390.3 FIT
  Dangerous undetected failure rate (λdu)     66.3 FIT
  PFDAVG = 3.56E-04*

* The above PFDavg (average probability of failure on demand) values are calculated per the standard with the listed failure rates and have the following assumptions:
- 1 year proof test interval (8760 hours)
- Mean time to repair (MTTR) is 168 hours.
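The following is an added worked example, not part of this manual, that re-derives the three PFDavg values and the SFF band above from the listed failure rates. It assumes the simplified 1oo1 low-demand equation of IEC 61508-6 Annex B (the manual does not state which equation it used, but this one reproduces the table to within rounding) and takes λdd = λd - λdu; the MTTR/MRT and proof test interval parameters let you redo the calculation for a site-specific repair time, as the ** footnote requires.

```python
"""Re-derive the 3500/25_SIL2 PFDavg and SFF figures from the manual's failure rates.

Added example (not Bently Nevada code). Assumed model: IEC 61508-6 Annex B,
1oo1 low-demand simplified equation

    PFDavg = lambda_du * (T1 / 2 + MRT) + lambda_dd * MTTR

with T1 the proof test interval, lambda_dd = lambda_d - lambda_du, and the
manual's stated assumptions T1 = 8760 h and MTTR = MRT = 168 h.
"""
from dataclasses import dataclass

FIT = 1e-9               # 1 FIT = one failure per 1e9 device-hours
HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class FailureRates:
    """Failure rates of one 3500/25_SIL2 ordering option, in FIT (values from the manual)."""
    option: str
    lambda_s: float      # safe failure rate
    lambda_d: float      # dangerous failure rate (detected + undetected)
    lambda_du: float     # dangerous undetected failure rate

    @property
    def lambda_dd(self) -> float:
        """Dangerous detected rate: the part of lambda_d that internal diagnostics catch."""
        return self.lambda_d - self.lambda_du

    def sff(self) -> float:
        """Safe failure fraction per IEC 61508-2: (λs + λdd) / (λs + λd)."""
        return (self.lambda_s + self.lambda_dd) / (self.lambda_s + self.lambda_d)


# The three rate sets listed in the manual's failure rate table.
OPTIONS = {
    "B01/B02": FailureRates("Non-Isolated I/O", 358.9, 353.8, 54.7),
    "B04/B05": FailureRates("Isolated I/O", 430.6, 425.6, 79.0),
    "B03": FailureRates("Barrier I/O", 395.4, 390.3, 66.3),
}
DOCUMENTED_PFD = {"B01/B02": 2.99e-4, "B04/B05": 4.17e-4, "B03": 3.56e-4}


def pfd_avg(rates: FailureRates, proof_test_interval_h: float = HOURS_PER_YEAR,
            mttr_h: float = 168.0, mrt_h: float = 168.0) -> float:
    """1oo1 low-demand PFDavg (IEC 61508-6 Annex B simplified equation)."""
    lam_du = rates.lambda_du * FIT
    lam_dd = rates.lambda_dd * FIT
    # An undetected dangerous fault persists on average half a proof test interval
    # plus the repair time; a detected one persists only for the repair time.
    return lam_du * (proof_test_interval_h / 2.0 + mrt_h) + lam_dd * mttr_h


def pfd_sil_band(pfd: float) -> int:
    """SIL that the PFDavg value alone would permit (IEC 61508-1 Table 2, low demand)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def type_b_hft0_sil_limit(sff: float) -> int:
    """Architectural cap for a Type B element with HFT = 0 (IEC 61508-2 Table 3, route 1H)."""
    for sil, lower in ((3, 0.99), (2, 0.90), (1, 0.60)):
        if sff >= lower:
            return sil
    return 0             # SFF below 60 %: not permitted for a safety function


def achievable_sil(rates: FailureRates, **pfd_kwargs) -> int:
    """The SIL is bounded by both the PFDavg band and the architectural constraint."""
    return min(pfd_sil_band(pfd_avg(rates, **pfd_kwargs)),
               type_b_hft0_sil_limit(rates.sff()))


def proof_test_sweep(rates: FailureRates, years=(1, 2, 3, 5)) -> dict:
    """PFDavg for several proof test intervals, to see how the 1-year figure moves."""
    return {y: pfd_avg(rates, proof_test_interval_h=y * HOURS_PER_YEAR) for y in years}


if __name__ == "__main__":
    for key, rates in OPTIONS.items():
        print(f"{key:8s} {rates.option:17s} PFDavg={pfd_avg(rates):.2e} "
              f"(manual {DOCUMENTED_PFD[key]:.2e}) SFF={rates.sff():.1%} "
              f"SIL={achievable_sil(rates)}")
    for years, pfd in proof_test_sweep(OPTIONS["B01/B02"]).items():
        print(f"  T1={years} y -> PFDavg={pfd:.2e}, PFD band SIL {pfd_sil_band(pfd)}")
```

Although every PFDavg here falls in the SIL 3 band, the Type B / HFT 0 / SFF 90% to <99% architectural constraint caps the module at SIL 2, which is why the manual states SIL 2 for the 1oo1 configuration.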


6. Failure Modes
NOTE: When performing the FMEA on the 3500/25_SIL2, the failure modes of the input sensors (Proximitor or magnetic pickup) were not included in the FMEA calculation.

This chapter covers the failure modes of the 3500/25_SIL2 and its internal diagnostics system. Subsequent sections list the estimated failure rate for each failure mode.
The failure rates are driven by the following assumptions:
- Failure rates are based on Siemens standard SN 29500 at the maximum temperature limits stated in the user manual of the relevant component.
- The failure rate is constant over time.
- The listed failure rates are in Failures in Time (FIT).

For the failure rates of the monitor, relay module or a sensor, refer to their SIL manuals.
The 3500/25_SIL2 Enhanced Keyphasor module is set up for a single channel in a 1oo1
configuration. This configuration provides a hardware fault tolerance of zero. The module is
categorized as a Type B safety related element or subsystem.

6.1 Failure Modes of the Module


The FMEDA report outlines the failure modes of the 3500/25_SIL2 Keyphasor module. The
SIL report includes the FMEDA report. Contact GE Bently Nevada for the SIL report.

6.2 Failure Modes Not Detected by Internal Diagnostics


A failure mode may occur in the 3500/25_SIL2 module that is not capable of being detected by the internal diagnostics of the module. Whether the failure is safe or dangerous, this condition is not reported:
- The module does not report the failure mode.
- The associated monitors do not adjust the alarm output states.
- The Rack OK relay does not change state, and the relay output module does not change state.


6.3 Failure Modes Detected by Internal Diagnostics

The 3500/25_SIL2 module has internal diagnostic capabilities. When the diagnostics detect any failure of the module, the module annunciates the condition: the Rack OK relay on the 3500/22M TDI changes state to Not OK, and the TDI records the failure in the 3500 System Event List.

When the transducer or the module is unable to generate a conditioned Keyphasor signal output, the associated monitor detects the condition and annunciates the loss of the conditioned Keyphasor signal. The associated monitor responds by adjusting its alarming behavior per its application-specific design, and the TDI records the loss of Keyphasor in the 3500 System Event List. For a list of the failure codes detected by the internal diagnostic system, refer to the 3500/25 Operation and Maintenance Manual (document 129770).

Diagnostic Test Interval

The cycle interval between internal diagnostic tests is one hour at most, and far less in most cases. Under worst-case conditions a diagnostic check may therefore take up to one hour to detect a failure; this detection time counts toward the MTTR used in the PFDavg calculation.

System Outputs
When the internal diagnostic system of the 3500/25_SIL2 detects a failure mode, the state of
the Rack OK relay changes to Not OK.
LED Fault Conditions
For a list of the LED fault conditions, refer to the 3500/25 Operation and Maintenance
Manual (document 129770).

6.4 Failure Modes of the Diagnostic System

The FMEDA report contains the failure modes of the 3500/25_SIL2 diagnostic system. Contact GE Bently Nevada for the FMEDA report.

6.5 External Diagnostics

A 3500 system containing the 3500/25_SIL2 module must include at least one SIL-certified 3500 monitor and a SIL-certified system relay module. The relay module provides the safety relay output of the system. It also acts as an external diagnostic device when the monitor cannot broadcast alarming messages. You must configure the relay drive logic with at least one alarm.

To support the SIL-certified module, the 3500 system must have a 3500/22M TDI module. The TDI, acting as the Rack Interface Module, performs diagnostics on the installed monitors and modules. These diagnostics are separate from those each monitor performs internally.
When the Rack Interface Module detects a failure mode in one of the monitors, it changes the status of the Rack OK relay to Not OK.
For a list of the failure modes that drive the Rack OK relay, refer to the FMEDA report. The SIL report includes the FMEDA report. Contact GE Bently Nevada for the SIL report.


7. Periodic Proof Test

The circuit boards and components of the 3500 modules cannot be repaired in the field. To maintain the 3500 rack, test the monitors' channels to verify their operation and replace any monitor or module that is not operating correctly.
If the 3500 rack is not in a hazardous area, you may install the 3500/25_SIL2 module into the rack, or remove it from the rack, while power is applied.
If the 3500 rack is in a hazardous area, refer to the Rack Installation and Maintenance Manual (document 129766) for the proper installation and removal procedures.
BS EN 60079-0:2012 defines a hazardous area as one in which an explosive atmosphere is present, or may be expected to be present, in quantities that require special precautions for the construction, installation and use of electrical apparatus.

7.1 How to Choose a Periodic Proof Test Interval

The proof test coverage (PTC) provided by the periodic proof test of the 3500/25_SIL2 module depends on the installed I/O module:
• Non-Isolated I/O with Internal or External Terminations (B01 or B02): PTC = 63%
• Isolated I/O with Internal or External Terminations (B04 or B05): PTC = 74%
• Barrier I/O with Internal Terminations (B03): PTC = 52%

Dangerous failures that fall outside the monitors' diagnostic capabilities are dangerous undetected failures. They must be detected as part of the periodic proof test activities.
GE Bently Nevada recommends a periodic proof test interval of 1 year. By using the PFDavg equation from IEC 61508-6 that is appropriate for the specific safety-related system, you can determine the effect on the PFDavg value of a longer or shorter periodic proof test interval.
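The following worked example reproduces the PFDavg figure quoted in chapter 5 (3.56E-04 for a 1 year proof test interval and 168 hour MTTR) from the IEC 61508-6 low-demand 1oo1 equation, and then shows what the same equation gives for other proof test intervals, which is the calculation this section asks you to perform. It is an added example, not code from this manual or from Bently Nevada. The failure rates, interval and MTTR are the figures quoted in this manual; the assumption that the mean repair time (MRT) for failures found at proof test equals the quoted MTTR, and the SIL band table from IEC 61508-1, are the author's, and the PFDavg band printed is not by itself the SIL the module is certified for.

```python
"""
PFDavg of a 1oo1 (HFT = 0) element per the IEC 61508-6 Annex B
low-demand equation, using the figures quoted in this manual.

    PFD_G = (lambda_DU + lambda_DD) * tCE
    tCE   = lambda_DU/lambda_D * (T1/2 + MRT) + lambda_DD/lambda_D * MTTR

Added example: not code from the 3500/25_SIL2 manual or from Bently Nevada.
"""

FIT = 1e-9  # one FIT is one failure per 1e9 hours

# Figures quoted in this manual (chapter 5).
LAMBDA_D_FIT = 390.3          # dangerous failure rate
LAMBDA_DU_FIT = 66.3          # dangerous undetected failure rate
PROOF_TEST_INTERVAL_H = 8760  # 1 year
MTTR_H = 168.0                # mean time to restoration


def pfd_avg_1oo1(lambda_du_fit, lambda_d_fit, t1_h, mttr_h, mrt_h=None):
    """Average PFD of a single 1oo1 channel.

    t1_h   : proof test interval in hours.
    mttr_h : mean time to restoration for diagnosed failures; it includes the
             diagnostic detection time, which this manual bounds at <= 1 h,
             so the quoted 168 h is used unchanged.
    mrt_h  : mean repair time for failures revealed by the proof test.  The
             manual quotes a single 168 h figure, so MRT = MTTR is ASSUMED
             unless a separate value is given.
    """
    if mrt_h is None:
        mrt_h = mttr_h
    lam_d = lambda_d_fit * FIT
    lam_du = lambda_du_fit * FIT
    lam_dd = lam_d - lam_du  # dangerous detected = dangerous - dangerous undetected
    if lam_dd < 0:
        raise ValueError("lambda_DU cannot exceed lambda_D")
    # Channel equivalent mean down time per IEC 61508-6.
    t_ce = (lam_du / lam_d) * (t1_h / 2.0 + mrt_h) + (lam_dd / lam_d) * mttr_h
    return lam_d * t_ce


def sweep_proof_test_interval(years=(0.5, 1, 2, 3, 5)):
    """PFDavg for several proof test intervals with all other inputs unchanged."""
    return {y: pfd_avg_1oo1(LAMBDA_DU_FIT, LAMBDA_D_FIT, y * 8760.0, MTTR_H)
            for y in years}


def pfd_sil_band(pfd):
    """Low-demand SIL band that a PFDavg value falls in (IEC 61508-1 Table 2).

    Returns 0 when PFDavg >= 1E-01, i.e. outside the table.  The band is only
    one input to the SIL claim: architectural constraints (HFT, SFF, Type B)
    from IEC 61508-2 still apply.
    """
    if pfd >= 1e-1:
        return 0
    for lower, upper, sil in ((1e-5, 1e-4, 4), (1e-4, 1e-3, 3),
                              (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)):
        if lower <= pfd < upper:
            return sil
    return 4  # below the SIL 4 lower bound


if __name__ == "__main__":
    base = pfd_avg_1oo1(LAMBDA_DU_FIT, LAMBDA_D_FIT, PROOF_TEST_INTERVAL_H, MTTR_H)
    print(f"PFDavg, T1 = 1 year, MTTR = 168 h: {base:.2E}")  # 3.56E-04
    for years, pfd in sweep_proof_test_interval().items():
        print(f"T1 = {years:>4} yr  PFDavg = {pfd:.2E}  PFD band: SIL {pfd_sil_band(pfd)}")
```

With the quoted rates the λdu term dominates: stretching T1 from one year to five years raises PFDavg from about 3.6E-04 to about 1.5E-03, which moves the value from the SIL 3 band of the PFD table into the SIL 2 band, while the λdd contribution (λdd x MTTR, about 5.4E-05) is unchanged. The proof test coverage figures in 7.1 are not part of the IEC 61508-6 equation above; a proof test with PTC below 100% leaves part of λdu untested until the module is replaced, so an assessment that accounts for PTC will give a higher PFDavg than this calculation.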

7.2 Periodic Proof Test Guide

The proof test verifies the hardware and configuration integrity. The following manual describes the verification procedures and the recommended test equipment:

• 3500/25 Enhanced Keyphasor Module Operation and Maintenance Manual (document 129770)
