Document: 124M5527
Rev. -
3500/25 SIL Enhanced Keyphasor Module
SIL Safety Manual
Copyright 2017 Baker Hughes, a GE company, LLC ("BHGE")
All rights reserved.
The information contained in this document is the property of BHGE and its affiliates; and is
subject to change without prior notice. It is being supplied as a service to our customers and
may not be altered or its content repackaged without the express written consent of BHGE.
* Denotes a trademark of Bently Nevada, LLC, a wholly owned subsidiary of Baker Hughes,
a GE company.
Keyphasor, Proximitor
All product and company names are trademarks of their respective holders. Use of the
trademark does not imply any affiliation with or endorsement by the respective holders.
The information published in this document is offered to you by BHGE in consideration of its ongoing
sales and service relationship with your organization. However, since the operation of your plant
involves many factors not within our knowledge, and since operation of the plant is in your control,
ultimate responsibility for its continuing successful operation rests with you. BHGE specifically disclaims
any responsibility for liability based on claims for damage of any type, i.e., direct, consequential or
special that may be alleged to have been incurred as a result of applying this information regardless of
whether it is claimed that BHGE is strictly liable, in breach of contract, in breach of warranty, negligent,
or is in other respects responsible for any alleged injury or damage sustained by your organization as a
result of applying this information. This document is furnished to customers solely to assist in the
installation, testing, operation and/or maintenance of the equipment described. BHGE retains all rights
to any intellectual property that may be contained in this document.
Contact Information
When you cannot reach your local representative, use the following contact information to
reach us:
Mailing Address: 1631 Bently Parkway South, Minden, Nevada USA 89423
Telephone: 1.775.782.3611, 1.800.227.5514 (US only)
Internet: www.GEmeasurement.com
Additional Information
NOTE
This manual does not contain all the information required to operate and maintain
the monitoring system. Refer to the following manuals for other required
information.
Contents
1. General Safety
1.1 Receiving Inspection
1.2 Handling and Storing Considerations
1.3 Safe Disposal
2. Purpose
2.1 Abbreviations
2.2 IEC 61508-2 Annex D Requirements References
2.3 References
3. Hardware
3.1 Rack Interface Monitor
3.2 System Power Supplies
3.3 Monitors
3.4 Enhanced Keyphasor Module
3.5 Relay Modules
3.6 3500/25_SIL2 Setup and Hardware
4. Constraints and SIL Requirements
4.1 Who Should Commission and Maintain SIL Monitors?
4.2 SIL Requirements
4.3 Recommendations
5. Functional Specifications
5.1 Systematic Capability
5.2 Architectural and Random Constraints
6. Failure Modes
6.1 Failure Modes of the Module
6.2 Failure Modes Not Detected by Internal Diagnostics
6.3 Failure Modes Detected by Internal Diagnostics
6.4 Failure Modes of the Diagnostic System
6.5 External Diagnostics
7. Periodic Proof Test
7.1 How to Choose a Periodic Proof Test Interval
7.2 Periodic Proof Test Guide
1. General Safety
Before using your 3500/25 SIL Enhanced Keyphasor Module, read and understand the
following precautions thoroughly. Pay attention to all warnings and recommendations to
prevent data loss or inaccuracy, damage to the device, and injury to yourself.
2. Personnel must be grounded with a suitable grounding strap before handling or maintaining a printed circuit
board.
4. Use extra caution during dry weather. Relative humidity less than 30 % multiplies the accumulation of
static charges on any surface.
2. Purpose
This safety manual contains information about the 3500/25_SIL2 Enhanced Keyphasor
Module. The Keyphasor module is a certified component that can be used in a functional
safety system.
This safety manual is required for the proper integration of the 3500/25_SIL2 into a
safety-related system in compliance with IEC 61508-2 Annex D.
The manual focuses on the functional safety use case. It augments the datasheets and user
manual of the 3500/25 Enhanced Keyphasor Module.
2.1 Abbreviations
Abbreviation Description
ARM Armature
DC Diagnostic coverage
FS Functional Safety
NC Normally Closed
NE Normally Energized
NO Normally Open
SC Systematic coverage
TUV Technischer Überwachungsverein (Technical Inspection)
D2.1 a) Functional specification of the functions being performed
    See "3500/25_SIL2 Setup and Hardware" on page 11.
D2.1 b) Identification of the hardware and software configuration of the compliant item
    See "3500/25_SIL2 Setup and Hardware" on page 11.
D2.2 b) For every failure mode in a), an estimated failure rate
    See "Functional Specifications" on page 16.
D2.2 d) The failure modes of the diagnostics, internal to the compliant item due to random hardware failures, that result in a failure of the diagnostics to detect failures of the function
    See "Failure Modes of the Diagnostic System" on page 20.
D2.2 e) For every failure mode in sections c) and d), the estimated failure rate
    See "Functional Specifications" on page 16.
D2.2 h) Any periodic proof test and maintenance requirements See "Periodic Proof
D2.2 i) For those failure modes, in respect of a specified function, that are capable of being detected by external diagnostics, sufficient information shall be provided to facilitate the development of an external diagnostics capability
    See "External Diagnostics" on page 20.
D.2.3 a) The systematic capability of the compliant item or that part of the element that provides the function
    See "Systematic Capability" on page 16.
D.2.3 b) Any instructions or constraints relating to the application of the compliant item, relevant to the function, that should be observed in order to prevent systematic failures of the compliant item
    See "SIL Requirements" on page 14.
2.3 References
IEC 61508, Parts 1 - 7:2010
Functional safety of electrical, electronic and programmable electronic safety-related
systems
API Standard 670, 5th edition, December 2000 Machinery Protection Systems
TÜV Certificate and Report Number 968/EZ 557.00/12
Schematic Diagram 3500/25 Enhanced Keyphasor Module, Dwg. No: 184685
Schematic Diagram Keyphasor I/O with internal termination, Dwg. No: 184390
Schematic Diagram Keyphasor I/O with external termination, Dwg. No: 184390
Schematic Diagram Isolated Keyphasor I/O with internal termination, Dwg. No: 184390
Schematic Diagram Isolated Keyphasor I/O with external termination, Dwg. No: 184390
Schematic Diagram Keyphasor I/O with internal Barriers, Dwg. No: 184833
Statement of Compliance, BN26744C-18
System test procedures, No: 158792, Rev. NC, 28 Nov 1995
3500 Monitoring System Computer Hardware and Software Manual, Document 128158
3500 Monitoring System, Rack Installation and Maintenance Manual, Document 129766
Copy of ISO 9001 certificate, issued by Det Norske Veritas, 06 June 2017
3. Hardware
The 3500 system is a rack-based machinery protection and condition monitoring platform
that provides information to assess and protect the mechanical condition of rotating and
reciprocating machinery. The system continuously measures and monitors various
protection and supervisory parameters. It provides important information for early
identification of machinery problems such as imbalance, misalignment, shaft crack and
bearing failures.
The 3500 system has different slots where you can install system monitors and modules.
The monitors accept inputs from transducers, condition the signals to provide various
measurements, and compare the conditioned signals with user-programmable alarms.
Alarm statuses are generated and broadcast onto the system alarming networks.
A SIL-certified 3500 system consists of one or more certified monitors interacting with one or
more certified relay modules. The monitors and relay modules function within the 3500
architecture and communicate with each other. You cannot directly interface the monitors
and relay modules to external devices except as depicted in the 3500 safety element
architecture.
The monitors and relay modules are certified individually. You can use them for many safety
instrumented function applications.
3.3 Monitors
The 3500 monitors accept inputs from transducers in the field and condition signals into
measurements useful for machinery protection. The monitors constantly compare the
measurements against configured alarm setpoints to generate alarm and channel OK
statuses. These statuses are broadcast onto system alarming networks.
A monitor’s safety function is the broadcast alarm status and validity states on the alarming
network. All available software configuration options and logic parameters are valid for
supporting the safety function without restriction. You can select and arrange these
parameters to suit your application requirements.
The monitors are installed in any of the monitoring slots available in the system. We offer
numerous SIL-certified monitors for the 3500 system, each providing different machinery
protection capabilities. You can combine different certified monitors and duplicate them to
achieve the required safety instrumented functionality.
A 3500 monitor is composed of a main card and an I/O module. The I/O module interfaces
with the transducers producing the machinery-related signals and conditions the signals for
the monitor main card. The main card generates measurements from transducer information
as well as alarm and status messages.
against the configured relay drive logic to provide machinery protection trip output
capability.
A 3500 relay module is a multi-channel module composed of the following:
• A main card known as the relay controller
  The relay controller interfaces with the 3500 system alarming network to process its
  configured relay drive logic and generate relay channel drive signals.
• A relay output module
  The relay I/O module accepts the relay drive signals from the controller. The module
  contains the relay devices which provide the machinery trip contacts.
Each channel provides independent Alarm Drive Logic functionality. You can develop
complex logic strings using Boolean (AND and OR) logic elements. The logic acts on the
alarm states (alert, danger) and validity states (Not OK) generated by monitors. The states
are available from the system alarming networks. Each channel’s logic string drives its own
relay output intended as a machinery trip output.
The following diagram depicts the hardware components of 3500/25_SIL2 Keyphasor
Module:
SIL-Certified 3500/25_SIL2 I/O Modules
The following table lists SIL-certified 3500/25_SIL2 ordering options:
BXX Type of I/O Module 03: Internal Barrier I/O with Internal Terminations
Ordering Requirements
• For a SIL-certified 3500/25 module, order part number 3500/25_SIL2.
• Within a SIF, use only components contained within the TUV-certified configurations.
Hardware Requirements
• The 3500/25_SIL2 must be installed in a 3500 Rack with the following requirements:
• The rack must have a 3500/22M Transient Data Interface Module.
• The rack must have a SIL capable 3500 4-channel monitor.
• The rack must contain at least one SIL-certified relay module.
• The 3500 System must be supported by redundant 3500/15 power supplies.
• You must set the system program keyswitch on the 3500/22M TDI to RUN after
  configuring and commissioning the system.
• After removing any components that are part of the critical safety path in the 3500
  system, you must perform a full-proof test of the SIL system.
• An automated system must continuously monitor the System OK relay on the
  3500/22M TDI to detect system faults.
• The 3500/25_SIL2 operates in low demand mode.
Software Requirements
• You must configure and validate the monitors and relay cards associated with the SIL-
  rated Keyphasor per the applicable SIL safety manuals.
• You can configure the Keyphasor module using the available options and parameters.
  These values are valid for the safety function with the following exceptions:
  The 3500/25 Enhanced Keyphasor Module can provide two types of output signals to the
  system Keyphasor busses (“Processed” and “Non-Processed”) within a paired or non-paired
  configuration. Only non-paired, non-processed signals are valid for the support of the safety
  function.
• You must perform the validation tests outlined in the 3500/25 Module Manual
  (document 129770).
• When the module reports failure conditions such as a NOT OK status, evaluate the
  behavior of the safety system at the system level.
• After downloading the configuration to the 3500/25_SIL2, upload the module
  configuration back to the host computer.
  Compare the specified settings to verify the configuration was correctly received.
• Use a password to protect the configuration of the 3500 system.
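The read-back comparison and the configuration constraints in the list above can be checked together. The sketch below is an added example, not code from BHGE or from the 3500 configuration software; it assumes the intended and uploaded configurations have been exported to flat key/value form, and every key name and sample value in it is hypothetical.

```python
# Added example. Key names are hypothetical, not the 3500 configuration
# software's export format; the sample values are constructed.
ABSENT = "<absent>"

def diff_config(intended, read_back):
    """Settings that differ between what was downloaded and what was read back."""
    diffs = {}
    for key in sorted(set(intended) | set(read_back)):
        want, got = intended.get(key, ABSENT), read_back.get(key, ABSENT)
        if want != got:
            diffs[key] = (want, got)
    return diffs

def sil_violations(config, channels=("kph1",)):
    """Check a configuration against the constraints listed in this section."""
    problems = []
    for ch in channels:
        if config.get(f"{ch}.signal_type") != "non-processed":
            problems.append(f"{ch}: signal type must be non-processed")
        if config.get(f"{ch}.pairing") != "non-paired":
            problems.append(f"{ch}: channel must be non-paired")
    if config.get("rack.password_protected") is not True:
        problems.append("rack: configuration is not password protected")
    return problems

def verify_read_back(intended, read_back):
    """Pass only if the read-back matches AND satisfies the SIL constraints."""
    diffs = diff_config(intended, read_back)
    problems = sil_violations(read_back)
    return {"ok": not diffs and not problems, "diffs": diffs, "violations": problems}

# Constructed sample data.
INTENDED = {
    "kph1.signal_type": "non-processed",
    "kph1.pairing": "non-paired",
    "kph1.events_per_rev": 1,
    "rack.password_protected": True,
}
READ_BACK_OK = dict(INTENDED)
# A read-back where one setting differs and one key is missing.
READ_BACK_BAD = {k: v for k, v in INTENDED.items() if k != "rack.password_protected"}
READ_BACK_BAD["kph1.signal_type"] = "processed"
# A configuration that round-trips perfectly but was wrong to begin with.
INTENDED_PAIRED = {**INTENDED, "kph1.pairing": "paired"}

if __name__ == "__main__":
    print(verify_read_back(INTENDED, READ_BACK_OK))
    print(verify_read_back(INTENDED, READ_BACK_BAD))
    print(verify_read_back(INTENDED_PAIRED, dict(INTENDED_PAIRED)))
```

The third case shows why the comparison alone is not sufficient: a paired configuration reads back identically yet is not valid for the safety function.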
4.3 Recommendations
We recommend having GE’s Bently Nevada Services inspect your 3500 system when
validating and commissioning the components to ensure proper installation, configuration
and usage.
5. Functional Specifications
The 3500/25_SIL2 Enhanced Keyphasor Module receives analog input signals from
proximity probes or magnetic pickups and converts them to conditioned digital signals
transmitted down the backplane to indicate when the Keyphasor mark on the shaft is in line
with the probe. The 3500 System Monitoring modules use this Keyphasor signal from the
backplane to calculate vector parameters such as 1X amplitude and phase, and compare
the measured parameter to the configured alarm set points. As a result of this comparison,
the monitors generate alarm statuses and broadcast them onto the system alarming
networks. The safety function is the monitor's broadcasting of the alarm status and validity
states on the alarming network.
The test institute has assessed the associated safety-related elements of Proximitors,
monitors and system relay modules such as 3500/32M_SIL and documented the results in
test reports.
• The 3500/25_SIL2 module has a Hardware Fault Tolerance (HFT) of zero when used
  in a one-out-of-one (1oo1) configuration.
• The MTTR and MRT for the 3500/25_SIL2 are 168 hours or 1 week**.
**MTTR and MRT were assigned as 168 hours for the purposes of generating the PFDAVG
calculation. This figure may be adjusted to suit application specific considerations as long
as the specific value is also used to adjust the PFDAVG calculation specific to the safety-
related installation.
The following table lists the 3500/25_SIL2 failure rates based on the various options:
3500/25_SIL2-A01-B01-CXX
3500/25_SIL2-A01-B02-CXX
PFDAVG = 2.99E-04*
3500/25_SIL2-AXX-B04-CXX
3500/25_SIL2-AXX-B05-CXX
PFDAVG = 4.17E-04*
3500/25_SIL2-AXX-B03-CXX
PFDAVG = 3.56E-04*
* The above PFDavg (average probability of failure on demand) values are calculated per
the standard with the listed failure rates and have the following assumptions:
• 1 Year proof test interval (8760 hours)
• Mean time to repair (MTTR) is 168 hours.
6. Failure Modes
NOTE
When performing the FMEA on the 3500/25_SIL2, the failure modes of the input
sensors (Proximitor, or magnetic pickup) were not included in the
FMEA calculation.
This chapter covers the failure modes of the 3500/25_SIL2 and its internal diagnostics
system. Subsequent sections list the estimated failure rate for each failure mode.
The failure rates are driven by the following assumptions:
• Failure rates are based on Siemens standard SN 29500 at the outlined maximum
  temperature limits shown in the user manual of the relevant component.
• The failure rate is constant over time.
• The listed failure rates are in Failures in Time (FIT).
For the failure rates of the monitor, relay module or a sensor, refer to their SIL manuals.
The 3500/25_SIL2 Enhanced Keyphasor module is set up for a single channel in a 1oo1
configuration. This configuration provides a hardware fault tolerance of zero. The module is
categorized as a Type B safety-related element or subsystem.
System Outputs
When the internal diagnostic system of the 3500/25_SIL2 detects a failure mode, the state of
the Rack OK relay changes to Not OK.
LED Fault Conditions
For a list of the LED fault conditions, refer to the 3500/25 Operation and Maintenance
Manual (document 129770).
To support the SIL-certified module, the 3500 system must have a 3500/22M TDI module.
The Rack Interface Module performs diagnostics on the installed monitors and modules.
These diagnostics are different from those performed by each monitor internally.
When the Rack Interface Module detects a failure mode for one of the monitors, it changes
the status of the Rack OK relay to Not OK.
For a list of failure modes that drive the Rack OK relay, refer to the FMEDA report. The SIL
report includes the FMEDA report. Contact GE Bently Nevada for the SIL report.
The dangerous failures that fall outside the monitors' diagnostic capabilities are considered
dangerous undetected failures. They must be detected as part of periodic proof test
activities.
GE Bently Nevada recommends a periodic proof test interval of 1 year. By using the
PFDAVG equation from IEC 61508-6 that is appropriate for the specific safety-related system,
you can determine the effect on the PFDAVG value of longer or shorter periodic proof test
intervals.
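The effect of the proof test interval on PFDAVG for the 1oo1 configuration, as an added example that is not part of the original manual. It uses the 1oo1 low-demand equation from IEC 61508-6 with this manual's 168-hour MTTR and MRT; the failure rates and the PFD budget are constructed values, so substitute the figures from the FMEDA report and your own SIF allocation.

```python
# Added example. The failure rates and budget below are constructed; take the
# real lambda_DU and lambda_DD for the ordered option from the FMEDA report.
FIT = 1e-9  # one failure per 10^9 device hours

def pfd_avg_1oo1(lambda_du, lambda_dd, t1_h, mrt_h=168.0, mttr_h=168.0):
    """1oo1 low-demand PFDavg per IEC 61508-6.

    PFDavg = (lambda_DU + lambda_DD) * t_CE, where
    t_CE = lambda_DU/lambda_D * (T1/2 + MRT) + lambda_DD/lambda_D * MTTR,
    which simplifies to the expression returned here.
    """
    if min(lambda_du, lambda_dd, t1_h, mrt_h, mttr_h) < 0:
        raise ValueError("rates and times must be non-negative")
    return lambda_du * (t1_h / 2.0 + mrt_h) + lambda_dd * mttr_h

def max_proof_interval_h(lambda_du, lambda_dd, pfd_budget, mrt_h=168.0, mttr_h=168.0):
    """Longest proof test interval T1 (hours) that keeps PFDavg <= pfd_budget.

    Returns None when the repair-time terms alone already exceed the budget.
    """
    repair_term = pfd_avg_1oo1(lambda_du, lambda_dd, 0.0, mrt_h, mttr_h)
    if pfd_budget < repair_term:
        return None
    if lambda_du == 0:
        return float("inf")
    return 2.0 * (pfd_budget - repair_term) / lambda_du

def sweep(lambda_du, lambda_dd, years=(0.5, 1, 2, 3, 5)):
    """PFDavg for a range of proof test intervals, in years."""
    return [(y, pfd_avg_1oo1(lambda_du, lambda_dd, y * 8760.0)) for y in years]

# Constructed inputs, not values from the manual.
LAMBDA_DU = 60 * FIT    # dangerous undetected
LAMBDA_DD = 200 * FIT   # dangerous detected
PFD_BUDGET = 5e-4       # share of the SIF's PFD allocated to this module

if __name__ == "__main__":
    for years, pfd in sweep(LAMBDA_DU, LAMBDA_DD):
        print(f"T1 = {years:>3} y  PFDavg = {pfd:.3e}")
    limit = max_proof_interval_h(LAMBDA_DU, LAMBDA_DD, PFD_BUDGET)
    print(f"longest T1 within budget: {limit:.0f} h")
```

Because the undetected term grows with T1/2, doubling the proof test interval nearly doubles PFDAVG whenever dangerous undetected failures dominate.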
• 3500/25 Proximitor Monitor Module Operation and Maintenance Manual (129770)