
3500 - Proximitor and Seismic Monitor


3500/40M Proximitor and 3500/42M

Prox/Seismic Monitor
SIL2 Safety Manual
Bently Nevada* Asset Condition Monitoring

Document: 115M9608
Rev. A
3500/40M Proximitor and 3500/42M Prox/Seismic Monitor
SIL2 Safety Manual
Copyright 2016 - 2018   Baker Hughes, a GE company, LLC ("BHGE")
All rights reserved.
The information contained in this document is the property of BHGE and its affiliates; and is
subject to change without prior notice. It is being supplied as a service to our customers and
may not be altered or its content repackaged without the express written consent of BHGE.
* Denotes a trademark of Bently Nevada, LLC, a wholly owned subsidiary of Baker Hughes, a
GE company.
Bently Nevada, Proximitor, Velomitor
All product and company names are trademarks of their respective holders. Use of the
trademark does not imply any affiliation with or endorsement by the respective holders.
The information published in this document is offered to you by BHGE in consideration of its ongoing sales
and service relationship with your organization. However, since the operation of your plant involves many
factors not within our knowledge, and since operation of the plant is in your control, ultimate responsibility
for its continuing successful operation rests with you. BHGE specifically disclaims any responsibility for
liability based on claims for damage of any type, i.e., direct, consequential or special, that may be alleged to
have been incurred as a result of applying this information, regardless of whether it is claimed that BHGE is
strictly liable, in breach of contract, in breach of warranty, negligent, or is in other respects responsible for
any alleged injury or damage sustained by your organization as a result of applying this information. This
document is furnished to customers solely to assist in the installation, testing, operation and/or
maintenance of the equipment described. BHGE retains all rights to any intellectual property that may be
contained in this document.

Contact Information
When you cannot reach your local representative, use the following contact information to
reach us:

Mailing Address    1631 Bently Parkway South, Minden, Nevada USA 89423
Telephone          1.775.782.3611
                   1.800.227.5514 (US only)
Internet           www.GEmeasurement.com

115M9608 Rev. A ii

Additional Information
NOTE
This manual does not contain all the information required to operate and
maintain the product. Refer to the following manuals for other required
information.

Order the "Bently_Manuals" customer DVD to access all manuals, datasheets, application
notes, and field wiring diagrams for all available languages.

3500 Monitoring System Installation and Maintenance Manual (Document 129766)
3500 Monitoring System Rack Configuration and Utilities Guide (Document 129777)
3500 Field Wiring Diagram Package (Document 130432)
3500/40M Proximitor Monitor Module Operation and Maintenance Manual (Document 143488)
3500/42M Prox/Seismic Monitor Module Operation and Maintenance Manual (Document 143489)
3500/40M Proximitor Monitor Datasheet (Document 141535)
3500/42M Prox/Seismic Monitor Datasheet (Document 143694)
3500 Machinery Protection System Functional Safety Certified Products Datasheet (Document 162242)
3500/22M Operation and Maintenance Manual (Document 161580)
3500/32M Operation and Maintenance Manual (Document 129771)


Contents
1. General Safety 1
1.1 Product Disposal Statement 1
2. Purpose 2
2.1 Abbreviations 3
2.2 IEC 61508-2 Annex D Requirements References 5
2.3 References 7
3. Hardware 8
3.1 Rack Interface Module 9
3.2 System Power Supplies 9
3.3 Monitors 9
3.4 Relay Modules 10
3.5 3500/40_SIL Setup and Hardware 11
3.6 3500/42_SIL Setup and Hardware 14
4. Constraints and SIL Requirements 18
4.1 Who Should Commission and Maintain SIL Monitors? 18
4.2 SIL Requirements 18
5. Functional Specifications 21
5.1 Systematic Capability 23
5.2 Architectural and Random Constraints 23
5.3 3500/40_SIL Architectural Constraints 24
5.4 3500/42_SIL Architectural Constraints 28
6. Failure Modes 33
6.1 Failure Modes of the Modules 33
6.2 Failure Modes Not Detected by Internal Diagnostics 33
6.3 Failure Modes Detected by Internal Diagnostics 35
6.4 Failure Modes of the Diagnostic System 35
6.5 External Diagnostics 36
7. Periodic Proof Test 37
7.1 How to Choose a Periodic Proof Test Interval 37
7.2 Periodic Proof Test Guide 37


1. General Safety

1.1 Product Disposal Statement


Customers and third parties outside the member states of the European Union who are in
control of the product at the end of its life or at the end of its use are solely responsible for
the proper disposal of the product. No person, firm, corporation, association or agency that is
in control of the product shall dispose of it in a manner that violates any applicable
federal, state, local or international law. Baker Hughes, a GE company, LLC ("BHGE") is not
responsible for the disposal of the product at the end of its life or at the end of its use. Visit
www.weeerohsinfo.com for recycling information.


2. Purpose
This safety manual contains information about the 3500/40M Proximitor and 3500/42M
Prox/Seismic Monitor. These monitors are certified components that can be used in a
functional safety system.
This safety manual is required for the integration of the 3500/40_SIL and 3500/42_SIL into a
safety related system in compliance with IEC 61508-2 Annex D.
The manual focuses on the functional safety use case. It augments the datasheets and user
manuals of the 3500/40_SIL Proximitor Monitor and 3500/42_SIL Prox/Seismic Monitor.


2.1 Abbreviations

Abbreviation   Description
ANSI/ISA       American National Standards Institute / International Society of Automation
API            American Petroleum Institute
ARM            Armature
CE             Conformité Européenne (European Conformity)
DC             Diagnostic coverage
FIT            Failures in time (one failure per 10^9 device-hours)
FMEA           Failure modes and effects analysis
FMEDA          Failure modes, effects and diagnostic analysis
FS             Functional safety
HFT            Hardware fault tolerance
IEC            International Electrotechnical Commission
MRT            Mean repair time
MTBF           Mean time between failures
MTTF           Mean time to failure
MTTR           Mean time to restoration
NC             Normally closed
NDE            Normally de-energized
NE             Normally energized
NO             Normally open
PTC            Proof test coverage
PFD            Probability of failure on demand
RIM            Rack Interface Module
SC             Systematic capability
SIL            Safety integrity level
SFF            Safe failure fraction
SIF            Safety instrumented function
TÜV            Technischer Überwachungsverein (technical inspection association)
λs             Safe failure rate
λsd            Safe detected failure rate
λsu            Safe undetected failure rate
λd             Dangerous failure rate
λdd            Dangerous detected failure rate
λdu            Dangerous undetected failure rate


2.2 IEC 61508-2 Annex D Requirements References

The following table maps each requirement of IEC 61508-2 Annex D to the section of this
manual that fulfills it.

IEC 61508-2 Annex D requirement / Reference in this manual

D.2.1 a) Functional specification of the functions being performed
    See "3500/40_SIL Setup and Hardware" on page 11 and "3500/42_SIL Setup and Hardware" on page 14.

D.2.1 b) Identification of the hardware and software configuration of the compliant item
    See "3500/40_SIL Setup and Hardware" on page 11 and "3500/42_SIL Setup and Hardware" on page 14.

D.2.1 c) Constraints on the use of the compliant item and assumptions on which analysis of
the behavior or failure rates of the item are based
    See "Constraints and SIL Requirements" on page 18.

D.2.2 a) The failure modes of the compliant item due to random hardware failures that result
in a failure of the function and are not detected by diagnostics internal to the compliant item
    See "Failure Modes Not Detected by Internal Diagnostics" on page 33.

D.2.2 b) For every failure mode in a), an estimated failure rate
    See "Functional Specifications" on page 21.

D.2.2 c) The failure modes of the compliant item due to random hardware failures that result
in a failure of the function and that are detected by diagnostics internal to the compliant item
    See "Failure Modes Detected by Internal Diagnostics" on page 35.

D.2.2 d) The failure modes of the diagnostics internal to the compliant item, due to random
hardware failures, that result in a failure of the diagnostics to detect failures of the function
    See "Failure Modes of the Diagnostic System" on page 35.

D.2.2 e) For every failure mode in c) and d), the estimated failure rate
    Failure rate for D.2.2 c): see "Functional Specifications" on page 21.
    Failure rate for D.2.2 d): see "Functional Specifications" on page 21.

D.2.2 f) For every failure mode in c) detected by diagnostics internal to the compliant item,
the diagnostic test interval
    See "How to Choose a Periodic Proof Test Interval" on page 37.

D.2.2 g) For every failure mode in c), the outputs of the compliant item initiated by the
internal diagnostics
    See "Failure Modes Detected by Internal Diagnostics" on page 35.

D.2.2 h) Any periodic proof test and maintenance requirements
    See "Periodic Proof Test Guide" on page 37.

D.2.2 i) For those failure modes, in respect of a specified function, that are capable of being
detected by external diagnostics, sufficient information shall be provided to facilitate the
development of an external diagnostics capability
    See "External Diagnostics" on page 36.

D.2.2 j) The hardware fault tolerance
    See "Architectural and Random Constraints" on page 23.

D.2.2 k) The classification as type A or type B of that part of the compliant item that provides
the function
    For 3500/40_SIL, see "3500/40_SIL Architectural Constraints" on page 24.
    For 3500/42_SIL, see "3500/42_SIL Architectural Constraints" on page 28.

D.2.3 a) The systematic capability of the compliant item or that part of the element that
provides the function
    See "Systematic Capability" on page 23.

D.2.3 b) Any instructions or constraints relating to the application of the compliant item,
relevant to the function, that should be observed in order to prevent systematic failures of
the compliant item
    See "SIL Requirements" on page 18.


2.3 References
- IEC 61508, Parts 1-7:2010, Functional safety of electrical/electronic/programmable electronic
  safety-related systems
- API Standard 670, 5th edition, November 2014, Machinery Protection Systems
- TÜV Certificate and Report: 968/EZ 310.03/18
- Schematic Diagram 3500/42M & 40 Board, Dwg. No. 184574
- Schematic Diagram Consolidated I/O, Dwg. No. 184140
- Schematic Diagram I/O with Internal Barrier, Dwg. No. 184608
- Statement of Compliance, BN26744C-18
- System Test Procedures, No. 158792, Rev. -, 11 Aug 2016
- 3500 Monitoring System Rack Installation and Maintenance Manual, Document 129766
- Copy of ISO 9001 certificate, issued by Det Norske Veritas, 06 June 2017


3. Hardware
The 3500 system is a rack based machinery protection and condition monitoring platform that
provides information to assess and protect the mechanical condition of rotating and
reciprocating machinery. The system continuously measures and monitors various protection
and supervisory parameters. It provides important information for early identification of
machinery problems such as imbalance, misalignment, shaft crack and bearing failures.
The 3500 system has different slots where a system monitor and various other modules can
be installed. The monitor modules accept inputs from transducers, condition the signals to
provide various measurements, and compare the conditioned signals with user-programmable
alarms. Alarm statuses are generated and broadcast onto the system alarming networks.

In SIL-certified systems, the safety function is supported by one or more SIL-certified monitors.
These monitors supply alarm and status information to one or more relay modules. The relay
modules consume the information to resolve machine trip logic and drive their relay outputs.
The 3500 system also has relay modules that observe the alarming networks and drive relays
based on user programmable relay logic. The relay outputs are the monitoring system’s safety
output function. The relay outputs are used in the greater Safety Instrumented Function (SIF)
to bring the process to a safe state.
The core 3500 system consists of the following components:
- A rack chassis
- A backplane circuit board
- Redundant power supplies
- A rack interface module
The balance of the rack is made up of a series of monitoring slots. The minimum rack includes
seven slots. The full-size rack has 14 slots. The system performs machinery monitoring
including SIL-certified functionality.

The following diagram depicts the 3500 safety element architecture:

Figure 3 - 1: 3500 Safety Element Architecture


A SIL-certified 3500 system consists of one or more certified monitors interacting with one or
more certified relay modules. The monitors and relay modules function within the 3500
architecture and communicate with each other. The monitors and relay modules cannot be
directly interfaced to external devices except as depicted in the 3500 safety element
architecture.
The monitors and relay modules are certified individually. They can be used for many safety
instrumented function applications.

3.1 Rack Interface Module


The 3500/22M Transient Data Interface module (TDI) performs the interface functions for the
3500 system. The monitors and modules in the system must be configured using the TDI. The
TDI's Rack OK relay provides an output to indicate the overall system health.
The TDI includes the following physical and software mechanisms to prevent unauthorized
configuration changes:
- A configuration control keyswitch that locks the system configuration
- A password required to modify the system configuration

3.2 System Power Supplies


The 3500/15 System Power Supply accepts power from one of several possible power mains
sources and conditions it into the internal rack power busses that feed the installed monitors
and modules.
Each 3500/15 Power Supply can support all 3500 system functions on its own. When two
supplies are installed in a rack, they provide fully redundant system power: if one supply or
its power mains source fails, the other supply automatically carries the rack load.
For 3500 systems supporting SIL-certified safety elements, redundant power supplies are
required.

3.3 Monitors
The 3500 monitors accept inputs from transducers in the field and condition signals into
measurements useful for machinery protection. The monitors constantly compare the
measurements against configured alarm setpoints to generate alarm and channel OK statuses.
These statuses are broadcast onto system alarming networks.
A monitor’s safety function is the broadcast alarm status and validity states on the alarming
network. All available software configuration options and logic parameters are valid for
supporting the safety function without restriction. These parameters can be selected and
arranged to suit application requirements.
The monitors are installed in any of the monitoring slots available in the system. Bently Nevada
offers numerous SIL-certified monitors for the 3500 system, each providing different
machinery protection capabilities. Different certified monitors can be combined and
duplicated to achieve the required safety instrumented functionality.
A 3500 monitor is composed of a main card and an I/O module. The I/O module interfaces with
the transducers producing the machinery-related signals and conditions the signals for the
monitor main card. The main card generates measurements from transducer information as
well as alarm and status messages.

3.4 Relay Modules


The 3500 system relay modules consume the alarm and status information broadcast onto the
system alarming networks. The relay modules constantly compare these messages against the
configured relay drive logic to provide machinery protection trip output capability.
A 3500 relay module is a multi-channel module composed of the following:
- A main card known as the relay controller. The relay controller interfaces with the 3500
  system alarming network to process its configured relay drive logic and generate relay
  channel drive signals.
- A relay output module. The relay I/O module accepts the relay drive signals from the
  controller and contains the relay devices that provide the machinery trip contacts.
Each channel provides independent Alarm Drive Logic functionality. Complex logic strings can
be developed using Boolean (AND and OR) logic elements. The logic acts on the alarm states
(alert, danger) and validity states (Not OK) generated by monitors. The states are available
from the system alarming networks. Each channel’s logic string drives its own relay output
intended as a machinery trip output.


3.5 3500/40_SIL Setup and Hardware


The 3500/40_SIL Proximitor Monitor is a four-channel device. When a single channel is applied
in a one-out-of-one (1oo1) architecture, the monitor can be used to achieve a SIL 2 capable
solution.
To properly configure the monitor using the 3500 Rack Configuration Software, refer to the
3500/40M Proximitor Monitor Module Operation and Maintenance Manual (Document
143488).
For proper field wiring setup to connect the transducer to the 3500/40_SIL I/O, refer to the
3500 System Field Wiring Diagram Package (Document 130432).


1. 3500/40_SIL Main Card, front view
2. Status LEDs
3. Buffered Transducer Outputs
4. Proximitor I/O Module, internal termination
5. Proximitor I/O Module, external termination
6. Proximitor I/O Module with internal barriers and internal termination

Figure 3 - 2: 3500/40_SIL Proximitor Monitor Hardware Components

SIL-Certified 3500/40_SIL I/O Modules
The following table lists SIL-certified 3500/40_SIL I/O modules:

SIL Type Designation:   3500/40_SIL-AXX-BXX
Orderable Part Number:  3500/40_SIL-AXX-BXX

I/O Description (AXX)
  01 - Proximitor I/O module with Internal Terminations
  02 - Proximitor I/O module with External Terminations
  03 - Proximitor I/O module with Internal Barriers and Internal Terminations

Approval Options (BXX)
  00 - None
  01 - CSA/NRTL/C (Class I, Div 2)
  02 - CSA, ATEX, IECEx (Class I, Zone 2)

Notes: A 3500 system with one or more barrier I/O modules must include a 3500/04 Earthing
Module.

The following table lists the spare parts for the 3500/40_SIL Proximitor Monitor:

Orderable Spare Part Number   Spare Part Type   Description                                                              Hardware Revision   Firmware Revision
3500/40_SIL (176449-01)       SIL               3500/40_SIL Proximitor Monitor                                           GA                  5.2
125680-01                     SIL               Proximitor I/O Module with Internal Terminations                         E                   N/A
126615-01                     SIL               Proximitor I/O Module with External Terminations                         D                   N/A
135489-04                     SIL               Proximitor I/O Module with Internal Barriers and Internal Terminations   M                   N/A


3.6 3500/42_SIL Setup and Hardware

The 3500/42_SIL Prox/Seismic Monitor is a four-channel device. When a single channel is
applied in a one-out-of-one (1oo1) architecture, the monitor can be used to achieve a SIL 2
capable solution.
To properly configure the monitor using the 3500 Rack Configuration Software, refer to the
3500/42M Prox/Seismic Monitor Module Operation and Maintenance Manual (Document 143489).
For proper field wiring setup to connect the transducer to the 3500/42_SIL monitor I/O, refer
to the 3500 System Field Wiring Diagram Package (Document 130432).


1. 3500/42_SIL Main Card, front view
2. Status LEDs
3. Buffered Transducer Outputs
4. Proximitor I/O Module with internal terminations. Jumpers are located on the side of
the module, as shown in the small image with the arrow.
5. Proximitor I/O Module with external terminations. Jumpers are located on the side of
the module, as shown in the small image with the arrow.
6. I/O module with internal barriers (4 x Prox/Accel).
7. I/O module with internal barriers (2 x Prox/Accel and 2 x Velomitor).
8. I/O module with internal barriers (4 x Velomitor).

Figure 3 - 3: 3500/42_SIL Prox/Seismic Hardware Components

SIL-Certified 3500/42_SIL I/O Modules
The following table lists SIL-certified 3500/42_SIL I/O modules:

SIL Type Designation:   3500/42_SIL-AXX-BXX
Orderable Part Number:  3500/42_SIL-AXX-BXX

I/O Description (AXX)
  01 - Proximitor I/O module with Internal Terminations
  02 - Proximitor I/O module with External Terminations
  04 - I/O Module with Internal Barriers, Internal Terminations, 4 x Prox/Accel
  05 - I/O Module with Internal Barriers, Internal Terminations, 2 x Prox/Accel and 2 x Velomitor
  06 - I/O Module with Internal Barriers, Internal Terminations, and 4 x Velomitor

Approval Options (BXX)
  00 - None
  01 - CSA/NRTL/C (Class I, Div 2)
  02 - CSA, ATEX, IECEx (Class I, Zone 2)

Notes: A 3500 system with one or more barrier I/O modules must include a 3500/04 Earthing
Module.

The following table lists the spare parts for the 3500/42_SIL Prox/Seismic Monitor:

Orderable Spare Part Number   Spare Part Type   Description                                                                                  Hardware Revision   Firmware Revision
3500/42_SIL (176449-02)       SIL               3500/42_SIL Prox/Seismic Monitor                                                             GC                  5.2
128229-01                     SIL               Prox/Seismic I/O Module with Internal Terminations                                           H                   N/A
128240-01                     SIL               Prox/Seismic I/O Module with External Terminations                                           G                   N/A
135489-01                     SIL               I/O Module with Internal Barriers, Internal Terminations and 4 x Prox/Accel                  R                   N/A
135489-02                     SIL               I/O Module with Internal Barriers, Internal Terminations, 2 x Prox/Accel and 2 x Velomitor   R                   N/A
135489-03                     SIL               I/O Module with Internal Barriers                                                            R                   N/A
140471-01                     SIL               Prox/Velomitor I/O Module with Internal Terminations                                         D                   N/A


4. Constraints and SIL Requirements


This section lists the requirements and recommendations for the 3500/40_SIL Proximitor
Monitor and the 3500/42_SIL Prox/Seismic Monitor Functional Safety Certified products.
- Follow the requirements and recommendations to ensure the product is correctly integrated
  into a safety-related system.
- Observe the requirements and recommendations to achieve the necessary system
  performance and prevent systematic failures of the compliant product.
For detailed information on conditions of use, refer to the certificates and test reports. Contact
Bently Nevada technical support, or visit http://www.GEmeasurement.com.

4.1 Who Should Commission and Maintain SIL Monitors?


The 3500 Monitoring System is highly configurable such that it can accommodate the needs of
various machinery monitoring and protection applications. Only qualified individuals with the
knowledge of the 3500 platform should install, configure, operate and maintain the system.
Proper training or certification in SIL applications and installations is also required.

4.2 SIL Requirements


The requirements for SIL 2 are met by using a single vibration channel to support the SIF. You
can use a single-channel architecture for machinery protection when the risk evaluation shows
that SIL 2 protection is a sufficient safeguard.
For the SIL 2 approval, we evaluated these systems using specific components and
configurations. Adhere to the following requirements to remain compliant:
- Ordering requirements: see "3500/40_SIL Setup and Hardware" on page 11 and
  "3500/42_SIL Setup and Hardware" on page 14.
- Hardware requirements: see "Hardware Requirements" on page 19.
- Software requirements: see "Software Requirements" on page 19.

Hardware Requirements
- The 3500/40_SIL Proximitor Monitor or 3500/42_SIL Prox/Seismic Monitor must be
  installed in a 3500 Rack that meets the following requirements:
  - The rack must have a 3500/22M Transient Data Interface Module.
  - The rack must contain at least one SIL-certified relay module.
- The 3500 System with the 3500/40_SIL Proximitor Monitor or 3500/42_SIL Prox/Seismic
  Monitor must be supported by redundant 3500/15 power supplies.
- You must set the system program keyswitch on the 3500/22M TDI to RUN after
  configuring the 3500/40_SIL Proximitor Monitor or 3500/42_SIL Prox/Seismic Monitor
  and commissioning the system.
- After removing any component that is part of the critical safety path in the 3500
  Monitoring System, you must perform a full proof test of the SIL system.
- An automated system must continuously monitor the System OK relay on the 3500/22M
  TDI to detect system faults.
- The 3500/40_SIL Proximitor Monitor and 3500/42_SIL Prox/Seismic Monitor operate in low
  demand mode.

Software Requirements
- You must configure the relay card used with the 3500/40_SIL Proximitor Monitor or
  3500/42_SIL Prox/Seismic Monitor per the applicable relay card SIL safety manual.
- You can configure the monitors using the available options and parameters. These values
  are valid for the safety function without restriction.
- You must perform the validation tests outlined in the following manuals:
  - The 3500/40M Monitor Manual (Document 143488).
  - The 3500/42M Monitor Manual (Document 143489).
  When the monitor reports a failure condition such as a NOT OK status or no Neuron
  communication, evaluate the behavior of the safety system at the system level.
- After downloading the configuration to the 3500/40_SIL Proximitor Monitor or 3500/42_SIL
  Prox/Seismic Monitor, upload the module configuration back to the host computer and
  compare it with the intended settings to verify that the configuration was received correctly.
- Use a password to protect the configuration of the 3500 Monitoring System.

Recommendations
We recommend having Bently Nevada Services inspect your 3500 Monitoring System when
validating and commissioning the components to ensure proper installation, configuration and
usage.


5. Functional Specifications
The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor condition
transducer inputs to create a measured value and compare the measured value to the
configured alarm set points. As a result of this comparison, the monitors generate alarm
statuses and broadcast them onto the system alarming networks. The safety function is the
monitor's broadcasting of the alarm status and validity states on the alarming network.
The test institute has assessed the associated safety-related elements of Proximitors and
system relay modules such as 3500/32M_SIL and documented the results in test reports.
Because of the need for RoHS compliance, the 3500 series of monitor modules and I/O
modules have undergone internal changes to the circuit boards. RoHS-compliant boards are
BLUE and non-RoHS-compliant boards are GREEN. There are also differences in how the
monitor modules and I/O modules are labeled. Both options are shown below, pictured
with the faceplate to the left.

1. MODULE number and
2. PWA number (blue PWA board)

Figure 5 - 1: RoHS Compliant Markings on Top Edge of Monitor Module

3. MODULE and PWA numbers

Figure 5 - 2: RoHS Compliant Markings on Side Panel of I/O Module


1. PWA number only (green PWA board)

Figure 5 - 3: Non-RoHS Compliant Marking on Top Edge of Monitor Module

2. PWA number only

Figure 5 - 4: Non-RoHS Compliant Marking on Side Panel of I/O Module


5.1 Systematic Capability


We have inspected the techniques and measures used to control and avoid systematic failures
during the different lifecycle phases of the 3500/40_SIL Proximitor Monitor and the
3500/42_SIL Prox/Seismic Monitor in accordance with IEC 61508-2, Route 1S. The internal
inspection resulted in a systematic capability of SIL 2 based on the following techniques and
measures:
- Project management according to ISO 9001
- Documentation and review activities controlled by a formal quality system
- Structured design in hardware and software
- EMC and environmental tests at increased levels for safety-related products, relative to
  the levels defined by IEC 61131-2
- Thorough and comprehensible operation and maintenance manuals
The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor are
comparable to the 3500/72M Monitor, which TÜV Rheinland has inspected for compliance
with the SIL 2 requirements of IEC 61508-2. The 3500/40_SIL and 3500/42_SIL platforms
have been developed under the same systems and processes as those used for the 3500/72M.

5.2 Architectural and Random Constraints


TÜV Rheinland of North America has certified the 3500/40_SIL Proximitor Monitor and the
3500/42_SIL Prox/Seismic Monitor as SIL 2 capable per IEC 61508 in a 1oo1 (one-out-of-
one) architecture. A hardware fault tolerance (HFT) of zero has therefore been assigned.
To achieve the targeted SIL 2, the safety-related parameters are:
- Average probability of dangerous failure on demand (PFDavg) of 10 E-3 or greater and
  less than 10 E-2, the IEC 61508-1 low-demand band for SIL 2
- The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor are
  systems operating in a low demand mode.
- The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor have a
  hardware safety integrity route of 1H.
- The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor have a
  systematic safety integrity route of 1S.
- The rated lifetime of the 3500/40_SIL Proximitor Monitor and the 3500/42_SIL
  Prox/Seismic Monitor is 10 years.

- The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor are Type
  B safety-related elements with a Safe Failure Fraction (SFF) of 60% to < 90%.
- The 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor have a
  Hardware Fault Tolerance (HFT) of zero when used in a one-out-of-one (1oo1)
  configuration.
- For the 3500/40_SIL Proximitor Monitor and the 3500/42_SIL Prox/Seismic Monitor,
  MTTR and MRT are 168 hours (one week)1.
1. MTTR and MRT were assigned as 168 hours for the purposes of generating the PFDavg
calculation. You may adjust this figure to suit your application's needs as long as the
same value is also used in the PFDavg calculation specific to the safety-related
installation.

5.3 3500/40_SIL Architectural Constraints


The 3500/40_SIL Proximitor monitor is classified as a Type B device. The type of I/O ordered
with the main card determines which safety block diagram and failure rate you must use.
The following certified 3500/40_SIL main card and I/O combinations are available:
n 3500/40_SIL-A01-BXX
See "3500/40_SIL-A01-BXX" on page 25.
n 3500/40_SIL-A02-BXX
See "3500/40_SIL-A02-BXX" on page 26.
n 3500/40_SIL-A03-BXX
See "3500/40_SIL-A03-BXX" on page 27.

3500/40_SIL-A01-BXX
The 3500/40_SIL-A01-BXX consists of the 3500/40_SIL main card and the Proximitor I/O
module with Internal Terminations. The BXX option represents the available approvals for the
3500/40_SIL. See " 3500/40_SIL Setup and Hardware" on page 11.

Figure 5 - 5: 3500/40_SIL-A01-BXX Safety Block Diagram


The following table lists the 3500/40_SIL-A01-BXX failure rates for RoHS- compliant SIL-rated
modules:

3500/40_SIL-A01-BXX RoHS

Failure modes Main board and I/O

Safe failure rate λs 1018.1 FIT

Dangerous failure rate λd 1453.3 FIT

Dangerous undetected failure rate λdu 236.3 FIT

PFDavg 1.28 E-3

The following table lists the 3500/40_SIL-A01-BXX failure rates for Non-RoHS Compliant SIL-
rated modules:

3500/40_SIL-A01-BXX Non- RoHS 

Failure modes Main board and I/O

Safe failure rate λs 1136 FIT

Dangerous failure rate λd 977 FIT

Dangerous undetected failure rate λdu 639 FIT

PFDavg 2.96 E-3

3500/40_SIL-A02-BXX
The 3500/40_SIL-A02-BXX consists of the 3500/40_SIL main card and the Proximitor I/O
module with External Terminations. The BXX option represents the available approvals for the
3500/40_SIL. See " 3500/40_SIL Setup and Hardware" on page 11.

Figure 5 - 6: 3500/40_SIL-A02-BXX Safety Block Diagram:


The following table lists the 3500/40_SIL-A02-BXX RoHS Compliant failure rates:

3500/40_SIL-A02-BXX RoHS Compliant

Failure modes Main Board and I/O

Safe failure rate λs 1019.5 FIT

Dangerous failure rate λd 1450.3 FIT

Dangerous undetected failure rate λdu 236.3 FIT

PFDavg 1.28 E-3

The following table lists the 3500/40_SIL-A02-BXX Non-RoHS Compliant failure rates:

3500/40_SIL-A02-BXX Non-RoHS

Failure modes Main Board and I/O

Safe failure rate λs 1136 FIT

Dangerous failure rate λd 977 FIT

Dangerous undetected failure rate λdu 639 FIT

PFDavg 2.96 E-3

3500/40_SIL-A03-BXX
The 3500/40_SIL-A03-BXX consists of the 3500/40_SIL main card and the Proximitor I/O
module with internal barriers. The BXX option represents the available approvals for the
3500/40_SIL. See " 3500/40_SIL Setup and Hardware" on page 11.

Figure 5 - 7: 3500/40_SIL-A03-BXX Safety Block Diagram


The following table lists the 3500/40_SIL-A03-BXX failure rates:

3500/40_SIL-A03-BXX RoHS

Failure modes Main Board and I/O Barrier

Safe failure rate λs 975.8 FIT 34.3 FIT

Dangerous failure rate λd 1338.2 FIT 87.7 FIT

Dangerous undetected failure rate λdu 231.2 FIT 6.1 FIT

PFDavg 1.33 E-3

The following table lists the 3500/40_SIL-A03-BXX failure rates for Non-RoHS Compliant SIL-
rated modules:

3500/40_SIL-A03-BXX Non-RoHS

Failure modes Main Board and I/O Barrier

Safe failure rate λs 1212 FIT 231 FIT

Dangerous failure rate λd 1048 FIT 231 FIT

Dangerous undetected failure rate λdu 660 FIT 231 FIT

PFDavg 3.9 E-3


5.4 3500/42_SIL Architectural Constraints


The 3500/42_SIL Prox/Seismic Monitor is classified as a Type B device. The type of I/O ordered
with the main card determines which safety block diagram and failure rate you must use.
The following certified 3500/42_SIL main card and I/O combinations are available:
n 3500/42_SIL-A01-BXX
See "3500/42_SIL-A01-BXX" on page 29
n 3500/42_SIL-A02-BXX
See "3500/42_SIL-A02-BXX" on page 30.
n 3500/42_SIL with Internal Barrier I/O

l A04-BXX
l A05-BXX
l A06-BXX
See "3500/42_SIL with Internal Barrier I/O" on page 31.

3500/42_SIL-A01-BXX
The 3500/42_SIL-A01-BXX consists of the 3500/42_SIL main card and the Proximitor I/O
module with Internal Terminations. The BXX option represents the available approvals for the
3500/42_SIL. See "3500/42_SIL Setup and Hardware" on page 14.

Figure 5 - 8: 3500/42_SIL-A01-BXX Safety Block Diagram


The following table lists the 3500/42_SIL-A01-BXX failure rates for RoHS Compliant SIL-rated
modules:

3500/42_SIL-A01-BXX RoHS 

Failure modes Main board and I/O

Safe failure rate λs 1037.8 FIT

Dangerous failure rate λd 1527.3 FIT

Dangerous undetected failure rate λdu 237.3 FIT

PFDavg 1.30 E-3

The following table lists the 3500/42_SIL-A01-BXX failure rates for Non-RoHS Compliant SIL-
rated modules:

3500/42_SIL-A01-BXX Non-RoHS

Failure modes Main board and I/O

Safe failure rate λs 1212 FIT

Dangerous failure rate λd 998 FIT

Dangerous undetected failure rate λdu 660 FIT

PFDavg 3.06 E-3

3500/42_SIL-A02-BXX
The 3500/42_SIL-A02-BXX consists of the 3500/42_SIL main card and the Proximitor I/O
module with External Terminations. The BXX option represents the available approvals for the
3500/42_SIL. See "3500/42_SIL Setup and Hardware" on page 14.

Figure 5 - 9: 3500/42_SIL-A02-BXX Safety Block Diagram


The following table lists the 3500/42_SIL-A02-BXX failure rates for RoHS Compliant SIL-rated
modules:

3500/42_SIL-A02-BXX RoHS

Failure modes Main Board and I/O

Safe failure rate λs 1040.1 FIT

Dangerous failure rate λd 1522.0 FIT

Dangerous undetected failure rate λdu 237.0 FIT

PFDavg 1.29 E-3

The following table lists the 3500/42_SIL-A02-BXX failure rates for Non-RoHS Compliant SIL-
rated modules:

3500/42_SIL-A02-BXX Non-RoHS

Failure modes Main board and I/O

Safe failure rate λs 1212 FIT

Dangerous failure rate λd 998 FIT

Dangerous undetected failure rate λdu 660 FIT

PFDavg 3.06 E-3

3500/42_SIL with Internal Barrier I/O
The 3500/42_SIL Prox/Seismic Monitor with Internal Barriers consists of the 3500/42_SIL main
card and one I/O module with internal Barriers. The following options are available:
n A04 provides 4 x Prox/Accel channels
n A05 provides 2 x Prox and 2 x Velomitor channels
n A06 provides 4 x Velomitor channels
The BXX option represents the available approvals for the 3500/42_SIL. See "3500/42_SIL
Setup and Hardware" on page 14.

Figure 5 - 10: 3500/42_SIL Prox/Seismic Monitor with Internal Barrier I/O Safety Block
Diagram for Options A04, A05 and A06
The following tables list the 3500/42_SIL Prox/Seismic Monitor with Barrier I/O failure rates
(RoHS Compliant) for options A04, A05 and A06:

3500/42_SIL - A04-BXX RoHS

Failure modes Main Board and I/O + Barrier

Safe failure rate λs 1036.1 FIT

Dangerous failure rate λd 1451.9 FIT

Dangerous undetected failure rate λdu 247.3 FIT

PFDavg 1.33 E-3

3500/42_SIL - A05-BXX RoHS

Failure modes Main Board and I/O + Barrier

Safe failure rate λs 1056.4 FIT

Dangerous failure rate λd 1466.4 FIT

Dangerous undetected failure rate λdu 253.1 FIT

PFDavg 1.35 E-3

3500/42_SIL - A06-BXX RoHS

Failure modes Main Board and I/O + Barrier

Safe failure rate λs 1077.9 FIT

Dangerous failure rate λd 1498.6 FIT

Dangerous undetected failure rate λdu 264.1 FIT

PFDavg 1.41 E-3

The following tables list the 3500/42_SIL Prox/Seismic Monitor with Barrier I/O failure rates
(Non-RoHS Compliant) for options A04, A05 and A06:

3500/42_SIL - A04-BXX Non-RoHS

Failure modes Main Board and I/O Barrier

Safe failure rate λs 1212 FIT 231 FIT 

Dangerous failure rate λd 998 FIT 231 FIT

Dangerous undetected failure rate λdu 660 FIT 231 FIT 

PFDavg 3.9 E-3

3500/42_SIL - A05-BXX Non-RoHS

Failure modes Main Board and I/O Barrier

Safe failure rate λs 1212 FIT 231 FIT

Dangerous failure rate λd 998 FIT 231 FIT

Dangerous undetected failure rate λdu 660 FIT 231 FIT

PFDavg 3.9 E-3

3500/42_SIL - A06-BXX Non-RoHS

Failure modes Main Board and I/O Barrier

Safe failure rate λs 1212 FIT 231 FIT

Dangerous failure rate λd 998 FIT 231 FIT

Dangerous undetected failure rate λdu 660 FIT 231 FIT 

PFDavg 3.9 E-3


6. Failure Modes
NOTE

When performing the FMEA on the 3500/40_SIL Proximitor Monitor or the 3500/42_SIL
Prox/Seismic Monitor, the failure modes of the input sensors (Proximitor, accelerometer or
seismic) were not included in the FMEA calculation.

This chapter covers the failure modes of the 3500/40_SIL Proximitor Monitor and the
3500/42_SIL Prox/Seismic Monitor and their internal diagnostics system. Subsequent sections
list the estimated failure rate for each failure mode.
The failure rates are driven by the following assumptions:

n Failure rates are based on the Siemens standard SN 29500 at the maximum temperature
limits stated in the user manual of the relevant component.
n The failure rate is constant over time.
n The listed failure rates are in Failures in Time (FIT), that is, failures per 10^9 hours.

For the failure rates of the relay or a sensor, refer to their SIL manuals.
The 3500/40_SIL Proximitor and the 3500/42_SIL monitors are set up for a single monitor
channel in a 1oo1 configuration. This configuration provides a hardware fault tolerance of zero.
These monitors are Type B safety related elements or subsystems.

6.1 Failure Modes of the Modules


A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/40_SIL and 3500/42_SIL modules. For failure mode information refer to the
SIL certification report, which includes the required information from the FMEDA.

6.2 Failure Modes Not Detected by Internal Diagnostics


A failure mode may occur in the 3500/40_SIL Proximitor Monitor or the 3500/42_SIL
Prox/Seismic Monitor that the internal diagnostics of the monitor do not detect. For every
such undetected failure, whether it is safe or dangerous, the following is true:
n The monitor does not report the failure mode.
n The monitor does not adjust the alarm output states.

n The Rack OK relay does not change state.


6.3 Failure Modes Detected by Internal Diagnostics


The 3500/40_SIL Proximitor or 3500/42_SIL Prox/Seismic monitors have internal diagnostics
capabilities. When any failure is detected by the diagnostics, the monitor responds by
annunciating the condition. The Rack OK relay on the 3500/22M TDI changes state to NOT OK.
If the detected fault affects the ability of the monitor to perform its alarming function, the
fault is a dangerous failure. Therefore, the following actions are taken:
n The monitor adjusts the broadcast message on the alarming network to indicate the
channel is invalid.
n The system relay module uses the invalid alarm status to adjust its alarm drive logic per
its application-specific logic configuration.

When a fault prevents the monitor from generating alarming messages, the system relay
module detects the loss of alarming communication and responds by adjusting its alarm drive
logic per its application-specific configuration.
When the monitor or the system relay module detects a fault, the 3500/22M TDI records the
failure in the 3500 System Event List. For a list of failure codes detected by the internal
diagnostic system, refer to the following sources:
n The 3500/40M Operation and Maintenance Manual (Document 143488)
n The 3500/42M Operation and Maintenance Manual (Document 143489)

Diagnostic Test Interval


The internal diagnostic tests run on a cycle of at most one hour; in most cases the interval
is much shorter. Under worst-case conditions a complete diagnostic pass can therefore take
up to one hour, so a detected fault may be annunciated up to one hour after it occurs.

System Outputs
When the internal diagnostic system of the 3500/40_SIL Proximitor and 3500/42_SIL
Prox/Seismic detects a failure mode, the state of the Rack OK relay changes to NOT OK.

LED Fault Conditions


For a list of the LED fault conditions, refer to the following sources:
n The 3500/40M Operation and Maintenance Manual (Document 143488)
n The 3500/42M Operation and Maintenance Manual (Document 143489)

6.4 Failure Modes of the Diagnostic System


A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/40_SIL and 3500/42_SIL modules. For failure mode information refer to the
SIL certification report, which includes the required information from the FMEDA.

6.5 External Diagnostics


A 3500 Monitoring System with the 3500/40_SIL Proximitor or 3500/42_SIL Prox/Seismic
monitors must include at least one of the SIL-certified system relay modules. The relay module
provides safety relay output functionality to the system. It also functions as an external
diagnostic device when the monitor cannot broadcast alarming messages. You must configure
the relay drive logic with at least one alarm.
To support the SIL-certified monitor, the 3500 system must have a 3500/22M TDI module. The
Rack Interface Module performs diagnostics on the installed monitors and I/O modules. These
diagnostics are different from those performed by each monitor internally.
When the Rack Interface Module detects a failure mode for one of the monitors, it changes the
status of the Rack OK relay to NOT OK.
A Failure Modes, Effects and Diagnostic Analysis (FMEDA) report is available from Bently
Nevada for 3500/40_SIL and 3500/42_SIL modules. For failure mode information refer to the
SIL certification report, which includes the required information from the FMEDA.


7. Periodic Proof Test


You cannot repair the circuit boards and components of the 3500 modules in the field. To
maintain the 3500 rack, you can test the monitors' channels to verify their operation. Replace
the monitors and modules that are not operating correctly.
If the 3500 rack is not in a hazardous area, you may install the 3500/40_SIL Proximitor or
3500/42_SIL Prox/Seismic into or remove the monitor from the rack while power is applied to
it.
If the 3500 rack is in a hazardous area, refer to the Rack Installation and Maintenance Manual
(Document 129766) for the proper installation and removal procedures.
Standard IEC/EN 60079-0 defines a hazardous environment as an area in which an explosive
atmosphere is present, or may be expected to be present, in quantities that require special
precautions for the construction, installation and use of electrical apparatus.

7.1 How to Choose a Periodic Proof Test Interval


The proof test coverage provided by the internal diagnostic functionality of the 3500/40_SIL
Proximitor and 3500/42_SIL Prox/Seismic monitors is 78.5%. Dangerous failures that fall
outside the monitors' diagnostic capabilities are dangerous undetected failures (λdu in the
tables of sections 5.3 and 5.4). They must be detected by the periodic proof test.
We recommend a periodic proof test interval of 1 year. Using the PFDavg equation from
IEC 61508-6 that is appropriate for the specific safety-related system, you can determine the
effect on the PFDavg value of a longer or shorter periodic proof test interval.
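As an added worked example (not from this manual or from Bently Nevada), the following Python script implements the IEC 61508-6 Annex B simplified equation for a 1oo1 channel, PFDavg = λDU × (T1/2 + MRT) + λDD × MTTR with λDD = λD − λDU, and applies it to the failure rates tabulated in sections 5.3 and 5.4. It also covers the MTTR/MRT adjustment described in the note to section 5.2, since both times are parameters. With the manual's 168 h MTTR and MRT and a one-year proof test interval it reproduces the tabulated PFDavg for the non-barrier variants (for example 1.28 E-3 for 3500/40_SIL-A01-BXX RoHS and 2.96 E-3 for the Non-RoHS version); the internal barrier variants tabulate values this simplified equation does not reproduce exactly, so use the FMEDA figures for those. All function and variable names are this example's own.

```python
"""Worked PFDavg example for a 1oo1 monitor channel (added illustration, not
part of the Bently Nevada manual).  Implements the IEC 61508-6 Annex B
simplified equation for a 1oo1 architecture:

    PFDavg = lambda_DU * (T1/2 + MRT) + lambda_DD * MTTR

with lambda_DD = lambda_D - lambda_DU.  Failure rates are given in FIT
(failures per 1e9 hours); all times are in hours."""

FIT = 1e-9             # one FIT is one failure per 10^9 device-hours
HOURS_PER_YEAR = 8760

# Low demand SIL bands from IEC 61508-1: lower bound inclusive, upper exclusive.
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def pfd_avg_1oo1(lambda_d_fit, lambda_du_fit, proof_test_interval_h=HOURS_PER_YEAR,
                 mttr_h=168.0, mrt_h=168.0):
    """Average probability of dangerous failure on demand for one 1oo1 channel."""
    if lambda_du_fit > lambda_d_fit:
        raise ValueError("dangerous undetected rate cannot exceed total dangerous rate")
    lambda_du = lambda_du_fit * FIT
    lambda_dd = (lambda_d_fit - lambda_du_fit) * FIT
    # Undetected faults persist for half the proof test interval on average, plus
    # the repair time once the proof test finds them; detected faults are exposed
    # only for the repair time that follows automatic detection.
    return lambda_du * (proof_test_interval_h / 2 + mrt_h) + lambda_dd * mttr_h


def sil_for_pfd(pfd):
    """SIL band a PFDavg falls in; 0 means no SIL is claimable (PFDavg >= 0.1)."""
    if pfd < SIL_BANDS[0][1]:
        return 4  # IEC 61508 defines no level above SIL 4
    for sil, low, high in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return 0


def interval_sweep(lambda_d_fit, lambda_du_fit, years=(1, 2, 5, 10), **kw):
    """PFDavg and SIL band for a range of proof test intervals given in years."""
    result = {}
    for y in years:
        pfd = pfd_avg_1oo1(lambda_d_fit, lambda_du_fit,
                           proof_test_interval_h=y * HOURS_PER_YEAR, **kw)
        result[y] = (pfd, sil_for_pfd(pfd))
    return result


if __name__ == "__main__":
    # Rates copied from the manual's 3500/40_SIL-A01-BXX RoHS table (FIT).
    lam_d, lam_du = 1453.3, 236.3
    print(f"1-year proof test, MTTR = MRT = 168 h: PFDavg = {pfd_avg_1oo1(lam_d, lam_du):.2e}")
    for years, (pfd, sil) in interval_sweep(lam_d, lam_du).items():
        print(f"{years:>2} yr proof test interval: PFDavg = {pfd:.2e} -> SIL {sil}")
    # Same model with a longer assumed repair time, as the section 5.2 note permits.
    longer = pfd_avg_1oo1(lam_d, lam_du, mttr_h=720, mrt_h=720)
    print(f"1-year interval, MTTR = MRT = 720 h: PFDavg = {longer:.2e}")
```

The sweep shows why the one-year recommendation matters: for the A01 RoHS rates the channel stays inside the SIL 2 band at 1, 2 and 5 year intervals but crosses into SIL 1 territory at 10 years. The figure is for the monitor channel alone; the PFDavg of the complete safety function must also include the sensor, the relay module and the final element, whose failure rates the manual directs you to take from their own SIL manuals.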

7.2 Periodic Proof Test Guide


The proof test verifies the hardware and configuration integrity. The following manuals
describe the verification procedures and the recommended test equipment:

n 3500/40M Proximitor Monitor Module Operation and Maintenance Manual (Document
143488).
n 3500/42M Prox/Seismic Monitor Module Operation and Maintenance Manual (Document
143489).
