
SIL Safety Manual

Bently Nevada* Asset Condition Monitoring

3500/53 Overspeed Detection System

Part Number 105M6369-01


Rev. - (10/14)
3500/53 SIL safety manual

© 2014 Bently Nevada, Inc.


All rights reserved.

The information contained in this document is subject to change without notice.

* Denotes a trademark of Bently Nevada, Inc., a wholly owned subsidiary of General
Electric Company.

Bently Nevada, Proximitor

Printed in USA. Uncontrolled when transmitted electronically

Contact Information

The following contact information is provided for those times when you cannot contact
your local representative:

Mailing Address:  1631 Bently Parkway South
                  Minden, Nevada USA 89423
                  USA
Telephone:        1.775.782.3611
                  1.800.227.5514
Fax:              1.775.215.2873
Internet:         www.ge-mcs.com/bently

Additional Information
Notice:
This manual does not contain all the information required to operate and maintain
the product. Refer to the following manuals for other required information.

3500 Monitoring System Installation and Maintenance Manual (part number 129766-01)

3500 Monitoring System Rack Configuration and Utilities Guide (part number 129777-01)
3500 Field Wiring Diagram Package (part number 130432-01)
3500/53 Electronic Overspeed Detection System Data Sheet (part number 14139-01)

Product Disposal Statement


Customers and third parties, who are not member states of the European Union, who are
in control of the product at the end of its life or at the end of its use, are solely responsible
for the proper disposal of the product. No person, firm, corporation, association or agency
that is in control of product shall dispose of it in a manner that is in violation of any
applicable federal, state, local or international law. Bently Nevada, Inc. is not responsible
for the disposal of the product at the end of its life or at the end of its use.


Contents
1. Purpose
  1.1 Abbreviations
  1.2 Definitions
  1.3 References
2. Functional Specifications
  2.1 Three Channel Overspeed Detection System
3. Hardware Identification
4. Constraints
5. Limitations and Requirements of use
  5.1 Configuration Limitations and Requirements
  5.2 Requirements of Use
6. Failure Modes
  6.1 Failure modes of the internal diagnostics system
    6.1.1 Estimated failure rate
  6.2 Failure modes that are not detected by internal diagnostics
    6.2.1 Estimated failure rate
  6.3 Failure modes that are detected by internal diagnostic
    6.3.1 Estimated failure rate
    6.3.2 Diagnostic test interval
    6.3.3 The output of the overspeed protection system
7. Periodic proof test
8. List of failure codes detected by the internal diagnostic system
9. Hardware fault tolerance and classification type

1. Purpose
The purpose of this safety manual is to document all the information relating to the
3500/53 functional safety system. This safety manual is required in order to enable the
integration of the 3500/53 into a safety related system and to be in compliance with the
requirement of IEC 61508-2 Annex D.

1.1 Abbreviations
• ANSI/ISA – American National Standard Institute / International Society of
Automation
• API - American Petroleum Institute
• ARM - Armature
• CE – Conformité Européenne (European Conformity)
• DC - diagnostic coverage
• FIT - failures in time
• FMEA - failure mode effect and analysis
• FS – Functional Safety
• HFT - hardware fault tolerance
• IEC – International Electro-technical Commission
• IMC - inter-module communication
• MTBF - mean time between failure
• MTTF - mean time to failure
• NC - Normally Closed
• NDE - Normally De-energized
• NE - Normally Energized
• NO - Normally Open
• ODS - overspeed detection system
• OPS - overspeed protection system
• PFD - probability of failure on demand
• SIL – Safety Integrity Level
• SFF - safe failure fraction
• TMR – Triple Modular Redundant
• TUV – Technischer Überwachungsverein (Technical Inspection)


1.2 Definitions
Overspeed Protection System (OPS):
The complete electro-mechanical (hydro-mechanical or electro-pneumatic)
system that senses the onset of an overspeed condition, and automatically
shuts the machine down by closing (or opening) valves, solenoids, and other
devices necessary to bring the machine to a safe halt.

Overspeed Detection System (ODS):


One part of the larger OPS system. It is responsible for consuming the sensor
input measurements observing the speed wheel, and providing a signal suitable
for triggering the rest of the OPS system. The rest of the OPS system removes
the energy from the machine, and brings it to a safe halt. The ODS supplies this
signal in the form of activation of one or more electrical relays.

Dependent Voting:
All Overspeed Detection monitors in the ODS Group will drive their relays
simultaneously if a group voting criterion is met (for example, two out of three
monitors vote for shutdown). This option applies to both the Overspeed relay
and the Alert relays. The Channel Not OK relays always vote independently.

Independent Voting:
Each Overspeed Detection monitor in the ODS Group will drive the relays on its
Overspeed Detection I/O module independently of the other monitors in the set.
This option applies to both the Overspeed relay and the Alert relays. The
Channel Not OK relays always vote independently.

Channel Not OK:


The Channel Not OK is a voltage check between the COM and SIG inputs of the
ODS I/O against the upper and lower OK limits set in the monitor by Rack
Configuration. If the voltage between the COM and SIG inputs is above the
upper OK limit or below the lower OK limit, a Channel Not OK will be produced,
causing the OK Relay to change state (de-energize).

Monitor or ODS Output:
See figure 1.2-1 for Monitor or ODS output.

Figure 1.2-1: 3500/53 Monitor and ODS output

Normally Energized versus Normally De-energized relay:
See figure 1.2-2 for Normally Energized or Normally De-energized relay.

Figure 1.2-2: Normally Energized versus Normally De-energized relay

1. No power, no alarm (shelf state)


2. With power, no alarm
3. With power, in alarm

1.3 References
“Considerations When Retrofitting Overspeed Detection Systems,” ORBIT magazine,
Vol. 25 No. 1, First Quarter 2005, pp. 16-28.

“Application of Safety Instrumented Systems for the Process Industries,”
ANSI/ISA-84.01-1996, First Edition, The Instrumentation, Systems, and
Automation Society, Research Triangle Park, NC (1996).

“Axial and Centrifugal Compressors and Expander-compressors for Petroleum, Chemical
and Gas Industry Services,” API Standard 617, Seventh Edition, American Petroleum
Institute, Washington, D.C. (2002).

“Electronic Overspeed Detection Systems,” ORBIT magazine, Vol. 20 No. 2,
Second/Third Quarters 1999, pp. 44-45.

“Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related
Systems,” IEC 61508, First Edition, International Electrotechnical Commission (IEC),
Geneva, Switzerland (1998).

“Functional Safety: Safety Instrumented Systems for the Process Sector,” IEC 61511,
First Edition, International Electrotechnical Commission (IEC), Geneva, Switzerland (2003).

“Process Instrumentation and Control,” API Recommended Practice 554, First Edition,
American Petroleum Institute, Washington, D.C. (1995).

“Machinery Protection Systems,” API Standard 670, Fourth Edition, American Petroleum
Institute, Washington, D.C. (2000).

“Petroleum, Petrochemical, and Natural Gas Industries – Steam Turbines – Special-purpose
Applications,” API Standard 612, Fifth Edition, American Petroleum Institute,
Washington, D.C. (2003).

US MIL-STD-1629A-1984. Procedures for Performing a Failure Mode Effects and Criticality
Analysis.

IEC 60812. Ed. 1.0. 1985. Analysis Techniques for System Reliability – Procedure for Failure
Mode and Effects Analysis (FMEA).

Potential Failure Mode and Effects Analysis in Design (Design FMEA) and Potential Failure
Mode and Effects Analysis in Manufacturing and Assembly Processes (Process FMEA)
Reference Manual. Society of Automotive Engineers, 2000.

Failure Mode / Mechanism Distributions. Reliability Analysis Center, 1997.

US MIL-HDBK-217F-1992. Failure Rates for Electronic Components.

Safety Equipment Reliability Handbook. exida, 2003. (available from ISA)

Component Failure Data Handbook. exida, 2005.

Bouricius, W. G., W. C. Carter, and P. R. Schneider. “Reliability Modeling Techniques for
Self-Repairing Systems.” Proceedings of ACM Annual Conference, 1969. Reprinted in
Tutorial -- Fault-Tolerant Computing. V. P. Nelson and B. N. Carroll, eds. IEEE Computer
Society Press, 1987.

Collett, R. E. and P. W. Bachant. “Integration of BIT Effectiveness with FMECA.” 1984
Proceedings of the Annual Reliability and Maintainability Symposium. IEEE, 1984.

Lasher, R. J. “Integrity Testing of Control Systems.” Control Engineering. February 1990.

Johnson, D. A. “Automatic Fault Insertion.” InTech. November, 1994 (pp. 42-43).

Goble, W. M., J. V. Bukowski, and A. C. Brombacher. “How Diagnostic Coverage Improves
Safety in Programmable Electronic Systems.” ISA Transactions (Vol. 36, No. 4). Elsevier,
1997.

Goble, W. M. and Brombacher, A. C., “Using a Failure Modes, Effects and Diagnostic
Analysis (FMEDA) to Measure Diagnostic Coverage in Programmable Electronic Systems,”
Reliability Engineering & System Safety, Vol. 66, No. 2, November 1999.

Goble, W. M. “Accurate Failure Metrics for Mechanical Instruments.” Proceedings of the
IEC61508 Conference (Augsburg, Germany). RWTUV, January 2003.

Brombacher, A. C., Van der Wal, J., Rouvroye, J. L. and Spiker, R., “RIFIT: A Technique to
Analyze the Safety of Programmable Safety Systems,” Proceedings of TECH97, NC:
Research Triangle Park, ISA, 1997.

2. Functional Specifications
The Bently Nevada* Electronic Overspeed Detection System for the 3500 Series Machinery
Detection System provides a highly reliable, fast response, redundant tachometer system
intended specifically for use as part of an overspeed protection system. It is designed to
meet the requirements of American Petroleum Institute (API) Standards 670 and 612
pertaining to overspeed protection.

The 3500/53 modules can be combined to form a 2-out-of-2 or a 2-out-of-3
(recommended) voting system. When using the Overspeed Detection System in a safety
function, 2-out-of-3 voting must be used. Refer to section 2.1 on the setup of the
Overspeed Detection System.


2.1 Three Channel Overspeed Detection System


The Three Channel Overspeed Detection System provides high reliability overspeed
protection as part of the 3500 Machinery Management and Protection System. A Three
Channel Overspeed Detection System includes the 3500 rack, 3500 Power Supplies, the
Transient Data Interface Module, and three separate Overspeed Detection monitors. Three
separate transducer inputs are required. The 3500/53 monitor can be installed in any slot
to the right of the Transient Data Interface Module (2 to 15) but must be installed adjacent
to each other in a group of three. Only one Overspeed Detection System may be installed
in each 3500 rack (unless an appropriate Custom Products modification is installed on the
system backplane). The Three Channel Overspeed Detection System may be installed in a
3500 rack that includes other 3500 monitoring functions.

The Three Channel Overspeed Detection System provides 3 channels of independent
speed monitoring. The Three Channel Overspeed Detection System can be configured to
provide 2 out of 3 voting on alarming. With this voting, the alarm outputs from each
monitor are compared and two monitors must agree before a relay is driven.
Communication between monitors is done using a high speed inter-module
communication network on the system backplane.

Figure 2-1: Typical Overspeed System


1. Interposing relays
2. Control oil supply
3. Solenoid
4. Drain
5. Fuel
6. Trip valve
7. Power supplies
8. 3500 Overspeed Detection System
9. Operator
3. Hardware Identification
3500/53_SIL3 Overspeed Detection System is the SIL 3 FS certified version of our standard
Overspeed Detection System. It is offered in a Triple Modular Redundant (TMR)
configuration and can be used with 3300XL series Proximity Transducer Systems or
passive magnetic speed pick-ups. See figure 3-1 below for hardware identification.

Figure 3-1: 3500/53 hardware identification

1) Main Module, front view.


2) Status LEDs
3) Buffered transducer output. Provides an unfiltered output for
the transducer. The output is short-circuit protected.
4) I/O Module, rear view.


4. Constraints
The following are requirements and recommendations for Functional Safety products to be
applied to the configuration and installation of Functional Safety Certified systems. For
detailed information on conditions of use, refer to the certificates and test reports, contact
Bently Nevada technical support or visit: www.ge-mcs.com/Bently.

• Relays to be configured for normally energized, see figure 1.2-2 and Note in this
section for more information.
• Relay 1 on the 3500/53 I/O is to be used for overspeed only (OPS relay)
• No external OR-ing or AND-ing of the OPS relay on the 3500/53 I/O to other relays
• Only those components contained within the TUV certified configurations can be
used within certified systems. Contact your local representative for details
• Dual power supplies are required
• For Overspeed the “OR Channel Not OK with Overspeed Voting” option must be
selected
• For all TMR, ‘Comparison Voting’ must be used
• Verification of configuration – upload the rack configuration after the configuration
has been loaded and compare it to the specified settings
• GE Bently Nevada Services to inspect during validation/commissioning for proper
installation, configuration and usage
• A complete validation test (proof test) must be performed annually

Alert
The monitor must be properly secured in the rack using the thumb screws. Failure to do so could result in
erroneous signals that could cause a false trip.

Warning
Removal of an Overspeed Detection monitor from an Overspeed Detection System can result in loss of
protection against an overspeed event. An overspeed event can result in damage to machinery, the
environment, and personnel including injury or death.

Do not remove an Overspeed Detection monitor while the machine is running unless online replacement of
the monitor is necessary.

To perform an online removal and replacement of an Overspeed Detection monitor follow these guidelines:
1. Review the maintenance manual instructions for replacement of an overspeed monitor.
2. Take the machine to a safe state if practical. If that is not practical then ensure the machine is
operating normally and heightened operator awareness is established during the monitor
replacement.
3. Have a spare ready when the replacement is initiated.
4. Only remove one overspeed monitor at a time.
5. Configure and restore to service the new replacement before removing another overspeed monitor.

Application Advisory
Bently Nevada strongly recommends the use of a Three Channel Overspeed Detection System. A Three
Channel Overspeed Detection System can be configured so that no single point failure will cause either a
missed overspeed alarm or a false machine shutdown. The use of redundant power supplies in a 3500 rack
containing the Overspeed Detection System is required.

Note
Relay contacts are marked NC (Normally Closed), NO (Normally Open), and ARM (Armature). NC and NO
define the state of the relay contacts with no power applied to the relay coil (de-energized).


5. Limitations and Requirements of use


SIL certified 3500/53 Overspeed protection systems are subject to certain configuration
restrictions and conditions of use as specified in the certificate and test report and as
described below.

5.1 Configuration Limitations and Requirements


• Installation performed by Bently Nevada personnel
• Discrete configuration only (each monitor channel has dedicated transducers)
• Redundant power supplies are required
• Overspeed Protection System must have three 3500/53 monitors
• IMC must be enabled
• OR "Not OK" Voting enabled
• Percentage Comparison enabled
• CE Mark required
• Agency Approvals required
• Only 3300 XL Proximitors* and certain Magnetic Pick-ups are allowed
• Only accepted Proximity Probes allowed (Reference current FS Mark certificate for
the complete list of approved transducers.)
• Reference current FS Mark certificate for a list of intrinsically safe barriers allowed
for use in a Functional Safety System
• Only Normally Energized relays are allowed for use

5.2 Requirements of Use
• Before attempting to update any firmware for a certified system, verify that the
new firmware revision is included in the latest TUV FS Mark certificate. Do not
download a firmware version that is not listed in the FS Mark certificate.
• The surge protection devices that are normally present at the relay outputs have
been removed. If required, external devices need to be placed in parallel with relay
loads.
• After each download of the configuration parameters to the 3500/53 monitors a
visual verification must be performed. This can be accomplished by uploading the
values into the configuration software and viewing the retrieved configuration
parameters. Additionally, a complete validation test must be performed whenever a
new configuration is downloaded to certified systems.
• A complete validation test (proof test) must be performed at least every three years.
Bently Nevada recommends that interval not exceed 18 months.
• In the event that an individual 3500/53 monitor, within the three monitor 3500
Overspeed Protection System fails, the certificate will remain in force for a
maximum of one week before the failed channel must be repaired. If more than one
week passes prior to the failed monitor being repaired or replaced, the certificate
becomes invalid until the failure is resolved.
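
Added example (not part of the manual and not code from the Rack Configuration software): one way to automate the "upload and compare" verification step and to check an uploaded configuration against the constraints listed in sections 2.1, 4, 5.1 and 5.2. The dictionary layout, every key name and the firmware placeholder are hypothetical; the real export format of the configuration software is not shown in this manual.

```python
import copy


def flatten(node, prefix=""):
    """Flatten nested dicts and lists into {"a.b[0].c": value} for comparison."""
    out = {}
    items = enumerate(node) if isinstance(node, list) else node.items()
    for key, value in items:
        if isinstance(node, list):
            path = f"{prefix}[{key}]"
        else:
            path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, (dict, list)):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def diff_settings(specified, uploaded):
    """Return {path: (specified_value, uploaded_value)} for each differing field."""
    spec, up = flatten(specified), flatten(uploaded)
    return {p: (spec.get(p), up.get(p))
            for p in sorted(set(spec) | set(up)) if spec.get(p) != up.get(p)}


def check_sil_config(cfg, certified_firmware):
    """List deviations from the constraints in sections 2.1, 4, 5.1 and 5.2."""
    findings = []
    monitors = cfg.get("monitors", [])
    slots = sorted(m["slot"] for m in monitors)
    # Three monitors, adjacent to each other, in slots 2 to 15.
    if len(monitors) != 3:
        findings.append(f"expected three 3500/53 monitors, found {len(monitors)}")
    elif slots != list(range(slots[0], slots[0] + 3)) or slots[0] < 2 or slots[-1] > 15:
        findings.append(f"monitors must occupy three adjacent slots within 2..15: {slots}")
    for m in monitors:
        where = f"slot {m['slot']}"
        if m.get("relay_mode") != "NE":
            findings.append(f"{where}: relays must be normally energized")
        if m.get("relay1_event") != "overspeed":
            findings.append(f"{where}: relay 1 must be used for overspeed only")
        # Section 5.2: only firmware listed in the FS Mark certificate.
        if m.get("firmware") not in certified_firmware:
            findings.append(f"{where}: firmware {m.get('firmware')!r} is not on the certificate list")
    options = cfg.get("group_options", {})
    for key in ("imc_enabled", "or_not_ok_with_overspeed", "percentage_comparison"):
        if options.get(key) is not True:
            findings.append(f"group option {key} must be enabled")
    if cfg.get("power_supplies", 0) < 2:
        findings.append("redundant power supplies are required")
    return findings


# Constructed sample data. "REV-PLACEHOLDER" stands in for a revision listed in
# the current FS Mark certificate; the manual gives no real revision values.
CERTIFIED_FIRMWARE = {"REV-PLACEHOLDER"}
SPECIFIED = {
    "power_supplies": 2,
    "group_options": {"imc_enabled": True, "or_not_ok_with_overspeed": True,
                      "percentage_comparison": True},
    "monitors": [{"slot": s, "relay_mode": "NE", "relay1_event": "overspeed",
                  "firmware": "REV-PLACEHOLDER"} for s in (2, 3, 4)],
}
UPLOADED = copy.deepcopy(SPECIFIED)
UPLOADED["group_options"]["imc_enabled"] = False   # constructed deviation
UPLOADED["monitors"][2]["relay_mode"] = "NDE"      # constructed deviation

if __name__ == "__main__":
    for path, (want, got) in diff_settings(SPECIFIED, UPLOADED).items():
        print(f"DIFF {path}: specified={want!r} uploaded={got!r}")
    for finding in check_sil_config(UPLOADED, CERTIFIED_FIRMWARE):
        print("FINDING", finding)
```

A script like this supplements the visual verification and the validation test required above; it does not replace either.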


6. Failure Modes
Note
When performing the FMEA on the 3500/53 ODS, the failure modes of the input sensors (Proximitor or
magnetic pickup) were not included in the FMEA calculation.

This section covers the failure modes of the ODS diagnostics system, and includes
hardware failures that are detected and not detected. The estimated failure rate for each
of these failure modes is given in a subsection following the corresponding failure mode.

6.1 Failure modes of the internal diagnostics system


When the internal diagnostics system fails in a particular channel of the overspeed
detection system, there are two possible scenarios:
1. The failure results in the corresponding monitor of that speed channel rebooting
and restarting the diagnostics system.
2. The failure results in the corresponding monitor of that speed channel rebooting
but not restarting the diagnostic system. If this happens in conjunction with a
dangerous undetected or detectable failure, it may result in no overspeed detection
for that particular channel.
If the second scenario occurs, the voting of the remaining two 3500/53 monitors will change
from dependent to independent. When this happens, the three TMR overspeed protection
relays may not all be in the same state when an overspeed alarm is annunciated. For more
information, see the voting tables in section 6.3.3.2 for independent voting and in
section 6.3.3.3 for dependent voting.

6.1.1 Estimated failure rate


From a FMEA done on the 3500/53, using the Telcordia SR-332 Issue 3 method, it was
found that one monitor (P/N: 133388-01) is estimated to have 375.5900 failures after one
billion hours running and the I/O (P/N: 133396-01) is estimated to have 190.4100 failures
after one billion hours. When both of these failure rates are combined, it will yield an
estimated failure rate of 566.0000 failures after one billion hours with a confidence level of
60%.

6.2 Failure modes that are not detected by internal diagnostics
Refer to the voting tables, section 6.3.3.3, for random hardware failures of the ODS that
result in a failure of the functions, with the exception of an IMC failure.
If an IMC failure occurs, the ODS will change from dependent voting to independent voting;
see the independent voting tables in section 6.3.3.2 for more information. When this
happens, the three TMR overspeed protection relays may not all be in the same state when
an overspeed alarm is annunciated.
Some common cases that cause an IMC failure include the following:
• Physically removing one (or more) /53 ODS monitor(s) from the rack.
• Physically removing one (or more) /53 ODS I/O(s) from the rack.
• Hardware or electrical failures of one (or more) /53 ODS monitor(s) diagnostic
systems.
• Hardware failures of one (or more) /53 ODS monitor(s) IMC communication lines.

6.2.1 Estimated failure rate


From a FMEA done on the 3500/53 using the Telcordia SR-332 Issue 3 method, it was
found that one monitor (P/N: 133388-01) is estimated to have 107.9700 failures after one
billion hours running and the I/O (P/N: 133396-01) is estimated to have 163.7694 failures
after one billion hours. When both of these failure rates are combined, it will yield an
estimated failure rate of 271.7394 failures after one billion hours with a confidence level of
60%.

6.3 Failure modes that are detected by internal diagnostic
Each channel monitor in the ODS has the ability to perform internal diagnostics and
displays any failures in the 3500 System Event List. Refer to section 8 for a full list of failure
codes that are detected by the internal diagnostic system.

6.3.1 Estimated failure rate


From a FMEA done on the 3500/53 using the Telcordia SR-332 Issue 3 method, it was
found that one monitor (P/N: 133388-01) is estimated to have 114.9400 failures after one
billion hours running and the I/O (P/N: 133396-01) is estimated to have 0 failures after one
billion hours. When both of these failure rates are combined, it will yield an estimated
failure rate of 114.9400 failures after one billion hours with a confidence level of 60%.

6.3.2 Diagnostic test interval
The cycle interval between internal diagnostic checks is 1 hour, because the full set of
diagnostic checks may take up to 1 hour to complete.

6.3.3 The output of the overspeed protection system


Each 3500 Overspeed Detection I/O module has four independent alarm relays. The
Overspeed (Danger) Alarm will always drive relay #1. Use the Relay Association field in
Rack Configuration to configure which events will drive relays #2, #3, and #4. Only one
event may be assigned to each relay. When OR Channel not OK Voting with Overspeed
Voting is enabled in the Group Options screen, either an Overspeed alarm or a Channel not
OK event can change the state of the Overspeed relay. See figure 6.3.3-1 and 1.2-1 for
more information.

Figure 6.3.3-1: Relay Association field


The output of the ODS relay when an overspeed alarm is annunciated, depends on the
configuration of the overspeed system. Refer to the voting tables listed below, and the
configuration of the ODS, to find out what the output of the overspeed detection system
will be.

6.3.3.1 Special considerations


The following items need to be considered when looking up voting tables to find out what
the output of the ODS will be.
• User enabled bypass of a monitor
• Removing one or more monitors from a set introduces an IMC fault in the remaining
monitors of the set, which will enter a not OK state.
• Removing one or more monitors from a dependent voting set causes independent
voting on the remaining modules.

• The following events cause a monitor to enter Not OK:
    o input signal frequency less than minimum for specified transducer
    o input signal has 50% or greater change in a period when machine speed is
      greater than 100 rpm
    o IMC faults
• The following events vote for an overspeed alarm when ORing channel Not OK with
overspeed, but will NEVER latch an Overspeed alarm, see figure 6.3.3.1-1 for more
details:
    o input signal frequency of 20 KHz or greater
    o input speed greater than 99,999 rpm

Figure 6.3.3.1-1: Maximum Events Per Revolution


1. RPM
2. Event per revolution
3. Upper rpm limit is 99,999
4. Upper frequency limit is 20 KHz

• If all monitors are removed from the rack or bypassed, no alarming can take place
• The channel Not OK relays always vote independently

6.3.3.2 Voting tables, Independent voting


The following sections show how alarm voting is implemented based on the configuration
choices of independent voting and ORing Channel Not OK with overspeed voting. See
"special considerations" section 6.3.3.1 for important considerations.

6.3.3.2.1 Two-monitor overspeed group, independent voting
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the group will behave as shown. This behavior applies to overspeed and alert
relays.

Monitor #1 Status   Monitor #2 Status   Alarm Status #1   Alarm Status #2
-----------------   -----------------   ---------------   ---------------
OK                  OK                  No Alarm          No Alarm
Alarm               OK                  Alarm             No Alarm
Alarm               Not OK              Alarm             No Alarm
OK                  Not OK              No Alarm          No Alarm
Alarm               Alarm               Alarm             Alarm
Not OK              Not OK              No Alarm          No Alarm

Figure 6.3.3.2.1-1: ODS Monitor Bypass state selection in Rack Configuration

Condition 2:
When any one of the two monitors is in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining monitor will behave as shown. This
behavior applies to overspeed and alert relays. Only the active monitor is shown.

Active Monitor’s Status   Alarm Status
-----------------------   ------------
OK                        No Alarm
Not OK                    No Alarm
Alarm                     Alarm

The bypassed or removed monitor will remain in the "No Alarm" state.

6.3.3.2.2 Three-monitor Overspeed group, Independent voting


Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the group will behave as shown. This behavior applies to overspeed and alert
relays.

Monitor #1 Status   Monitor #2 Status   Monitor #3 Status   Alarm Status #1   Alarm Status #2   Alarm Status #3
-----------------   -----------------   -----------------   ---------------   ---------------   ---------------
OK                  OK                  OK                  No Alarm          No Alarm          No Alarm
Alarm               OK                  OK                  Alarm             No Alarm          No Alarm
Alarm               Alarm               OK                  Alarm             Alarm             No Alarm
Alarm               Alarm               Not OK              Alarm             Alarm             No Alarm
Alarm               Not OK              OK                  Alarm             No Alarm          No Alarm
Not OK              OK                  OK                  No Alarm          No Alarm          No Alarm
Not OK              Not OK              OK                  No Alarm          No Alarm          No Alarm
Not OK              Not OK              Alarm               No Alarm          No Alarm          Alarm
Alarm               Alarm               Alarm               Alarm             Alarm             Alarm
Not OK              Not OK              Not OK              No Alarm          No Alarm          No Alarm

Condition 2:
When any one of the three monitors is in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining two monitors will behave as shown in
Condition 1 of section 6.3.3.2.1 "Two-monitor overspeed group, independent voting."
The bypassed or removed monitor will remain in the "No Alarm" state.
Condition 3:
When any two of the three monitors are in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining monitor will behave as shown in
Condition 2 of section 6.3.3.2.1 "Two-monitor Overspeed group, independent voting."
The bypassed or removed monitors will remain in the "No Alarm" state.

6.3.3.2.3 Two-monitor, Independent Voting with OR channel Not OK


Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the overspeed relays will behave as shown.

Monitor #1 Status   Monitor #2 Status   Overspeed Alarm Status #1   Overspeed Alarm Status #2
-----------------   -----------------   -------------------------   -------------------------
OK                  OK                  No Alarm                    No Alarm
Overspeed           OK                  Alarm                       No Alarm
Overspeed           Not OK              Alarm                       Alarm
OK                  Not OK              No Alarm                    Alarm
Overspeed           Overspeed           Alarm                       Alarm
Not OK              Not OK              Alarm                       Alarm

The alert relays will behave per Condition 1 of section 6.3.3.2.1 "Two-monitor Overspeed
Group, Independent Voting."

Condition 2:
When any one of the two monitors is in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining monitor's overspeed relays will behave as
shown. Only the active monitor is shown.

Active Monitor’s Status   Overspeed Alarm Status
-----------------------   ----------------------
OK                        No Alarm
Not OK                    Alarm
Overspeed                 Alarm

The alert relays will behave per Condition 2 of section 6.3.3.2.1 "Two-monitor Overspeed
Group, Independent Voting."
The bypassed or removed monitor will remain in the "No Alarm" state.

6.3.3.2.4 Three-monitor, Independent Voting with OR Channel Not OK


Condition 1:
With no monitors bypassed, the overspeed relays will behave as shown.

Monitor #1 Status   Monitor #2 Status   Monitor #3 Status   Overspeed Alarm Status #1   Overspeed Alarm Status #2   Overspeed Alarm Status #3
-----------------   -----------------   -----------------   -------------------------   -------------------------   -------------------------
OK                  OK                  OK                  No Alarm                    No Alarm                    No Alarm
Overspeed           OK                  OK                  Alarm                       No Alarm                    No Alarm
Overspeed           Overspeed           OK                  Alarm                       Alarm                       No Alarm
Overspeed           Overspeed           Not OK              Alarm                       Alarm                       Alarm
Overspeed           Not OK              OK                  Alarm                       Alarm                       No Alarm
Not OK              OK                  OK                  Alarm                       No Alarm                    No Alarm
Not OK              Not OK              OK                  Alarm                       Alarm                       No Alarm
Not OK              Not OK              Overspeed           Alarm                       Alarm                       Alarm
Overspeed           Overspeed           Overspeed           Alarm                       Alarm                       Alarm
Not OK              Not OK              Not OK              Alarm                       Alarm                       Alarm

The alert relays will behave per Condition 1 of section 6.3.3.2.2 "Three-monitor Overspeed
Group, Independent Voting."
Condition 2:
When any one of the three monitors is in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining two monitors will behave as shown in
Condition 1 of section 6.3.3.2.3 "Two-monitor, independent voting with OR Channel Not
OK." The bypassed or removed monitor will remain in the "No Alarm" state.
Condition 3:
When any two of the three monitors are in a bypassed state, see figure 6.3.3.2.1-1, or
physically removed from the rack, the remaining monitor will behave as shown in
Condition 2 of section 6.3.3.2.3 "Two-monitor, Independent voting with OR channel Not
OK." The bypassed or removed monitors will remain in the "No Alarm" state.

6.3.3.3 Voting Tables, Dependent Voting


The tables in the following sections show how alarm voting is implemented based on the
configuration choices of Dependent Voting, OR Channel NOT OK with Overspeed Voting,
and Alarm if all group members are faulted voting. See "Special considerations" in
section 6.3.3.1 for important considerations.

6.3.3.3.1 Two-monitor Overspeed Group, Dependent Voting


Condition 1:
With no monitors bypassed or removed, the group will behave as shown. This behavior
applies to overspeed and alert relays.

Monitor #1 Status | Monitor #2 Status | Alarm Status #1 | Alarm Status #2
OK | OK | No Alarm | No Alarm
Alarm | OK | Alarm | Alarm
Alarm | Not OK | Alarm | Alarm
OK | Not OK | No Alarm | No Alarm
Alarm | Alarm | Alarm | Alarm
Not OK | Not OK | No Alarm | No Alarm

Condition 2:
When any one of the two monitors is bypassed, the monitors will behave as shown. The
behavior applies to overspeed and alert relays.

Active Monitor’s Status | Alarm Status: Active Monitor | Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm
Not OK | No Alarm | No Alarm
Alarm | Alarm | Alarm

Condition 3:
When any one of the two monitors is physically removed from the rack, the remaining
monitor will behave as shown in Condition 2 of section 6.3.3.2.1 "Two-monitor Overspeed
Group, Independent Voting." The removed monitor will remain in the "No Alarm" state.

6.3.3.3.2 Three-monitor Overspeed Group, Dependent Voting
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the group will behave as shown. This behavior applies to overspeed and alert
relays.

Monitor #1 Status | Monitor #2 Status | Monitor #3 Status | Alarm Status #1 | Alarm Status #2 | Alarm Status #3
OK | OK | OK | No Alarm | No Alarm | No Alarm
Alarm | OK | OK | No Alarm | No Alarm | No Alarm
Alarm | Alarm | OK | Alarm | Alarm | Alarm
Alarm | Alarm | Not OK | Alarm | Alarm | Alarm
Alarm | Not OK | OK | Alarm | Alarm | Alarm
Not OK | OK | OK | No Alarm | No Alarm | No Alarm
Not OK | Not OK | OK | No Alarm | No Alarm | No Alarm
Not OK | Not OK | Alarm | Alarm | Alarm | Alarm
Alarm | Alarm | Alarm | Alarm | Alarm | Alarm
Not OK | Not OK | Not OK | No Alarm | No Alarm | No Alarm

Condition 2:
When any one of the three monitors is bypassed, see figure 6.3.3.2.1-1, the group will
behave as shown. This behavior applies to overspeed and alert relays.

Active Monitor #1 Status | Active Monitor #2 Status | Alarm Status: Active #1 | Alarm Status: Active #2 | Alarm Status: Bypassed Monitor
OK | OK | No Alarm | No Alarm | No Alarm
Alarm | OK | Alarm | Alarm | Alarm
Alarm | Not OK | Alarm | Alarm | Alarm
OK | Not OK | No Alarm | No Alarm | No Alarm
Alarm | Alarm | Alarm | Alarm | Alarm
Not OK | Not OK | No Alarm | No Alarm | No Alarm

Condition 3:
When any two of the three monitors are in a bypassed state, see figure 6.3.3.2.1-1, the
group will behave as shown. This behavior applies to overspeed and alert relays.

Active Monitor’s Status | Alarm Status: Active Monitor | Alarm Status: Bypassed Monitor | Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm | No Alarm
Alarm | Alarm | Alarm | Alarm
Not OK | No Alarm | No Alarm | No Alarm

Condition 4:
When any one of the three monitors is physically removed from the rack, the remaining
two monitors will behave as shown in condition 1 of section 6.3.3.2.1 "Two-monitor
Overspeed group, Independent Voting." The removed monitor will remain in the "No
Alarm" state.
Condition 5:
When any two of the three monitors are physically removed from the rack, the remaining
monitor will behave as shown in condition 2 of section 6.3.3.2.1 "Two-monitor Overspeed
group, Independent Voting." The removed monitors will remain in the "No Alarm" state.

6.3.3.3.3 Two-monitor, Dependent Voting with OR Channel Not OK
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the overspeed relays will behave as shown.

Monitor #1 Status | Monitor #2 Status | Overspeed Alarm Status #1 | Overspeed Alarm Status #2
OK | OK | No Alarm | No Alarm
Overspeed | OK | Alarm | Alarm
Overspeed | Not OK | Alarm | Alarm
OK | Not OK | Alarm | Alarm
Overspeed | Overspeed | Alarm | Alarm
Not OK | Not OK | Alarm | Alarm

The alert relays will behave per condition 1 of section 6.3.3.3.1 "Two-monitor Overspeed
Group, Dependent Voting."
Condition 2:
When any one of the two monitors is in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor’s Status | Overspeed Alarm Status: Active Monitor | Overspeed Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm
Not OK | Alarm | Alarm
Overspeed | Alarm | Alarm

The alert relays will behave per Condition 2 of section 6.3.3.3.1 "Two-monitor Overspeed
Group, Dependent Voting."
Condition 3:
When any one of the two monitors is physically removed from the rack, the remaining
monitor will behave as shown in Condition 2 of section 6.3.3.2.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitor will remain in the "No
Alarm" state.

6.3.3.3.4 Three-monitor, Dependent Voting with OR Channel Not OK
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the overspeed relays will behave as shown.

Monitor #1 Status | Monitor #2 Status | Monitor #3 Status | Overspeed Alarm Status #1 | Overspeed Alarm Status #2 | Overspeed Alarm Status #3
OK | OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | Overspeed | OK | Alarm | Alarm | Alarm
Overspeed | Overspeed | Not OK | Alarm | Alarm | Alarm
Overspeed | Not OK | OK | Alarm | Alarm | Alarm
Not OK | OK | OK | No Alarm | No Alarm | No Alarm
Not OK | Not OK | OK | Alarm | Alarm | Alarm
Not OK | Not OK | Overspeed | Alarm | Alarm | Alarm
Overspeed | Overspeed | Overspeed | Alarm | Alarm | Alarm
Not OK | Not OK | Not OK | Alarm | Alarm | Alarm

The alert relays will behave per Condition 1 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."

Condition 2:
When any one of the three monitors is in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor #1 Status | Active Monitor #2 Status | Overspeed Alarm Status: Active #1 | Overspeed Alarm Status: Active #2 | Overspeed Alarm Status: Bypassed Monitor
OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | OK | Alarm | Alarm | Alarm
Overspeed | Not OK | Alarm | Alarm | Alarm
OK | Not OK | Alarm | Alarm | Alarm
Overspeed | Overspeed | Alarm | Alarm | Alarm
Not OK | Not OK | Alarm | Alarm | Alarm

The alert relays will behave per condition 2 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."
Condition 3:
When any two of the three monitors are in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor’s Status | Overspeed Alarm Status: Active Monitor | Overspeed Alarm Status: Bypassed Monitor | Overspeed Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm | No Alarm
Overspeed | Alarm | Alarm | Alarm
Not OK | Alarm | Alarm | Alarm

The alert relays will behave per Condition 3 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."
Condition 4:
When any one of the three monitors is physically removed from the rack, the remaining
two monitors will behave as shown in Condition 1 of section 6.3.3.3.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitor will remain in the "No
Alarm" state.

Condition 5:
When any two of the three monitors are physically removed from the rack, the remaining
monitor will behave as shown in Condition 2 of section 6.3.3.3.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitors will remain in the "No
Alarm" state.

6.3.3.3.5 Two-monitor, Dependent Voting, Alarm if all group members are faulted
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the overspeed relays will behave as shown.

Monitor #1 Status | Monitor #2 Status | Overspeed Alarm Status #1 | Overspeed Alarm Status #2
OK | OK | No Alarm | No Alarm
Overspeed | OK | Alarm | Alarm
Overspeed | Not OK | Alarm | Alarm
OK | Not OK | No Alarm | No Alarm
Overspeed | Overspeed | Alarm | Alarm
Not OK | Not OK | Alarm | Alarm

The alert relays will behave per Condition 1 of section 6.3.3.3.1 "Two-monitor Overspeed
Group, Dependent Voting."
Condition 2:
When any one of the two monitors is in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor’s Status | Overspeed Alarm Status: Active Monitor | Overspeed Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm
Not OK | Alarm | Alarm
Overspeed | Alarm | Alarm

The alert relays will behave per Condition 2 of section 6.3.3.3.1 "Two-monitor Overspeed
Group, Dependent Voting."

Condition 3:
When any one of the two monitors is physically removed from the rack, the remaining
monitor will behave as shown in Condition 2 of section 6.3.3.2.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitor will remain in the "No
Alarm" state.

6.3.3.3.6 Three-monitor, Dependent Voting, Alarm if all group members are faulted
Condition 1:
With no monitors in a bypassed state, see figure 6.3.3.2.1-1, or physically removed from
the rack, the overspeed relays will behave as shown.

Monitor #1 Status | Monitor #2 Status | Monitor #3 Status | Overspeed Alarm Status #1 | Overspeed Alarm Status #2 | Overspeed Alarm Status #3
OK | OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | Overspeed | OK | Alarm | Alarm | Alarm
Overspeed | Overspeed | Not OK | Alarm | Alarm | Alarm
Overspeed | Not OK | OK | Alarm | Alarm | Alarm
Not OK | OK | OK | No Alarm | No Alarm | No Alarm
Not OK | Not OK | OK | No Alarm | No Alarm | No Alarm
Not OK | Not OK | Overspeed | Alarm | Alarm | Alarm
Overspeed | Overspeed | Overspeed | Alarm | Alarm | Alarm
Not OK | Not OK | Not OK | Alarm | Alarm | Alarm

The alert relays will behave per Condition 1 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."

Condition 2:
When any one of the three monitors is in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor #1 Status | Active Monitor #2 Status | Overspeed Alarm Status: Active #1 | Overspeed Alarm Status: Active #2 | Overspeed Alarm Status: Bypassed Monitor
OK | OK | No Alarm | No Alarm | No Alarm
Overspeed | OK | Alarm | Alarm | Alarm
Overspeed | Not OK | Alarm | Alarm | Alarm
OK | Not OK | No Alarm | No Alarm | No Alarm
Overspeed | Overspeed | Alarm | Alarm | Alarm
Not OK | Not OK | Alarm | Alarm | Alarm

The alert relays will behave per Condition 2 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."
Condition 3:
When any two of the three monitors are in a bypassed state, see figure 6.3.3.2.1-1, the
overspeed relays will behave as shown.

Active Monitor’s Status | Overspeed Alarm Status: Active Monitor | Overspeed Alarm Status: Bypassed Monitor | Overspeed Alarm Status: Bypassed Monitor
OK | No Alarm | No Alarm | No Alarm
Overspeed | Alarm | Alarm | Alarm
Not OK | Alarm | Alarm | Alarm

The alert relays will behave per Condition 3 of section 6.3.3.3.2 "Three-monitor Overspeed
Group, Dependent Voting."
Condition 4:
When any one of the three monitors is physically removed from the rack, the remaining
two monitors will behave as shown in Condition 1 of section 6.3.3.2.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitor will remain in the "No
Alarm" state.

Condition 5:
When any two of the three monitors are physically removed from the rack, the remaining
monitor will behave as shown in Condition 2 of section 6.3.3.2.3 "Two-monitor,
Independent Voting with OR Channel not OK." The removed monitors will remain in the "No
Alarm" state.
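
The overspeed-relay tables in sections 6.3.3.3.1 through 6.3.3.3.6 can be checked mechanically against one voting rule per configuration choice. The Python model below is an added example, not Bently Nevada code: the names (Status, Mode, group_alarm) and the one-letter row encoding are assumptions made for illustration, and physically removed monitors are not modeled because the manual refers those cases to the independent-voting tables.

```python
from enum import Enum


class Status(Enum):
    OK = "O"
    OVERSPEED = "S"   # shown as "Alarm" in the plain Dependent Voting tables
    NOT_OK = "N"
    BYPASSED = "B"


class Mode(Enum):
    BASIC = "Dependent Voting"
    OR_NOT_OK = "Dependent Voting with OR Channel Not OK"
    ALL_FAULTED = "Dependent Voting, Alarm if all group members are faulted"


def parse(row):
    """Turn a compact row such as 'SNO' or 'ONB' into a list of Status values."""
    return [Status(ch) for ch in row]


def group_alarm(statuses, mode):
    """Return True when the group's overspeed relays are in Alarm.

    In dependent voting every relay in the group, including a bypassed
    monitor's, shows the same state, so one boolean describes the group.
    """
    active = [s for s in statuses if s is not Status.BYPASSED]
    if not active:
        return False  # assumption: the tables do not cover an all-bypassed group
    overspeed = sum(s is Status.OVERSPEED for s in active)
    faulted = sum(s is Status.NOT_OK for s in active)
    if mode is Mode.OR_NOT_OK:
        # A Not OK monitor casts an alarm vote and stays in the voter count.
        voters, votes = len(active), overspeed + faulted
    else:
        # A Not OK monitor drops out of the vote.
        voters, votes = len(active) - faulted, overspeed
        if voters == 0:
            return mode is Mode.ALL_FAULTED
    needed = 2 if voters == 3 else 1   # 2oo3, degrading to 1oo2 and 1oo1
    return votes >= needed


# Active-monitor rows transcribed from the tables (constructed encoding).
T, F = True, False
ROWS = {
    3: ["OOO", "SOO", "SSO", "SSN", "SNO", "NOO", "NNO", "NNS", "SSS", "NNN"],
    2: ["OO", "SO", "SN", "ON", "SS", "NN"],
    1: ["O", "S", "N"],
}
EXPECTED = {  # True means "Alarm"
    Mode.BASIC:       {3: [F, F, T, T, T, F, F, T, T, F], 2: [F, T, T, F, T, F], 1: [F, T, F]},
    Mode.OR_NOT_OK:   {3: [F, F, T, T, T, F, T, T, T, T], 2: [F, T, T, T, T, T], 1: [F, T, T]},
    Mode.ALL_FAULTED: {3: [F, F, T, T, T, F, F, T, T, T], 2: [F, T, T, F, T, T], 1: [F, T, T]},
}
# Bypassed monitors appended to a row: two active monitors occur as a full
# two-monitor group or with one bypass; one active monitor occurs with one
# or two bypassed companions.
PADS = {3: [""], 2: ["", "B"], 1: ["B", "BB"]}


def mismatches():
    """Every (mode, row) where the rule disagrees with the transcribed tables."""
    bad = []
    for mode, by_size in EXPECTED.items():
        for size, expected in by_size.items():
            for row, want in zip(ROWS[size], expected):
                for pad in PADS[size]:
                    if group_alarm(parse(row + pad), mode) != want:
                        bad.append((mode.name, row + pad))
    return bad


def disagreements():
    """Rows on which the three configuration choices give different results."""
    out = []
    for size, rows in ROWS.items():
        for row in rows:
            full = row + PADS[size][-1]
            results = tuple(group_alarm(parse(full), m) for m in Mode)
            if len(set(results)) > 1:
                out.append((full, results))
    return out


if __name__ == "__main__":
    print("table mismatches:", mismatches())
    for row, (basic, or_not_ok, all_faulted) in disagreements():
        print(row, "basic:", basic, "OR Not OK:", or_not_ok, "all faulted:", all_faulted)
```

The rows returned by disagreements() are the ones worth reviewing when choosing a configuration: under plain Dependent Voting a group whose active monitors are all Not OK stays in "No Alarm", while the other two choices drive the relays to Alarm.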

6.3.3.4 LED Fault Conditions


The following table shows the LED output under fault conditions. An LED state of 1 Hz or
5 Hz refers to the LED flashing at a rate of 1 time per second or 5 times per second.

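Table columns: OK, TX/RX, BYPASS, TEST Mode, Scenario, Not OK Relay Driven, Action.

LED states shown: ON, Flashing
Scenario: Monitor is operating correctly.
Not OK Relay Driven: No
Action: No action required.

LED states shown: 1 Hz, 1 Hz, ON
Scenario: Monitor is not configured, is in Configuration Mode, or in Calibration Mode.
Not OK Relay Driven: Yes
Action: Reconfigure the Monitor or exit Configuration or Calibration Mode.

LED states shown: ON
Scenario: Some or all Alarming Disabled.
Action: No action required.

LED states shown: ON
Scenario: Overspeed Test Mode Invoked.
Action: No action required.

LED states shown: OFF, Flashing, OFF
Scenario: XDCR Fault (must be configured for Magnetic Pickup or have OK Limits disabled).
Not OK Relay Driven: Yes
Action: Check the System Event List and the Alarm Event List.

LED states shown: OFF, ON
Scenario: Overspeed Detection System Monitor Issue.
Not OK Relay Driven: Yes
Action: Check the System Event List,

LED states shown: 5 Hz
Scenario: Overspeed Detection System Issue.
Not OK Relay Driven: Yes
Action: Check the System Event List and the Alarm Event List.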

7. Periodic proof test
Bently Nevada recommends 1-year proof testing intervals for the ODS system. To remain
compliant with the SIL safety certification, proof testing must occur at least once every 3
years if all 4 relays are used in a safety-related application, and every 7 years if only
relay #1 is used in a safety-related application. Refer to figure 6 below for the PFD curve
for an overspeed protection system using only 1 safety relay versus all 4 safety relays.

Figure 7: probability of failure on demand for the ODS system


The proof test should verify the ODS hardware integrity. A detailed description of the
procedure and the requested test equipment can be found in the 3500/53 operation and
maintenance Manual (BN# 134939-01) section 6, maintenance.
If a channel fails in the overspeed protection system, the channel must be replaced or
repaired within 1 week. Continued operation with only 2 channels after one channel has
entered the bypass state is only acceptable for a period of 1 week maximum per SIL
certification.
After the proof test has been performed and the detected failures in the system have been
eliminated, the PFD is reset. Because the failure rates are constant over time, in the
next period of operation the probability of a failure of the safety function on demand
starts increasing again along the same PFD curve as seen in figure 6.


8. List of failure codes detected by the internal diagnostic system
A system module or monitor may place the following messages, which are listed in
numerical order, in the System Event List. If an event marked with a star (*) occurs the
monitor will stop alarming.

Message | Event | Classification | Module | Action / Description
Flash Memory Failure | 11 | Severe/Fatal Event | RIM/TDI, /91 /92, 4 chan, Temp, PV, Display | Replace the Monitor Module as soon as possible.
Real Time Clock Failure | 12 | Severe/Fatal Event | RIM/TDI |
EEPROM Memory Failure | 13 | Potential Problem or Severe/Fatal Event | Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed | Replace the Monitor Module as soon as possible.
Checksum Failure | 14 | Severe/Fatal Event | TMR Relay | The checksum of the alarm drive code has failed. The alarm drive code may be corrupted.
Serial EEPROM Failure | 15 | | |
Internal Network Failure | 30 | Severe/Fatal Event | RIM/TDI, /91 /92, Relay, Display | Replace the Transient Data Interface immediately.
Resync Internal Network | 31 | Potential Problem | RIM/TDI, TMR Relay | Check to see if one of the following components is faulty: the Transient Data Interface, the rack backplane.
Device Not Communicating | 32 | Potential Problem | RIM/TDI, Tach, Overspeed, Display | Determine whether one of the following components is faulty: the monitor module, the rack backplane.
Device Is Communicating | 33 | Potential Problem | RIM/TDI, Tach, Overspeed, Display | Determine whether one of the following components is faulty: the monitor module, the rack backplane.
* Neuron Failure | 34 | Severe/Fatal Event | 4 chan, Temp, PV, Tach, Overspeed | Replace the Monitor Module immediately. Monitor Module will stop transmitting alarm status.

Display Unit Not Communicating | 35 | Potential Problem | Display | The Display Unit connected to the Display Interface Module is no longer communicating.
Display Unit Communicating | 36 | Potential Problem | Display | The Display Unit connected to the Display Interface Module has returned from a non-communicating state.
Config Token Acquired | 50 | Typical Logged Event | RIM/TDI | No action required.
Config Token Released | 51 | Typical Logged Event | RIM/TDI | No action required.
Config Token Expired | 52 | Potential Problem | RIM/TDI | Check to see if one of the following components is faulty: the connection between the Transient Data Interface and the computer running the Rack Configuration Software; the Transient Data Interface; the computer running the Rack Configuration Software.
Config Token Override | 53 | Typical Logged Event | RIM/TDI | No action required.
Fail Relay Coil Sense | 55 | Potential Problem | RIM/TDI, Relay, TMR Relay, Overspeed | Replace I/O module
Pass Relay Coil Sense | 56 | Potential Problem | RIM/TDI, Relay, TMR Relay, Overspeed | Replace I/O module
I/O Module Mismatch | 60 | Potential Problem | RIM/TDI | Replace I/O module or reconfigure the monitor
Rack type Mismatch | 61 | Potential Problem | RIM/TDI | Reconfigure the monitor.
I/O Module Mismatch | 62 | Potential Problem | /91 /92, 4 chan, Temp, PV, Tach, Overspeed | The module's software configuration defining the type of I/O module does not match the physical I/O module found on the rear of the module
I/O Module Compatible | 63 | Severe/Fatal | 4 chan, Temp, PV, Tach, Overspeed | The Monitor's configuration defining the type of I/O module does now match the physical I/O module found on the rear of the Monitor.

Fail I/O Jumper Check | 64 | Severe/Fatal | 4 chan | The Monitor's configuration defining the type of I/O transducer input does not match the physical I/O module jumper configuration.
Pass I/O Jumper Check | 65 | Severe/Fatal Event | 4 chan | Verify that the type of I/O module installed matches what was selected in the software. If the correct I/O module is installed, there may be a fault with the Monitor Module or the
Fail Test Mode IOID | 66 | Potential Problem | | The module's software configuration defining the type of I/O module does not match the physical I/O module found on the rear of the module
Pass Test Mode IOID | 67 | Potential Problem | | The Monitor's configuration defining the type of I/O module now matches the physical I/O module found on the rear of the Monitor.
HW Rack Alm Inh Active (Hardware Rack Alarm Inhibit Active) | 70 | Typical Logged Event | RIM/TDI | No action required.
HW Rack Alm Inh Inactive (Hardware Rack Alarm Inhibit Inactive) | 71 | Typical Logged Event | RIM/TDI | No action required.
HW override of SW Inh (Hardware override of Software Inhibit) | 72 | Typical Logged Event | RIM/TDI | No action required.
HW Trip Multiply Active (Hardware Trip Multiply Active) | 73 | Typical Logged Event | RIM/TDI | No action required.
HW Trip Mult Inactive (Hardware Trip Multiply Inactive) | 74 | Typical Logged Event | RIM/TDI | No action required.
HW override of SW TM (Hardware override of Software Trip Multiply) | 75 | Typical Logged Event | RIM/TDI | No action required.
HW Rack Reset Active (Hardware Rack Reset Active) | 76 | Typical Logged Event | RIM/TDI | No action required.

HW Rack Reset Inactive (Hardware Rack Reset Inactive) | 77 | Typical Logged Event | RIM/TDI | No action required.
SW Rack Alm Inh Active (Software Rack Alarm Inhibit Active) | 78 | Typical Logged Event | RIM/TDI | No action required.
SW Rack Alm Inh Inactive (Software Rack Alarm Inhibit Inactive) | 79 | Typical Logged Event | RIM/TDI | No action required.
SW Trip Multiply Active (Software Trip Multiply Active) | 80 | Typical Logged Event | RIM/TDI | No action required.
SW Trip Mult Inactive (Software Trip Multiply Inactive) | 81 | Typical Logged Event | RIM/TDI | No action required.
SW Rack Reset (Software Rack Reset) | 82 | Typical Logged Event | RIM/TDI | No action required.
Rack Address Changed | 90 | Typical Logged Event | RIM/TDI | No action required.
Key Switch in Run Mode | 91 | Typical Logged Event | RIM/TDI | No action required.
Key Switch in Prgm Mode (Key Switch in Program Mode) | 92 | Typical Logged Event | RIM/TDI | No action required.
Fail Main Board +5V-A (Fail Main Board +5V - upper Power Supply) | 100 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, Temp, PV, Tach, Overspeed, Display | When events 100-146 are placed in the system event list, the specified device most likely has detected a problem with its power system. However, certain external rack power faults may also cause these events. The A indicates the top supply and the B indicates the bottom supply. AB indicates both top and bottom. Verify that noise from the power source is not causing the problem. If noise is not the cause of the problem, determine whether one of the following components is faulty: the Monitor Module, the Power Supply.

Pass Main Board +5V-A (Fail Main Board +5V - upper Power Supply) | 101 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | see Event 100
Fail Main Board +5V-B (Fail Main Board +5V - lower Power Supply) | 102 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | see Event 100
Pass Main Board +5V-B (Pass Main Board +5V - lower Power Supply) | 103 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | see Event 100
* Fail Main Board +5V-AB (Fail Main Board +5V - upper and lower Power Supplies) | 104 | Severe/Fatal Event | RIM/TDI, /91 /92, Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | see Event 100
Pass Main Board +5V-AB (Pass Main Board +5V - upper and lower Power Supplies) | 105 | Severe/Fatal Event | RIM/TDI, /91 /92, Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | see Event 100
Fail Main Board +15V-A (Fail Main Board +15V - upper Power Supply) | 106 | Potential Problem | RIM/TDI, /91 /92, 4 chan, Tach, Overspeed | see Event 100
Pass Main Board +15V-A (Pass Main Board +15V - upper Power Supply) | 107 | Potential Problem | RIM/TDI, /91 /92, 4 chan, Tach | see Event 100
Fail Main Board +15V-B (Fail Main Board +15V - lower Power Supply) | 108 | Potential Problem | RIM/TDI, /91 /92, 4 chan, Tach | see Event 100


Pass Main Board +15V-B (Pass Main Board +15V - lower Power Supply) | 109 | Potential Problem | RIM/TDI, /91 /92, 4 chan, Tach, Overspeed | see Event 100
* Fail Main Board +15V-AB (Fail Main Board +15V - upper and lower Power Supplies) | 110 | Severe/Fatal Event | RIM/TDI, /91 /92, 4 chan, Tach, Overspeed | see Event 100
Pass Main Board +15V-AB (Pass Main Board +15V - upper and lower Power Supplies) | 111 | Severe/Fatal Event | RIM/TDI, /91 /92, 4 chan, Tach, Overspeed | see Event 100
Fail Main Board -24V-A (Fail Main Board -24V - upper Power Supply) | 112 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Pass Main Board -24V-A (Pass Main Board -24V - upper Power Supply) | 113 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Fail Main Board -24V-B | 114 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Pass Main Board -24V-B | 115 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Fail Main Board -24V-AB | 116 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Pass Main Board -24V-AB | 117 | Potential Problem | RIM/TDI, Kph, 4 chan, Tach, Overspeed | see Event 100
Fail Main Board +5V-C | 118 | Severe/Fatal Event | TMR Relay | see Event 100
Pass Main Board +5V-C | 119 | Severe/Fatal Event | TMR Relay | see Event 100
Fail Main Board +5VA-A | 122 | Potential Problem | 4 chan, Temp, PV | see Event 100

Pass Main Board +5VA-A | 123 | Potential Problem | 4 chan, Temp, PV | see Event 100
Fail Main Board +5VA-B | 124 | Potential Problem | 4 chan, Temp, PV | see Event 100
Pass Main Board +5VA-B | 125 | Potential Problem | 4 chan, Temp, PV | see Event 100
Fail Main Board +5VA-AB | 126 | Severe/Fatal Event | 4 chan, Temp, PV, Tach, Overspeed | see Event 100
Pass Main Board +5VA-AB | 127 | Severe/Fatal Event | 4 chan, Temp, PV, Tach, Overspeed | see Event 100
Fail Main Board -5VA | 128 | Severe/Fatal Event | Temp, PV | see Event 100
Pass Main Board -5VA | 129 | Severe/Fatal Event | Temp, PV | see Event 100
Fail Main Board +VA-A | 130 | Potential Problem | Temp, PV | see Event 100
Pass Main Board +VA-A | 131 | Potential Problem | Temp, PV | see Event 100
Fail Main Board +VA-B | 132 | Potential Problem | Temp, PV | see Event 100
Pass Main Board +VA-B | 133 | Potential Problem | Temp, PV | see Event 100
Fail Main Board +VA-AB | 134 | Severe/Fatal Event | Temp, PV | see Event 100
Pass Main Board +VA-AB | 135 | Severe/Fatal Event | Temp, PV | see Event 100
Fail Main Board -VA-A | 136 | Potential Problem | Temp, PV | see Event 100
Pass Main Board -VA-A | 137 | Potential Problem | Temp, PV | see Event 100
Fail Main Board -VA-B | 138 | Potential Problem | Temp, PV | see Event 100
Pass Main Board -VA-B | 139 | Potential Problem | Temp, PV | see Event 100
Fail Main Board -VA-AB | 140 | Severe/Fatal Event | Temp, PV | see Event 100
Pass Main Board -VA-AB | 141 | Severe/Fatal Event | Temp, PV | see Event 100
Fail Main Board -15V-AB | 144 | Severe/Fatal Event | Tach, Overspeed | see Event 100
Pass Main Board -15V-AB | 145 | Severe/Fatal Event | Tach, Overspeed | see Event 100
Fail OK Limit Volt Check | 146 | Severe/Fatal Event | Tach, Overspeed | Verify that the transducer is properly gapped. If the gap is OK, check to see if one of the following components is faulty: transducer, tachometer I/O module, monitor module. Monitor Module will stop alarming

Pass OK Limit Volt Check | 147 | Severe/Fatal Event | Tach, Overspeed | Verify that the transducer is properly gapped. If the gap is OK, check to see if one of the following components is faulty: transducer, tachometer I/O module, monitor module.
Fail Transducer Power | 148 | Severe/Fatal Event | Tach, Overspeed | Verify that noise from the power source is not causing the problem. If the problem is not caused by noise, check to see if one of the following components is faulty: monitor module, power supply. Monitor module will stop alarming.
Pass Transducer Power | 149 | Severe/Fatal Event | Tach | Verify that noise from the power source is not causing the problem. If the problem is not caused by noise, check to see if one of the following components is faulty: monitor module, power supply.
Fail I/O Board +2.5V-AB | 150 | Severe/Fatal Event | Tach, Overspeed | see Event 148
Pass I/O Board +2.5V-AB | 151 | Severe/Fatal Event | Tach, Overspeed | see Event 149
Fail Main Board +17V-A | 152 | Potential Problem | Display |
Pass Main Board +17V-A | 153 | Potential Problem | Display |
Fail Main Board +17V-B | 154 | Potential Problem | Display |
Pass Main Board +17V-B | 155 | Potential Problem | Display |
Fail Main Board +12V | 156 | Severe/Fatal Event | Display |
Pass Main Board +12V | 157 | Severe/Fatal Event | Display |


Fail Main Board -24V-A or B | 158 | Potential Problem | Display |
Pass Main Board -24V-A or B | 159 | Potential Problem | Display |
Fail Main Board +3.3V | 162 | Severe/Fatal Event | Display |
Pass Main Board +3.3V | 163 | Severe/Fatal Event | Display |
Fail Main Board +2.5V | 164 | Severe/Fatal Event | Display |
Pass Main Board +2.5V | 165 | Severe/Fatal Event | Display |
Fail Ch 1 Transducer Pwr | 166 | | | Check Transducer wiring
Pass Ch 1 Transducer Pwr | 167 | | |
Fail Ch 2 Transducer Pwr | 168 | | |
Pass Ch 2 Transducer Pwr | 169 | | |
Fail Ch 3 Transducer Pwr | 170 | | |
Pass Ch 3 Transducer Pwr | 171 | | |
Fail Ch 4 Transducer Pwr | 172 | | |
Pass Ch 4 Transducer Pwr | 173 | | |
Fail 3.75V and 1.25V ref | 178 | Potential Problem | | see Event 100
Pass 3.75V and 1.25V ref | 179 | Potential Problem | | See Event 100
Fail VRL | 180 | Potential Problem | | See Event 100
Pass VRL | 181 | Potential Problem | | See Event 100
Fail VRL1 | 182 | Potential Problem | | See Event 100
Pass VRL1 | 183 | Potential Problem | | See Event 100
Fail VRL2 | 184 | Potential Problem | | See Event 100
Pass VRL2 | 185 | Potential Problem | | See Event 100
Fail 3.3, 5, 2.6, 1.8 | 186 | Potential Problem | | See Event 100


Pass 3.3, 5, 2.6, 1.8 | 187 | Potential Problem | | See Event 100
Fail 2.5V Transducer Pwr | 188 | Potential Problem | | See Event 100
Pass 2.5V Transducer Pwr | 189 | Potential Problem | | See Event 100
Fail VRH | 190 | Potential Problem | | See Event 100
Pass VRH | 191 | Potential Problem | | See Event 100
Fail VRH1 | 192 | Potential Problem | | See Event 100
Pass VRH1 | 193 | Potential Problem | | See Event 100
Fail VRH2 | 194 | Potential Problem | | See Event 100
Pass VRH2 | 195 | Potential Problem | | See Event 100
Fail +16V | 196 | Potential Problem | | See Event 100
Pass +16V | 197 | Potential Problem | | See Event 100
Fail VR | 198 | Potential Problem | | See Event 100
Pass VR | 199 | Potential Problem | | See Event 100
Fail VR1 | 200 | Potential Problem | | See Event 100
Pass VR1 | 201 | Potential Problem | | See Event 100
Fail VR2 | 202 | Potential Problem | | See Event 100
Pass VR3 | 203 | Potential Problem | | See Event 100
Fail VT | 204 | Potential Problem | | See Event 100
Pass VT | 205 | Potential Problem | | See Event 100
Fail +2.8V | 206 | Potential Problem | | See Event 100
Pass +2.8V | 207 | Potential Problem | | See Event 100
Fail -V Test | 208 | Potential Problem | | See Event 100
Pass -V Test | 209 | Potential Problem | | See Event 100
Fail +2.5V ref | 210 | Potential Problem | | See Event 100


Pass +2.5V ref | 211 | Potential Problem | | See Event 100
Fail +0.640V ref | 212 | Potential Problem | | See Event 100
Pass +0.640V ref | 213 | Potential Problem | | See Event 100
Device Configured | 300 | Typical Logged Event | RIM/TDI, Tach, Overspeed, Display | No action required.
* Configuration Failure | 301 | Severe/Fatal Event | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | Download a new configuration to the Monitor Module. If the problem persists, replace the Monitor Module immediately. Monitor Module will stop alarming.
* Configuration Failure | 301 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | The module detected that one of its configuration banks is faulted. Download a new configuration.
* Module Entered Cfg Mode (Module Entered Configuration Mode) | 302 | Typical Logged Event | RIM/TDI, Tach, Overspeed | No action required. Monitor Module will stop alarming.
Software Switches Reset | 305 | Potential Problem | RIM/TDI, /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display | Download the software switches to the Monitor Module. If the software switches are not correct, replace the Monitor Module as soon as possible.
Init Real Time Clock (Initialize Real Time Clock) | 306 | Potential Problem | RIM/TDI | Replace the Real-Time Clock component in the Transient Data Interface as soon as possible.
Internal Cal Reset (Internal Calibration Reset) | 307 | Severe/Fatal Event | | Replace Monitor Module immediately.
Monitor TMR PPL Failed (Monitor TMR Proportional Value Failed) | 310 | Potential Problem | RIM/TDI, 4 chan, Tach, Overspeed | Verify that the transducer is properly installed. If the transducer is properly installed, check to see if one of the following components is faulty: transducer, tachometer I/O module, monitor module.

Monitor TMR PPL Passed (Monitor TMR Proportional Value Passed) | 311 | Potential Problem | RIM/TDI, Tach, Overspeed | Verify that the transducer is properly installed. If the transducer is properly installed, check to see if one of the following components is faulty: transducer, tachometer I/O module, monitor module.
Fail Alarm Latch Leg-<x> (<x> = A, B, C, D) | 312 | Severe/Fatal Event | TMR Relay | Leg <x> of the SPI output alarm latch has failed. The data sent out the SPI alarm Leg <x> path does not agree with the data read in.
Pass Alarm Latch Leg-<x> (<x> = A, B, C, D) | 312 | Severe/Fatal Event | TMR Relay | Leg <x> of the SPI output alarm latch has recovered. The data sent out the SPI alarm Leg <x> path now agrees with the data read in.
Module Reboot | 320 | Typical Logged Event | RIM/TDI, Tach, Overspeed, Display | No action required.
* Module Removed from Rack | 325 | Typical Logged Event | RIM/TDI, Tach, Overspeed, Display | No action required. Monitor Module will stop alarming.
Module Inserted in Rack | 326 | Typical Logged Event | RIM/TDI, Tach, Overspeed, Display | No action required.
Supply OK/Installed | 330 | Potential Problem | RIM/TDI | Determine if a power supply has been installed. Verify that there is not a problem with the power source. If there are no problems with the power source, replace the power supply as soon as possible.
Supply Faulted/Removed | 331 | Potential Problem | RIM/TDI | Determine if a power supply has been removed. Verify that there is not a problem with the power source. If there are no problems with the power source, replace the power supply as soon as possible.

Rack/TDI Powered Down 340 RIM/TDI No action required.


Typical Logged
(Rack or Transient Data
Event
Interface Powered Down)

Rack/TDI Powered Up (Rack 341 RIM/TDI No action required.


Typical Logged
or Transient Data Interface
Event
Powered Up)

Typical Logged The carrier on the phone line was


Modem Reinitialized 350 RIM/TDI
Event dropped. Modem is rinitialized.

Device Events Lost 355 Typical Logged RIM/TDI, Tach No action required. This may be due
Event Overspeed to the removal of the Rack Interface
Module for an extended period of
time.

Module Alarms Lost 356 Typical Logged RIM/TDI, Tach No action required. This may be due
Event Overspeed to the removal of the Rack Interface
Module for an extended period of
time.

Typical Logged
Rack Time Changed 360 RIM/TDI No action required.
Event

* Module Entered Calibr. 365 RIM/TDI No action required.


Typical Logged
(Module Entered Calibration
Event Monitor Module will stop alarming.
Mode)

Module Exited Calibr. 366 RIM/TDI No action required.


Typical Logged
(Module Exited Calibration
Event
Mode)

Fail I/O Board +5V-AB 390 Potential Problem Relay, Overspeed When events 390 - 397 are placed in the system event list, the specified device most likely has detected a problem with its power system. However, certain external rack power faults may also cause these events. The A indicates the top supply and the B indicates the bottom supply. AB indicates both top and bottom.

Pass I/O Board +5V-AB 391 Potential Problem Relay, Overspeed see above

Fail I/O Board +14V-A 392 Potential Problem Relay, TMR Relay, Overspeed see above

Pass I/O Board +14V-A 393 Potential Problem Relay, TMR Relay, Overspeed see above

Fail I/O Board +14V-B 394 Potential Problem Relay, TMR Relay, Overspeed see above

Pass I/O Board +14V-B 395 Potential Problem Relay, TMR Relay, Overspeed see above

Fail I/O Board +14V-AB 396 Potential Problem Relay, Overspeed see above

Pass I/O Board +14V-AB 397 Potential Problem Relay, Overspeed see above

Fail I/O Module DIP Sw 398 Potential Problem Relay, Overspeed An error was detected when reading the DIP switches on the I/O module.

Pass I/O Module DIP Sw 399 Potential Problem Relay, Overspeed An error had been previously detected when reading the DIP switches on the I/O module and is now OK.

I/O Module Detect Fault 399 Severe/Fatal Event /91 /92 The Communication Gateway could not detect the type of I/O module or the Communication Gateway 92 detected an Ethernet I/O Module that could not pass an internal Ethernet loopback test.

Config Password Changed (Configuration Password Changed) 400 Typical Logged Event RIM/TDI No action required.

Connect Password Changed 401 Typical Logged Event No action required.

Incompatible Backplane 402 Potential Problem Change the configuration of the TDI to match that of the rack.

Loopback Test Failed 403 Potential Problem Replace the TDI module.

Management Test Failed 404 Potential Problem Replace the TDI module.

Pass Module Self-test 410 Typical Logged Event /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display No action required.

Management Password Changed 411 Typical Logged Event No action required.

* Enabled Ch Bypass (Enabled Channel Bypass; Event Specific: Ch x) 416 Typical Logged Event /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed No action required. This action inhibits alarming.

Disabled Ch Bypass (Disabled Channel Bypass; Event Specific: Ch x) 417 Typical Logged Event /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed No action required.

Enabled Threshold Adj 418 Typical Logged Event Kph, Tach, Overspeed The software threshold adjust module switch has been enabled on the Keyphasor module.

Disabled Threshold Adj 419 Typical Logged Event Kph, Tach, Overspeed The software threshold adjust module switch has been disabled on the Keyphasor module.

* Enabled Alert Bypass (Event Specific: Ch x) 420 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required. Alarming has been inhibited by this action.

Disabled Alert Bypass (Event Specific: Ch x) 421 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required.

* Enabled Danger Bypass (Event Specific: Ch x) 422 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required. Alarming has been inhibited by this action.

Disabled Danger Bypass (Event Specific: Ch x) 423 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required. The software danger bypass switch has been disabled.

Enabled Special Inh (Event Specific: Ch x) 424 Typical Logged Event 4 chan, Temp, PV, Overspeed No action required. The software special inhibit module switch has been enabled on the 4 channel monitor module.

Disabled Special Inh (Event Specific: Ch x) 425 Typical Logged Event 4 chan, Temp, PV, Overspeed No action required. The software special inhibit module switch has been disabled on the 4 channel monitor module.

* Enabled Mon Alarm Byp (Enabled Monitor Alarm Bypass) 426 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required. Monitor Module will stop alarming.

Disabled Mon Alarm Byp (Disabled Monitor Alarm Bypass) 427 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required.

Enabled Direct PPL 428 Typical Logged Event 4 chan The enabled direct PPL software channel switch has been enabled on the 4 channel monitor module (only applies to /45 monitor).

Disabled Direct PPL 429 Typical Logged Event 4 chan The enabled direct PPL software channel switch has been disabled on the 4 channel monitor module (only applies to /45 monitor).

Enabled CJ Verification 430 Typical Logged Event Temp The cold junction temperature verification dip switch has been enabled. This causes the bargraph, displayed by the rack configuration verification screen, to show the cold junction temperature.

Disabled CJ Verification 431 Typical Logged Event Temp The cold junction temperature verification dip switch has been disabled. This causes the bargraph, displayed by the rack configuration verification screen, to show the direct channel temperature.

Enabled SW Channel Reset (Event Specific: Ch x) 432 Typical Logged Event Overspeed No action required.

SW Peak Reset 433 Typical Logged Event Tach, Overspeed No action required.

Invalid Alm Drive Logic 451 Severe/Fatal Event Relay, TMR Relay The cyclic check to verify the alarm drive logic has detected an error.

* Fail Slot Id Test 461 Severe/Fatal Event /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display Verify that the Monitor Module is fully inserted in the rack. If the Monitor Module is installed correctly, determine whether one of the following components is faulty: the Monitor Module, the rack backplane. Monitor Module will stop alarming.

Pass Slot Id Test 462 Severe/Fatal Event /91 /92, Relay, TMR Relay, Kph, 4 chan, Temp, PV, Tach, Overspeed, Display Verify that the Monitor Module is fully inserted in the rack. If the Monitor Module is installed correctly, determine whether one of the following components is faulty: the Monitor Module, the rack backplane.

Fail Comm Id Mismatch 463 Potential Problem 4 chan, Temp, PV, Tach, Overspeed The module SCI communication address is inconsistent with the Slot Id. Verify that the Monitor Module is fully inserted in the rack. If the Monitor Module is installed correctly, check to see if one of the following components is faulty: Monitor Module, rack backplane. Monitor Module will stop alarming.

Pass Comm Id Mismatch 464 Potential Problem 4 chan, Temp, PV, Tach, Overspeed The module SCI communication address is now consistent with the Slot Id.

Fail DAC Test 471 Severe/Fatal Event Kph, Tach, Overspeed During a power up test the Digital to Analog converter test detected an error. The module should be replaced.

Pass DAC Test 472 Severe/Fatal Event Kph, Tach, Overspeed During a power up test the module had detected a failure in the Digital to Analog converter. The DAC has now returned to an OK state. The module should be replaced.

* Enabled Test Signal 481 Typical Logged Event Kph, 4 chan, Overspeed No action required. Monitor Module will stop alarming.

Disabled Test Signal 482 Typical Logged Event Kph, 4 chan, Overspeed No action required.

Switch To Primary Kph (Event Specific: Ch pair x) 491 Potential Problem 4 chan, Tach Determine whether one of the following is faulty: the secondary Keyphasor transducer on the machine, the Monitor Module.

Switch To Backup Kph (Event Specific: Ch pair x) 492 Potential Problem 4 chan, Tach Determine whether one of the following is faulty: the secondary Keyphasor transducer on the machine, the Monitor Module.

* Kph Lost (Event Specific: Ch pair x) 493 Potential Problem 4 chan Determine whether one of the following is faulty: both Keyphasor transducers on the machine, the Monitor Module, the Keyphasor Module. For vector and Keyphasor based alarms, the Monitor Module will stop alarming.

Sw To Paired Primary Kph 494 Potential Problem Kph The module switched to using its
Paired Primary Keyphasor input
signal source. This occurs upon
return to validity of what was
previously an invalid Primary input
signal.

Sw To Paired Backup Kph 495 Potential Problem Kph The module switched to using its
Paired Primary Keyphasor input
signal source. This occurs upon
return to validity of what was
previously an invalid Primary input
signal

Kph Backplane Conflict 496 Potential Problem Kph The module tested a configured
output Keyphasor signal channel for
drive contention, and found a
problem. This can occur upon power-
up or reboot for a Paired- or
Standard- configured Keyphasor
module, or at run-time for Paired
Keyphasor operation, prior to fully
driving the output. This can occur for
a number of reasons, including
invalidly configured modules,
incompatible use of multiple Paired
and Standard Keyphasor Modules in
a rack, incompatible use of Paired or
Standard Keyphasor Modules with a
Tachometer Module in the rack, or a
hardware failure of one or more
modules in the rack.

DSP Reset Attempted (Event Specific: Ch pair x) 501 Severe/Fatal Event 4 chan If the System Event List contains repeated instances of this message, then replace the Monitor Module immediately.

* DSP Self-test Failure (Event Specific: Ch pair x) 502 Severe/Fatal Event 4 chan Replace the Monitor Module immediately. Monitor Module will stop alarming.

DSP Failure (Event Specific: Ch pair x) 503 Severe/Fatal Event 4 chan The DSP for the indicated channel pair is not functioning properly.

Incompatible DSP 509 Severe/Fatal Event Overspeed This event normally occurs if certain
firmware files are not compatible
with the Rack Config files.

Setpoint Updated (Event Specific: Ch x) 511 Typical Logged Event 4 chan, Temp, PV, Tach, Overspeed No action required. A setpoint on the specified channel has been updated.

Group Setting Reset 521 Typical Logged Event 4 chan, Tach No action required. When a monitor is powered up and has nothing in its EEPROM, the group settings are reset to default.

Fail I/O Board +5V-A 540 Severe/Fatal Event TMR Relay The 5 volt Leg A supply has failed on the I/O module.

Pass I/O Board +5V-A 541 Severe/Fatal Event TMR Relay The 5 volt Leg A supply has recovered on the I/O module.

Fail I/O Board +5V-B 542 Severe/Fatal Event TMR Relay The 5 volt Leg B supply has failed on the I/O module.

Pass I/O Board +5V-B 543 Severe/Fatal Event TMR Relay The 5 volt Leg B supply has recovered on the I/O module.

Fail I/O Board +5V-C 544 Severe/Fatal Event TMR Relay The 5 volt Leg C supply has failed on the I/O module.

Pass I/O Board +5V-C 545 Severe/Fatal Event TMR Relay The 5 volt Leg C supply has recovered on the I/O module.

Fail I/O Board +14V-C 546 Severe/Fatal Event TMR Relay The 14 volt Leg A supply has failed on the I/O module.

Pass I/O Board +14V-C 547 Severe/Fatal Event TMR Relay The 14 volt Leg A supply has recovered on the I/O module.

I/O Module Inserted 549 Typical logged event

I/O Module Removed (Event Specific: Ch x) 550 Typical logged event 4 chan, Temp, PV, Tach, Overspeed The physical I/O module found on the rear of the monitor has been removed.

Probable Open Transducer (Event Specific: Ch x) 551 Severe/Fatal Temp, PV A possible open in the signal path between the transducer and processor has been detected. This open may be in the monitor module, I/O module, or in the wiring between the I/O module and the transducer. The condition has the highest degree of probability in the wiring between the I/O module and transducer, and the lowest probability in the monitor module.

Prob. Xdcr Wiring Fault (Event Specific: Ch x) 552 Severe/Fatal Temp, PV A possible short or open in the signal path between the transducer and processor has been detected. This fault may be in the monitor module, I/O module, or in the wiring between the I/O module and the transducer. The condition has the highest degree of probability in the wiring between the I/O module and transducer, and the lowest probability in the monitor module.

Xdcr OK 553

Fail I/O Board +15V-A 554 Potential Problem 4 chan When events 554-559 are placed in the system event list, the specified device most likely has detected a problem with its power system. However, certain external rack power faults may also cause these events. The A indicates the top supply and the B indicates the bottom supply. AB indicates both top and bottom.

Pass I/O Board +15V-A 555 Potential Problem 4 chan See Event 554.

Fail I/O Board +15V-B 556 Potential Problem 4 chan See Event 554.

Pass I/O Board +15V-B 557 Potential Problem 4 chan See Event 554.

Fail I/O Board +15V-AB 558 Severe/Fatal Event 4 chan See Event 554.

Pass I/O Board +15V-AB 559 Severe/Fatal Event 4 chan See Event 554.

IO Calibration Failure 560 Severe/Fatal Temp, PV The module was unable to store its IO
Calibration data in either bank of
nonvolatile memory. The module may
also place the event in the event list
when both banks fail during a cyclic
test.

IO Calibration Failure 560 Potential Problem Temp, PV The module detected that one of its nonvolatile banks is faulted.

ADC Calibration Failure 561 Severe/Fatal Temp, PV The module was unable to store its
ADC Calibration data in either bank
of nonvolatile memory. The module
may also place the event in the event
list when both banks fail during a
cyclic test.

ADC Calibration Failure 561 Potential Problem Temp, PV The module detected that one of its nonvolatile banks is faulted.

ADC Failure 562 Severe/Fatal Temp, PV The ADC for the temperature monitor is not functioning properly.

Fail CJC Temperature 563 Severe/Fatal Temp The monitor is unable to process the TC Transducer data.

Pass CJC Temperature 564 Potential Problem Temp The monitor is now able to process the TC Transducer data.

Fail Rack Ambient Temp 565 Severe/Fatal Temp The rack is exceeding its operational temperature range.

Pass Rack Ambient Temp 566 Potential Problem Temp The rack is within its operational temperature range.

Fail ADC Reading 567

Pass ADC Reading 568

* Enabled User Test Mode (Event Specific: Ch x) 570 Typical Logged Event Overspeed No action required.

Enabled HW Chan Reset (Event Specific: Ch x) 571 Typical Logged Event Overspeed No action required.

Disabled HW Chan Reset (Event Specific: Ch x) 572 Typical Logged Event Overspeed No action required.

Fail Test Signal Verify 573 Potential Problem Overspeed Replace Monitor module as soon as possible.

Peak Hold Speed Cleared (Event Specific: Ch x) 574 Typical Logged Event Overspeed No action required.

Inter-Module Comm Fault 575 Potential Problem Overspeed Verify that all modules in the OPS
group are properly installed. If the
Monitor Modules are installed
correctly, check to see if one of the
following components is faulty:
monitor module, rack backplane.

Inter-Module Comm OK 576 Potential Problem Overspeed Verify that all modules in the OPS group are properly installed. If the Monitor Modules are installed correctly, check to see if one of the following components is faulty: monitor module, rack backplane.

OPS In Wrong Slot 577 Severe/Fatal Event Overspeed Verify that the Monitor Module is fully
inserted in the rack. If the Monitor
Module is installed correctly, check to
see if one of the following
components is faulty: monitor
module, rack backplane.

Fail Channel Pair Check 578 Potential Problem Tach Verify both channels are configured
as a Zero Speed monitor type. If not,
download a new configuration to the
Monitor Module. If the problem still
exists, replace the Monitor Module
immediately.

Monitor module will stop alarming.

Pass Channel Pair Check 579 Potential Problem Tach Verify both channels are configured
as a Zero Speed monitor type. If not,
download a new configuration to the
Monitor Module. If the problem still
exists, replace the Monitor Module
immediately.

Enabled HW Peak Reset (Event Specific: Ch x) 580 Typical Logged Event Tach No action required.

Disabled HW Peak Reset (Event Specific: Ch x) 581 Typical Logged Event Tach No action required.

Enabled Zero Spd Alarm 582 Typical Logged Event Tach No action required.

Disabled Zero Spd Alarm 583 Typical Logged Event Tach No action required. Alarming will be inhibited by this action.

Supply Cond Kph Enabled (Event Specific: Ch x) 584 Typical Logged Event Tach No action required.

Supply Cond Kph Disabled (Event Specific: Ch x) 585 Typical Logged Event No action required.

Disabled User Test Mode (Event Specific: Ch x) 586 Typical Logged Event Overspeed No action required.

XDCR Signal Too Slow 590 Potential Problem Tach, Overspeed This may be due to a machine stopped condition. Verify that the transducer is functioning properly.

XDCR Signal Too Fast 591 Potential Problem Tach, Overspeed This may be due to an input frequency above 20 kHz. Verify that the transducer is functioning properly.

XDCR Fifty Percent Error 592 Potential Problem Tach, Overspeed Verify that the transducer is functioning properly.

RPM Reading Too Low 593 Potential Problem Tach, Overspeed This may be due to a machine
stopped condition. Verify that the
transducer is functioning properly.

RPM Reading Too High 594 Potential Problem Tach, Overspeed This may be due to a speed input
above the configured full-scale range
for the monitor. Verify that the
transducer is functioning properly.

Accel Reading Too Low 595 Potential Problem Tach This may be due to an acceleration
input below the configured full-scale
range for the monitor. Verify that the
transducer is functioning properly.

Accel Reading Too High 596 Potential Problem Tach This may be due to an acceleration
input above the configured full-scale
range for the monitor. Verify that the
transducer is functioning properly.

XDCR Signal Now Valid 597 Typical Logged Event Tach, Overspeed No action required.

Pass Direction Check 598 Typical Logged Event Tach No action required.

Fail Direction Check 599 Potential Problem Tach This is an indication that the status of
one or both of the transducers
required for direction detection
cannot be reliably determined. This
may be an indication of configuration,
transducer, transducer mounting,
signal path, I/O, or monitor problems.

Carrier HW Mismatch 610

Enter Group Trip Multiply Event, TDI ONLY 641 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group trip multiply command to enter trip multiply.

Enter Group RAI Event, TDI ONLY 642 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group rack alarm inhibit command to enter rack alarm inhibit.

Enter Group Reset Event, TDI ONLY 643 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group reset command to enter group reset.

Enter Group SAI Event, TDI ONLY 644 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group special alarm inhibit command to enter special alarm inhibit.

Left Group Trip Multiply Event, TDI ONLY 645 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group trip multiply command to leave trip multiply.

Left Group RAI Event, TDI ONLY 646 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group rack alarm inhibit command to leave rack alarm inhibit.

Left Group Reset Event, TDI ONLY 647 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group reset command to leave group reset.

Left Group Reset Event, TDI ONLY 648 Typical Logged Event RIM/TDI This event is placed in the system list when a /91 gateway initiates a group special alarm inhibit command to leave special alarm inhibit.

Command Exchange Timeout 649 Typical Logged Event /91 /92 No action required.

Group Commands Cleared 650 Typical Logged Event /91 /92 No action required.

Fail PCM node volt. adc 660 Potential Problem See Event 100

Pass PCM node volt. adc 661 Potential Problem See Event 100

Display Comm Failure 662 Potential Problem ENCORE The display may no longer reflect system state. Reboot monitor.

9. Hardware fault tolerance and classification type

Hardware fault tolerance (HFT) is the maximum number of hardware faults which will not lead to a dangerous failure. For example, a hardware fault tolerance of one means that no single fault can cause loss of the safety function. Since the overspeed detection system is configured as a 2 out of 3 voting system, the hardware fault tolerance of the overspeed protection system is 1.

The overspeed detection system (ODS) is defined as type B classification. This means that the failure mode of at least one constituent component of the ODS is not well defined, or the behavior of the element under fault conditions cannot be completely determined, or there is insufficient dependable failure data to support claims for rates of failure for detected and undetected dangerous failures.

The safe failure fraction (SFF) of the overspeed protection system is in the 90% ≤ SFF < 99% band. With the SFF, HFT and classification type of the overspeed protection system, the SIL can be determined from Table 3 of IEC 61508-2. Table 3 from IEC 61508-2 has been included below for reference.

Safe Failure Fraction    Hardware fault tolerance
                         0              1       2
< 60%                    Not Allowed    SIL1    SIL2
60% ≤ SFF < 90%          SIL1           SIL2    SIL3
90% ≤ SFF < 99%          SIL2           SIL3    SIL4
≥ 99%                    SIL3           SIL4    SIL4

Table 1: Maximum allowable safety integrity level for type B safety-related elements
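
The reasoning in this section, as an added example that is not part of the manual: it enumerates dangerous channel faults to confirm that a 2-out-of-3 voter tolerates exactly one, then reads the architectural SIL ceiling from the type B table above. The function names, the stuck-at-"no trip" fault model and the sample SFF of 0.95 (a constructed value inside the stated band) are assumptions.

```python
from itertools import combinations

# Type B rows of the table reproduced above:
# (exclusive upper SFF bound, maximum SIL for HFT 0, 1, 2). None = "Not Allowed".
TYPE_B_TABLE = [
    (0.60, (None, 1, 2)),        # SFF < 60%
    (0.90, (1, 2, 3)),           # 60% <= SFF < 90%
    (0.99, (2, 3, 4)),           # 90% <= SFF < 99%
    (float("inf"), (3, 4, 4)),   # SFF >= 99%
]


def voter_trips(votes, m):
    """An M-out-of-N voter trips when at least m channels vote to trip."""
    return sum(votes) >= m


def defeating_fault_sets(m, n, k):
    """All sets of k failed channels that stop an MooN voter tripping on a real demand.

    Assumed fault model: a dangerous fault leaves a channel stuck at 'no trip',
    while every healthy channel votes to trip.
    """
    defeating = []
    for failed in combinations(range(n), k):
        votes = [ch not in failed for ch in range(n)]
        if not voter_trips(votes, m):
            defeating.append(failed)
    return defeating


def hardware_fault_tolerance(m, n):
    """Largest k such that no set of k dangerous faults defeats the voter."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    tolerated = 0
    for k in range(1, n + 1):
        if defeating_fault_sets(m, n, k):
            break
        tolerated = k
    return tolerated


def max_sil_type_b(sff, hft):
    """Maximum allowable SIL for a type B element, or None if not allowed."""
    if not 0.0 <= sff <= 1.0:
        raise ValueError("sff must be a fraction between 0 and 1")
    if hft not in (0, 1, 2):
        raise ValueError("the table only covers HFT 0, 1 and 2")
    for upper, sils in TYPE_B_TABLE:
        if sff < upper:
            return sils[hft]


if __name__ == "__main__":
    hft = hardware_fault_tolerance(2, 3)          # the 2 out of 3 voting described above
    print("2oo3 HFT:", hft)
    print("single faults that defeat 2oo3:", defeating_fault_sets(2, 3, 1))
    print("double faults that defeat 2oo3:", defeating_fault_sets(2, 3, 2))
    sample_sff = 0.95                             # constructed value in the 90%-99% band
    print("architectural SIL ceiling:", max_sil_type_b(sample_sff, hft))
```

The enumeration also shows why any event in the list above that takes a second channel out of service matters: every pair of failed channels defeats a 2-out-of-3 voter.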
