• the relay is de-energized to indicate an alarm.
• The use of the VM function danger bypass is not allowed.
• The use of the VM function trip multiply is not allowed.
• The alarm must be defined as ‘latching’.
3.2 Valid Safety Configurations
The VM600 machinery protection system (MPS) can be configured in many different
arrangements. These configurations are described in more detail in the hardware manual
(see 1.5 - Applicable Documents). For example, the VM600 can be used to protect rotating
machines in a safety related system.
Monitored Signal                              Valid for SRS  Reference in HW Manual
Broad-Band Absolute Bearing Vibration         Yes            Section 7.1
Tracking                                      No             Section 7.2
Relative Shaft Vibration with Gap Monitoring  Yes            Section 7.3
Absolute Shaft Vibration                      Yes            Section 7.4
Shaft Position                                Yes            Section 7.5
Table 3-1 : Overview of valid safety configurations
Safety Inputs and Outputs
Signal                         Comments                               Reference in HW Manual
MPC4 CH1-CH4 (inputs)          Ensure cabling follows the guidelines  Table 9-1 part 1
MPC4 relay contacts (outputs)                                         Table 9-1 part 2
Safety Function
With reference to IEC 61508 the safety function for the system is defined below.

SF Number  Description                     Safe State                       Required Safety Parameters
SF1        If an input value (or values)   De-energize to trip (open relay  See table below
           exceed(s) a predefined limit,   contact).
           then a trip activation signal   That is, the EUC and the VM600
           is made.                        interpret a de-energized state
                                           as a safe state.

For the required safety function SF1, the following safety parameters (SP) are required in
accordance with IEC 61508.

SP Number  Safety Parameter             Requirement             Comment
SP1        Safety integrity level       SIL 1

SP2        Operational mode             Low demand mode

SP3a       Component type sensor        Type B

           Component type logic         Type B
           (measuring logic)

           Component type actuator      Type A
           (relay)

SP4        Hardware fault tolerance     0                       Single channel architecture of an
           (HFT)                                                already existing proven-in-use
                                                                system should be used for SIL 1
                                                                application without any changes

SP5        Probability of failure on    ≥ 10^-2 to 10^-1        PFD by proof test years FMEDA
           demand (PFD)                                         0.5     1.0     2.0     5.0
                                                                5.5e-3  1.1e-3  2.2e-2  5.0e-2

SP6        Safe failure fraction (SFF)  < 60% for SIL 1 and
           for Type A subsystem         HFT 0

           Safe failure fraction (SFF)  60% to < 90% for SIL 1
           for Type B subsystem         and HFT 0

In practice, the output relay or relays are normally the ‘input’ to a safety related PLC that takes
this input together with other safety related signals.
3.5 ISO 13849-1 Performance Level
The table below shows the breakdown of performance level (PL) by diagnostic coverage and
mean time to dangerous failure (MTTFd).
Safety Time
After the defined safety level threshold has been exceeded, the VM600 system will open the
associated safety relay within 100 ms.
3.7 Protection of Relay Contacts
In a safety system it is important to protect against a relay contact becoming welded due to
excessive current being inadvertently passed. Therefore, the outputs must be protected by a
5A(T) fuse
Installation
The system shall be installed following the procedures described in the MPS Hardware
Manual (Standard Version) MAMPS-HW/E (see 1.5 - Applicable Documents). Environmental
restrictions are described in Appendix A of the manual.
3.9 Configuring the System
It is important that the levels (vibration and so on) are adjusted to suit the system under
protection and that a manual verification is made of the parameters that are uploaded to the
system (MPC4 card).
Note that the procedures described should only be performed by competent and authorized
personnel following the plant specific guidelines in force at the installation site.
3.9.1 Define the levels
The choice of alarm levels must be made in consultation with the site manager. It is the end
user’s responsibility to ensure that the alarm levels are appropriate for the particular system
being protected.
The levels are defined using the MPS1 software (supplied) or the MPS2 software (optional).
Please refer to the appropriate documentation for complete information.
3.9.2 Define the alarm outputs
Any relay on the MPC4 or RLC16 cards can be configured to provide the safety function. As
previously noted, the alarms must be:
• configured as ‘latching’
• de-energized to ‘trip’.
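The alarm-output rules above, together with the ban on danger bypass and trip multiply and the signal types marked valid in Table 3-1, can be checked mechanically before upload. The following Python check is an added example, not part of the manual or the MPS software; the dictionary layout and field names are hypothetical, and the sample configuration is constructed.

```python
# Added example: the dict layout and field names are hypothetical; the real
# MPS1/MPS2 configuration format is not shown on this page.
VALID_FOR_SRS = {  # signals marked "Yes" in Table 3-1
    "Broad-Band Absolute Bearing Vibration", "Absolute Shaft Vibration",
    "Relative Shaft Vibration with Gap Monitoring", "Shaft Position",
}
SAFETY_RELAY_CARDS = {"MPC4", "RLC16"}  # section 3.9.2

def check_safety_config(cfg):
    """Return findings for every relay assigned to the safety function."""
    channels = {ch["name"]: ch for ch in cfg["channels"]}
    findings = []
    for relay in cfg["safety_relays"]:
        tag = f"{relay['card']}/{relay['name']}"
        if relay["card"] not in SAFETY_RELAY_CARDS:
            findings.append(f"{tag}: card is not an MPC4 or RLC16")
        # Fail closed: a missing or non-boolean flag counts as a violation.
        if relay.get("latching") is not True:
            findings.append(f"{tag}: alarm is not latching")
        if relay.get("normally_energized") is not True:
            findings.append(f"{tag}: relay is not de-energized to trip")
        for name in relay["sources"]:
            ch = channels.get(name)
            if ch is None:
                findings.append(f"{tag}: source {name} is not defined")
                continue
            if ch["signal"] not in VALID_FOR_SRS:
                findings.append(f"{tag}: {name} signal '{ch['signal']}' is not valid for SRS")
            if ch.get("danger_bypass") is not False:
                findings.append(f"{tag}: {name} danger bypass is not disabled")
            if ch.get("trip_multiply") is not False:
                findings.append(f"{tag}: {name} trip multiply is not disabled")
    return findings

# Constructed sample: RL1 is compliant, RL2 breaks three rules.
SAMPLE = {
    "channels": [
        {"name": "CH1", "signal": "Broad-Band Absolute Bearing Vibration",
         "danger_bypass": False, "trip_multiply": False},
        {"name": "CH2", "signal": "Tracking",
         "danger_bypass": False, "trip_multiply": True},
    ],
    "safety_relays": [
        {"card": "MPC4", "name": "RL1", "latching": True,
         "normally_energized": True, "sources": ["CH1"]},
        {"card": "MPC4", "name": "RL2", "latching": False,
         "normally_energized": True, "sources": ["CH2"]},
    ],
}
```

An empty list from `check_safety_config` means none of these rules is violated; it does not replace the manual verification required in section 3.9.4.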
3.9.3 Upload the levels and configuration
Once the system parameters have been correctly defined using the MPS software, the
configuration for each MPC4 card must be uploaded to the card. This procedure is described
in the MPS1 Software Manual MAMPS1-SW/E (see 1.5 - Applicable Documents).
3.9.4 Configuration verification
Whilst the actual upload of data is controlled by CRC verification and other techniques, in
order to fulfil the IEC 61508 requirements a manual verification of this upload is required. The
verification is made by downloading the configuration from the MPC4 card to the computer