Issue 5 - September 2006
Page 25 of 65
It is recommended that this flag be used to instigate an orderly shutdown of the remaining part
of the process.
3.5.14 MPP A, MPP B, MPP C
When an external TMR watchdog circuit is used to provide additional defence against common
cause failure, these error flags are used to control the pulsing of the watchdog. The watchdog
drive ladder network should be placed at the end of the networks.
3.5.15 Power Supply Failures
Each system chassis tolerates the loss of a single system power supply. The power fail alarm
contacts on each system power supply should be available to be read by a digital input to allow
the system power supply diagnostics to be reported.
When two external power feeds are supplied to the system cabinets, the system power
distribution must be designed to tolerate the loss of one of these feeds.
3.6 Application Software, Design, Verification and Validation
TriBuild provides a number of tools and facilities to aid safe application programming. A
comprehensive 'help' facility is provided with TriBuild and this is supplemented by the Software
Reference Manual 008-5206. There are also a small number of functions available with
Triguard that must not be used for safety applications.
3.6.1 Non Safety Functions
The following function calls must not be used in Emergency Shutdown Safety Applications:
- GOTO
- PAUS
Only the TUV approved library elements (marked with an * ) should be used for safety functions.
3.6.2 Modularity and Version Control
The TriBuild Ladder Network Editor is a page by page editor allowing function and sub-function
to be structured on a page by page basis. This facility should be used to provide structure to the
application programme.
When modifying a ladder design, version control must be maintained, and the systems designer
must fully document changes.
3.6.3 Discretes and Register Validation
Using the facilities within the TriBuild Network Editor a Cross-reference list must be produced.
This list must be used to ensure that no double usage of discretes or registers has occurred.
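The checks in 3.6.1 and 3.6.3 can be automated once the cross-reference list is available as text. The following is an added example, not part of the manual or of TriBuild: the CSV columns, the addresses and the audit_xref function are hypothetical, and "double usage" is assumed here to mean a discrete or register written from more than one network.

```python
import csv
import io
from collections import defaultdict

# Function calls that section 3.6.1 bans from Emergency Shutdown Safety Applications.
BANNED_CALLS = {"GOTO", "PAUS"}

# Constructed sample. The column layout and addresses are hypothetical and do
# not reproduce the TriBuild cross-reference format.
SAMPLE_XREF = """\
page,network,element,address,access
1,1,CONTACT,D0100,read
1,1,COIL,D0200,write
2,3,COIL,D0200,write
2,4,MOVE,R0010,write
3,1,CONTACT,D0200,read
3,2,GOTO,,
4,1,MOVE,R0010,write
4,2,COIL,D0300,write
"""

def audit_xref(text):
    """Return (double_usage, banned) for a cross-reference export.

    double_usage: {address: [(page, network), ...]} for every address that is
                  written from more than one place (assumed meaning of
                  "double usage").
    banned:       [(page, network, element), ...] for each banned call found.
    """
    writers = defaultdict(list)
    banned = []
    for row in csv.DictReader(io.StringIO(text)):
        element = row["element"].strip().upper()
        location = (int(row["page"]), int(row["network"]))
        if element in BANNED_CALLS:
            banned.append(location + (element,))
        address = row["address"].strip().upper()
        if address and row["access"].strip().lower() == "write":
            writers[address].append(location)
    double_usage = {a: locs for a, locs in writers.items() if len(locs) > 1}
    return double_usage, banned

if __name__ == "__main__":
    doubles, banned = audit_xref(SAMPLE_XREF)
    for address, locs in sorted(doubles.items()):
        print(f"double usage: {address} written at (page, network) {locs}")
    for page, network, element in banned:
        print(f"banned call: {element} at page {page}, network {network}")
```

Reads are deliberately not counted: a discrete read on several pages is normal, while one written from two networks is what the review needs to see.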
3.6.4 Power-Up Initialisation
The application logic must be designed so that on power up all outputs are set to the 'off' safe state.
As part of the Triguard Release 3 program a new feature has been added to RTTS (8.30-008
and later versions) that permits a Triguard system to resume application logic execution
automatically after power is restored to the main processors.
For main processor configuration details refer to revision 6 of the Triguard SC300E MPP Module
User Manual. Switch settings allow the auto-restart function to be enabled, assuming battery-
backed memory is being used to store both application logic and I/O status.