Issue 5 - September 2006 Page 25 of 65

It is recommended that this flag be used to instigate an orderly shutdown of the remaining part of the process.

3.5.14 MPP A, MPP B, MPP C

When an external TMR watchdog circuit is used to provide additional defence against common cause failure, these error flags are used to control the pulsing of the watchdog. The watchdog drive ladder network should be placed at the end of the networks.

3.5.15 Power Supply Failures

Each system chassis tolerates the loss of a single system power supply. The power fail alarm contacts on each system power supply should be available to be read by a digital input to allow the system power supply diagnostics to be reported.

When two external power feeds are supplied to the system cabinets, the system power distribution must be designed to tolerate the loss of one of these feeds.

3.6 Application Software, Design, Verification and Validation

TriBuild provides a number of tools and facilities to aid safe application programming. A comprehensive 'help' facility is provided with TriBuild and this is supplemented by the Software Reference Manual 008-5206. There are also a small number of functions available with Triguard that must not be used for safety applications.

3.6.1 Non Safety Functions

The following function calls must not be used in Emergency Shutdown Safety Applications:
- GOTO
- PAUS

Only the TUV approved library elements (marked with an *) should be used for safety functions.

3.6.2 Modularity and Version Control

The TriBuild Ladder Network Editor is a page by page editor allowing function and sub-function to be structured on a page by page basis. This facility should be used to provide structure to the application programme.

When modifying a ladder design, version control must be maintained, and the systems designer must fully document changes.

3.6.3 Discretes and Register Validation

Using the facilities within the TriBuild Network Editor, a cross-reference list must be produced. This list must be used to ensure that no double usage of discretes or registers has occurred.

3.6.4 Power-Up Initialisation

The application logic must be designed so that on power up all outputs are set to the 'off' safe state.

As part of the Triguard Release 3 program a new feature has been added to RTTS (8.30-008 and later versions) that permits a Triguard system to resume application logic execution automatically after power is restored to the main processors.

For main processor configuration details refer to revision 6 of the Triguard SC300E MPP Module User Manual. Switch settings allow the auto-restart function to be enabled, assuming battery-backed memory is being used to store both application logic and I/O status.
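The checks in 3.6.1 (no GOTO or PAUS, only TUV approved library elements marked with *) and 3.6.3 (no double usage of discretes or registers) can be mechanised over an exported cross-reference listing. The following is an added illustration, not code from the manual or from TriBuild: the listing line format, the sample listing and the reading of "double usage" as a point written from more than one network are all assumptions made here.

```python
import re
from collections import defaultdict

# Function calls the manual forbids in emergency shutdown safety applications (3.6.1).
BANNED_FUNCTIONS = {"GOTO", "PAUS"}

# Constructed sample cross-reference listing. The "PAGE n NET n OP TARGET" format is
# hypothetical, not TriBuild's real export. Library elements carry a trailing '*'
# when TUV approved, mirroring the manual's marking convention.
SAMPLE_LISTING = """\
PAGE 1 NET 1 READ  DI0101
PAGE 1 NET 1 WRITE DO0201
PAGE 1 NET 2 CALL  TON*
PAGE 2 NET 3 CALL  GOTO
PAGE 2 NET 4 WRITE R0010
PAGE 3 NET 7 WRITE DO0201
PAGE 3 NET 8 CALL  MAVG
"""

LINE_RE = re.compile(r"^PAGE\s+(\d+)\s+NET\s+(\d+)\s+(READ|WRITE|CALL)\s+(\S+)$")


def check_listing(listing):
    """Return a sorted list of findings for a cross-reference listing.

    Flags banned function calls, library calls lacking the TUV '*' mark, and
    discretes/registers written from more than one network (double usage).
    """
    findings = []
    writers = defaultdict(list)  # point name -> ["page p net n", ...]
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparsable line: {line!r}")
            continue
        page, net, op, target = m.groups()
        where = f"page {page} net {net}"
        if op == "CALL":
            if target in BANNED_FUNCTIONS:
                findings.append(f"{where}: banned function {target}")
            elif not target.endswith("*"):
                findings.append(f"{where}: library element {target} is not TUV approved")
        elif op == "WRITE":
            writers[target].append(where)
    for point, locs in writers.items():
        if len(locs) > 1:
            findings.append(f"{point}: written from {len(locs)} networks ({', '.join(locs)})")
    return sorted(findings)
```

Run against the sample listing it reports the GOTO call, the unmarked MAVG element and DO0201 being driven from two networks; a clean listing returns an empty list.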