Issue 5 - September 2006 Page 26 of 65

If this feature is employed then system designers must ensure that the system's I/O configuration and application logic are structured such that neither operators nor plant are presented with a dangerous condition upon restoration of system power after a power outage.

3.6.5 Application Logic Verification

A peer-to-peer application logic code walkthrough should be completed prior to Test.

3.6.6 Application Logic Validation

Prior to the Acceptance Test the application logic should be fully functionally tested on the target system.

Particular care should be taken in the testing of the application logic if the system auto-restart feature is used.

3.6.7 Start-up Overrides

If the application requires certain safety permits to be overridden during the process start-up, the override logic must automatically time out within the process safety time related to the start-up sequences.

Start-up overrides may only be enabled via keyswitch or password operator protection.

3.6.8 System Acceptance Test

The System Acceptance Test should at minimum cover mechanical inspection, electrical testing (isolation and earth bonding / continuity) and functional testing.

The System Acceptance Test harness should be configured to simulate the site functional conditions as closely as possible.

All Triguard SC300E input and output modules must have their 3-2-0 configuration checked and logged prior to the start of the Factory Acceptance Test (FAT).

In addition to a 100% Cause and Effect Validation (full Functional Test), the FAT should include as much random testing as is practical, as well as tests to confirm both fault tolerance and maintainability.

Particular care should be taken in the testing of the application logic if the system auto-restart feature is used.

3.6.9 Application Software Documentation

The TriBuild Software Development Tools provide version control, and it is mandatory that the application software developer documents the networks thoroughly and provides traceability of changes by adding the appropriate change description.

Typical well-documented networks are given in Appendix 1.

3.6.10 Application Logic Driven External Triplicated Watchdog Timer

The application logic used to drive the external triplicated watchdog timer is used to confirm that the application logic is operating correctly and the outputs are being written to. The triplicated watchdog timer should never be required to operate; however, it is an effective measure against unknown systematic faults, which cannot otherwise be detected.

The outputs from the external watchdog can be used to shut down the field power supplies or disconnect the field power to the final elements on the systematic failure of 2 or more processors. The configuration of the output of the external watchdog will depend on the end
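The behaviour described in 3.6.10, modelled as an added Python illustration that is not part of the Triguard documentation: each processor toggles a heartbeat output every scan, an independent watchdog channel per processor expires when its heartbeat stops changing, and field power is removed only when two or more channels have expired (2oo3), so a single processor fault does not trip the plant. The timeout, threshold and names are assumptions for the model, not Triguard SC300E values.

```python
from dataclasses import dataclass, field

# Assumed timing values for the illustration, not Triguard SC300E figures.
WATCHDOG_TIMEOUT = 3  # scans without a heartbeat change before a channel expires
TRIP_THRESHOLD = 2    # trip on systematic failure of 2 or more processors (2oo3)


@dataclass
class WatchdogChannel:
    """One external watchdog channel, fed by one processor's heartbeat output."""
    last_heartbeat: bool = False
    scans_since_change: int = 0

    def feed(self, heartbeat: bool) -> None:
        """Called once per scan with the heartbeat output the processor wrote."""
        if heartbeat != self.last_heartbeat:
            self.last_heartbeat = heartbeat
            self.scans_since_change = 0
        else:
            self.scans_since_change += 1

    @property
    def expired(self) -> bool:
        return self.scans_since_change >= WATCHDOG_TIMEOUT


@dataclass
class TriplicatedWatchdog:
    """Three independent channels voted 2oo3 onto the field power shutdown."""
    channels: list = field(default_factory=lambda: [WatchdogChannel() for _ in range(3)])

    def scan(self, heartbeats) -> bool:
        """Feed the three heartbeats; return True when field power must be removed."""
        for channel, heartbeat in zip(self.channels, heartbeats):
            channel.feed(heartbeat)
        return sum(channel.expired for channel in self.channels) >= TRIP_THRESHOLD


def run_scenario(stuck_processors, scans: int = 10):
    """Healthy processors toggle their heartbeat every scan; processors listed in
    stuck_processors hold it constant, modelling logic that has stopped writing
    outputs. Returns the scan index of the trip, or None if it never trips."""
    watchdog = TriplicatedWatchdog()
    for n in range(scans):
        heartbeats = [False if i in stuck_processors else n % 2 == 1 for i in range(3)]
        if watchdog.scan(heartbeats):
            return n
    return None
```

Running `run_scenario({0})` shows a single stuck processor is tolerated, while `run_scenario({0, 2})` trips as soon as two channels have both exceeded the timeout.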