Mpp A, Mpp B, Mpp C; Power Supply Failures; Application Software, Design, Verification And Validation; Non Safety Functions - ABB Triguard SC300E Safety Manual

Triple modular redundant safety controller

It is recommended that this flag be used to instigate an orderly shutdown of the remaining part
of the process.

3.5.14 MPP A, MPP B, MPP C

When an external TMR watchdog circuit is used to provide additional defence against common
cause failure, these error flags are used to control the pulsing of the watchdog. The watchdog
drive ladder network should be placed at the end of the networks.

3.5.15 Power Supply Failures

Each system chassis tolerates the loss of a single system power supply. The power fail alarm
contacts on each system power supply should be available to be read by a digital input to allow
the system power supply diagnostics to be reported.
When two external power feeds are supplied to the system cabinets, the system power
distribution must be designed to tolerate the loss of one of these feeds.

3.6 Application Software, Design, Verification and Validation

TriBuild provides a number of tools and facilities to aid safe application programming. A
comprehensive 'help' facility is provided with TriBuild and this is supplemented by the Software
Reference Manual 008-5206.
There are also a small number of functions available with Triguard that must not be used for
safety applications.

3.6.1 Non Safety Functions

The following function calls must not be used in Emergency Shutdown Safety Applications:
- GOTO
- PAUS

Only the TUV approved library elements (marked with an *) should be used for safety functions.

3.6.2 Modularity and Version Control

The TriBuild Ladder Network Editor is a page by page editor allowing function and sub-function
to be structured on a page by page basis. This facility should be used to provide structure to the
application programme.
When modifying a ladder design, version control must be maintained, and the systems designer
must fully document changes.

3.6.3 Discretes and Register Validation

Using the facilities within the TriBuild Network Editor a Cross-reference list must be produced.
This list must be used to ensure that no double usage of discretes or registers has occurred.
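
The cross-reference review in 3.6.3 and the function restriction in 3.6.1 can be automated as a pre-release check. The script below is an added example, not part of the manual or of TriBuild: the CSV layout, the address names and the reading of "double usage" as one address written in more than one network are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Function calls section 3.6.1 excludes from Emergency Shutdown applications.
FORBIDDEN_CALLS = {"GOTO", "PAUS"}

# Constructed sample in a hypothetical CSV layout (not TriBuild's real format):
# page, network, element type, address, role (IN = read, OUT = written).
SAMPLE_XREF = """\
page,network,element,address,role
1,1,CONTACT,D0100,IN
1,1,COIL,D0200,OUT
2,3,CONTACT,D0200,IN
2,4,COIL,D0200,OUT
3,1,MOVE,R0010,OUT
3,2,GOTO,,
4,1,MOVE,R0010,OUT
4,2,COIL,D0300,OUT
"""

def audit_xref(text):
    """Return (double_usage, forbidden) found in a cross-reference export.

    double_usage maps an address to the sorted (page, network) locations
    that write it, when there is more than one such location.
    forbidden lists (page, network, call) for each excluded function call.
    """
    writers = defaultdict(set)
    forbidden = []
    for row in csv.DictReader(io.StringIO(text)):
        loc = (int(row["page"]), int(row["network"]))
        element = row["element"].strip().upper()
        if element in FORBIDDEN_CALLS:
            forbidden.append((*loc, element))
        # Assumption: "double usage" means written from more than one network.
        if row["role"].strip().upper() == "OUT" and row["address"].strip():
            writers[row["address"].strip().upper()].add(loc)
    double_usage = {a: sorted(w) for a, w in writers.items() if len(w) > 1}
    return double_usage, forbidden

if __name__ == "__main__":
    doubles, calls = audit_xref(SAMPLE_XREF)
    for addr, locs in sorted(doubles.items()):
        print(f"double usage: {addr} written at (page, network) {locs}")
    for page, net, call in calls:
        print(f"forbidden call: {call} at page {page}, network {net}")
```

Running the check on every revision and archiving its output with the change record also supports the version-control requirement in 3.6.2.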

3.6.4 Power-Up Initialisation

The application logic must be designed so that on power-up all outputs are set to the 'off' safe state.
As part of the Triguard Release 3 program a new feature has been added to RTTS (8.30-008
and later versions) that permits a Triguard system to resume application logic execution
automatically after power is restored to the main processors.
For main processor configuration details refer to revision 6 of the Triguard SC300E MPP Module
User Manual. Switch settings allow the auto-restart function to be enabled, assuming battery-
backed memory is being used to store both application logic and I/O status.
Issue 5 - September 2006
