Emergency Diesel Generator for UK Nuclear Site — Concept Definition
System
The {{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} ({{hex:DFF73A59}}) is a Class 1 safety system providing standby electrical power during loss-of-offsite-power events at UK nuclear licensed sites. Its mission: ensure continuous cooling of reactor fuel to prevent core damage when the National Grid is unavailable. Compliance with Office for Nuclear Regulation Safety Assessment Principles, IEC 61513 (Instrumentation and Control for Nuclear Power Plants), and IEC 62645 (Nuclear Power Plants — Instrumentation, Control and Electrical Power Systems — Cybersecurity Requirements) is mandatory. The system must achieve 0.975 start-on-demand reliability and reach rated voltage within 10 seconds of LOOP detection.
ConOps
Seven operating modes span the EDG lifecycle:
| Mode | Entry | Exit |
|---|---|---|
| {{trait:Standby}} Ready | Post-maintenance/test | LOOP signal → Emergency Start |
| Emergency Start | LOOP detection | Rated V/Hz in 10s → Running Loaded |
| Running Loaded | Load sequencing complete | Grid stable → Cooldown |
| Cooldown Shutdown | Offsite power restored | Engine stopped → Standby Ready |
| Surveillance Test | Scheduled monthly test | Test complete → Cooldown |
| Maintenance Out-of-Service | LOTO applied | PMT passed → Standby Ready |
| Degraded Operation | Fault detected while running | Fault cleared or operator decision |
Six ConOps scenarios define operational reality: (1) LOOP response at 02:30 with both trains starting and operator monitoring from control room; (2) failure-to-start with stuck fuel solenoid requiring maintenance intervention; (3) EDG trip during extended LOOP due to cooling fan belt failure; (4) monthly surveillance test demonstrating 9.8-second start; (5) station blackout with common-cause loss of both EDGs requiring mobile generator; (6) planned 14-day overhaul during refuelling outage.
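The mode table and ConOps scenarios 2 and 4 above, as an added Python model that is not part of the original concept definition: it encodes the table's Entry/Exit transitions, rejects moves the table does not allow, treats rated voltage arriving after the 10-second deadline as an H-001 demand failure, and keeps the start-on-demand record that the 0.975 target would be judged against. The event names and the failed-start edge into Maintenance Out-of-Service are assumptions.

```python
from enum import Enum

START_DEADLINE_S = 10.0  # page requirement: rated V/Hz within 10 s of LOOP detection

class Mode(Enum):
    STANDBY = "Standby Ready"
    START = "Emergency Start"
    LOADED = "Running Loaded"
    COOLDOWN = "Cooldown Shutdown"
    TEST = "Surveillance Test"
    MAINT = "Maintenance Out-of-Service"
    DEGRADED = "Degraded Operation"

# (mode, event) -> next mode, read off the Entry/Exit columns of the mode table.
# The "start_failed" -> MAINT edge is an assumption drawn from ConOps scenario 2.
TRANSITIONS = {
    (Mode.STANDBY, "loop_signal"): Mode.START,
    (Mode.STANDBY, "scheduled_test"): Mode.TEST,
    (Mode.STANDBY, "loto_applied"): Mode.MAINT,
    (Mode.START, "rated_v_hz"): Mode.LOADED,
    (Mode.START, "start_failed"): Mode.MAINT,
    (Mode.LOADED, "grid_stable"): Mode.COOLDOWN,
    (Mode.LOADED, "fault_detected"): Mode.DEGRADED,
    (Mode.COOLDOWN, "engine_stopped"): Mode.STANDBY,
    (Mode.TEST, "test_complete"): Mode.COOLDOWN,
    (Mode.MAINT, "pmt_passed"): Mode.STANDBY,
    (Mode.DEGRADED, "fault_cleared"): Mode.LOADED,
    (Mode.DEGRADED, "operator_shutdown"): Mode.COOLDOWN,
}

class EdgTrain:  # one train: current mode, start timing, start-on-demand record
    def __init__(self):
        self.mode, self.start_demanded_at = Mode.STANDBY, None
        self.demands, self.failures = 0, 0

    def event(self, name, t):  # apply event at time t (s); reject moves the table does not allow
        if name == "rated_v_hz" and self.mode is Mode.START and t - self.start_demanded_at > START_DEADLINE_S:
            name = "start_failed"  # rated voltage after the deadline is an H-001 demand failure
        nxt = TRANSITIONS.get((self.mode, name))
        if nxt is None:
            raise ValueError(f"'{name}' not permitted in {self.mode.value}")
        if name == "loop_signal":
            self.start_demanded_at, self.demands = t, self.demands + 1
        elif name == "start_failed":
            self.failures += 1
        self.mode = nxt
        return nxt

    def start_reliability(self):
        """Observed start-on-demand fraction, for comparison with the 0.975 target."""
        return 1.0 if self.demands == 0 else 1 - self.failures / self.demands
```

Walking scenario 4 (start in 9.8 s) and then scenario 2 (no rated voltage by 10 s) through one train leaves it in Maintenance Out-of-Service with one failure on two demands.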
Hazard Register
| ID | Hazard | Severity | SIL | Safe State |
|---|---|---|---|---|
| H-001 | Failure to start on demand | Catastrophic | 3 | Diverse backup power or reactor trip |
| H-002 | Loss of output during operation | Catastrophic | 3 | Auto-transfer to alternate EDG |
| H-003 | Engine overspeed | Critical | 2 | Mechanical trip and fuel cutoff |
| H-004 | Fire in EDG building | Critical | 2 | Fire suppression, alternate EDG |
| H-005 | Fuel contamination/exhaustion | Critical | 2 | Alternate tank, replenishment |
| H-006 | Cooling system failure | Critical | 2 | High-temp trip, alternate EDG |
| H-007 | Common cause failure (both EDGs) | Catastrophic | 4 | Diverse AC, DC batteries, passive cooling |
| H-008 | Seismic damage | Critical | 2 | Post-seismic inspection |
| H-009 | Spurious start/trip | Major | 1 | Operator verification |
| H-010 | Cyber attack | Catastrophic | 3 | Air-gapped backup, hardwired trips |
Cross-domain analogs: elevator overspeed governors (mechanical trip pattern for H-003), offshore platform fire protection systems (deluge/foam for H-004), fusion plant cooling loss scenarios (thermal management for H-006).
Stakeholders
| Role | Relationship | Hex | Scenarios |
|---|---|---|---|
| Control Room Operator | Primary operational interface | {{hex:00AD6AF9}} | 1-5 |
| Shift Supervisor | LCO and emergency decisions | {{hex:01857AF9}} | 2-3, 5-6 |
| Mechanical Technician | Engine maintenance/repair | {{hex:018C28F8}} | 2-3, 6 |
| I&C Technician | Control/protection systems | {{hex:00A530F8}} | 2, 4, 6 |
| ONR | Regulatory approval | {{hex:008578FD}} | All |
| Licensee | Ultimate safety responsibility | {{hex:008538FD}} | All |
| EDG OEM | Technical support, spares | {{hex:40805098}} | 6 |
| Local Community | Expects accident prevention | {{hex:000412BD}} | — |
Operating Environment
- Seismic: Category I, 0.2g PGA design basis per European Utility Requirements (EUR)
- Environmental: -10°C to +40°C ambient, IP54 minimum, coastal atmosphere
- EMC: IEC 61000-4 immunity, no spurious actuation from EMI
- Reliability: 0.975 start probability, 0.999 24-hour mission reliability
- Fuel: 7-day inventory at 100% load, EN 590 quality, diverse supply
- Time: 10-second start-to-rated-voltage, 15-second full load acceptance
External Interfaces
```mermaid
flowchart TB
    EDG["Emergency Diesel Generator"]
    GRID["National Grid"]
    BUS["Emergency AC Bus"]
    PPS["Plant Protection System"]
    MCR["Main Control Room"]
    UHS["Ultimate Heat Sink"]
    FUEL["Fuel Supply"]
    DC["DC Battery System"]
    GRID -->|LOOP signal| EDG
    EDG -->|6.6kV AC power| BUS
    PPS -->|Start/stop commands| EDG
    EDG -->|Status signals| PPS
    EDG -->|HMI data| MCR
    MCR -->|Manual controls| EDG
    UHS -->|Cooling water| EDG
    FUEL -->|Diesel fuel| EDG
    DC -->|Control/start power| EDG
```
Next
The scaffold session should derive STK requirements from the ConOps scenarios, focusing on the {{entity:Control Room Operator}}'s needs for monitoring and manual intervention, the {{entity:Shift Supervisor}}'s decision support during LCO entry, and the {{entity:ONR}}'s demonstration requirements for reliability and safety function adequacy. The station blackout scenario (scenario 5, hazard H-007) demands particular attention: its safe state requires diverse alternate AC sources and a battery coping time that may exceed current assumptions.