EDG QC: 34 Orphans to 6, 0 Missing Rationale, VER Coverage to 54%

System

The {{entity:Emergency Diesel Generator}} system for a UK nuclear licensed site, project se-edg-uk-nuclear. This is an interim QC session (Flow C) covering the full project scope at entry to the QC phase. At session start: 67 requirements, 37 trace links, 3 baselines. At session close: 73 requirements, 59 trace links, baseline QC-2026-03-26.

Findings

Missing rationale and verification — 6/67 requirements (all ARC). All six {{sub:ARC-REQ-001}} through {{sub:ARC-REQ-006}} carried no rationale or verification field. These are architecture decision records containing rich engineering justification in their text, but the structured fields were unpopulated.

Duplicate trace links — 13 duplicates across 10 pairs. Three pairs ({{sys:SYS-REQ-001}}→{{sub:SUB-REQ-001}}, {{sys:SYS-REQ-005}}→{{sub:SUB-REQ-003}}, {{sys:SYS-REQ-006}}→{{sub:SUB-REQ-002}}) had three copies each; four more pairs had two copies. Total link count was inflated from 24 unique to 37.

Orphan requirements — 34/67 (51%). The majority of {{ifc:IFC-REQ-001}} through {{ifc:IFC-REQ-007}} (external interfaces), and nine {{stk:STK-REQ-002}} through {{stk:STK-REQ-018}} entries, had no trace links at all. ARC requirements also showed as orphans because no linkset exists between architecture-decisions and system-requirements.

Coverage gaps — 5 critical SYS concepts untraced to SUB. Lint findings 73–76 identified {{sys:SYS-REQ-003}} (priority-based load sequencer), {{sys:SYS-REQ-008}} (fuel storage system), {{sys:SYS-REQ-010}} (engine independence), {{sys:SYS-REQ-011}} (building fire detection), and {{sys:SYS-REQ-007}} (independent trains) as having no corresponding subsystem requirements.

Verification coverage — 7/22 SUB+IFC requirements (32%). Below the 50% gate threshold. Most external interface requirements (IFC-REQ-001 to -007) and two-thirds of subsystem requirements had no VER entry.

Reversed trace directions — 7 link pairs. All seven existing VER links were stored with direction SUB/IFC → VER instead of the required VER → SUB/IFC. trace validate --fix auto-corrected all 7.

Duplicate diagram — 1. Two instances of “Diesel Engine Assembly — Internal” (diagram-1774489045070, diagram-1774489049819). Older retained, duplicate deleted.

Corrections

Rationale and verification: All six ARC requirements updated with specific engineering rationale citing IEEE 387, IEC 61508 (Functional safety of E/E/PE safety-related systems), IEC 61513, and ONR SAPs. Verification method set to Inspection or Demonstration as appropriate. This brings missing rationale from 6 to 0 and missing verification from 6 to 0.

Duplicate trace links: 13 duplicate links deleted, reducing trace link count from 37 to 24 before new links were added.

ARC orphans: ARC requirements tagged informational — no linkset between architecture-decisions and system-requirements exists in the tool configuration. The six records serve as design rationale, not functional derivation chains.

IFC orphan links: {{ifc:IFC-REQ-001}} (LOOP detection) linked from {{sys:SYS-REQ-002}}; {{ifc:IFC-REQ-002}} (6.6kV delivery) from {{sys:SYS-REQ-001}}; {{ifc:IFC-REQ-003}}–{{ifc:IFC-REQ-007}} linked to SYS-REQ-005/002/013/008/007 respectively. Internal interfaces IFC-REQ-009, -010, -012, -013 linked to SYS-REQ-005 and SYS-REQ-010.

STK orphan links: Nine orphaned STK requirements linked: {{stk:STK-REQ-002}}, -005, -008 to SYS-REQ-013; STK-REQ-006, -009 to SYS-REQ-012; STK-REQ-007 to SYS-REQ-011; STK-REQ-011 to SYS-REQ-003; STK-REQ-013 to SYS-REQ-007; STK-REQ-014, -017 to SYS-REQ-005; STK-REQ-018 to SYS-REQ-015.

Coverage gap closures: {{sub:SUB-REQ-010}} created for the {{entity:Electrical Switchgear and Load Sequencer Subsystem}} load sequencer (500 ms inter-group delay, 10-second total restoration) and {{sub:SUB-REQ-011}} for the {{entity:Fuel Oil System}} inventory (7,000 litres/train, CIMAC Class DM spec). SUB-REQ-010 is traced from SYS-REQ-003 and SUB-REQ-011 from SYS-REQ-008.

Verification coverage: Four VER requirements added: VER-REQ-007 (24-hour endurance verifying SUB-REQ-002/003), VER-REQ-008 (LOOP-to-bus test verifying IFC-REQ-001/002), VER-REQ-009 (seismic qualification analysis verifying SUB-REQ-008 per IEEE 344), VER-REQ-010 (load sequencer acceptance verifying SUB-REQ-010). Coverage now 13/24 = 54%, clearing the 50% gate.
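The checks behind the Findings and Corrections above (duplicate links, reversed VER links, orphans, verification coverage over SUB+IFC) as an added Python example; this is not the project's trace tool, and the requirement ids and links are a small constructed sample, not session data.

```python
# Added example (not the project's tool): the trace-link checks this
# session reports, run over a small constructed requirement set.

def req_type(req_id):
    # Requirement class is the prefix before the first '-', e.g. 'SYS'.
    return req_id.split("-", 1)[0]

def fix_ver_direction(links):
    # VER links must run VER -> SUB/IFC; flip any stored the other way.
    fixed, flipped = [], 0
    for src, dst in links:
        if req_type(dst) == "VER" and req_type(src) in ("SUB", "IFC"):
            src, dst, flipped = dst, src, flipped + 1
        fixed.append((src, dst))
    return fixed, flipped

def dedup_links(links):
    # Drop repeated (src, dst) pairs, keeping first-seen order.
    unique = list(dict.fromkeys(links))
    return unique, len(links) - len(unique)

def orphans(req_ids, links):
    # Requirements that appear at neither end of any link.
    linked = {r for link in links for r in link}
    return sorted(r for r in req_ids if r not in linked)

def verification_coverage(req_ids, links):
    # (covered, total) over SUB+IFC requirements that have a VER link.
    targets = [r for r in req_ids if req_type(r) in ("SUB", "IFC")]
    verified = {dst for src, dst in links if req_type(src) == "VER"}
    return sum(r in verified for r in targets), len(targets)

def run_qc(req_ids, raw_links):
    # Direction is fixed before dedup so a reversed copy still collapses.
    links, flipped = fix_ver_direction(raw_links)
    links, dups = dedup_links(links)
    covered, total = verification_coverage(req_ids, links)
    return {"flipped": flipped, "duplicates": dups, "links": links,
            "orphans": orphans(req_ids, links),
            "coverage": (covered, total)}

# Constructed sample: three copies of one link and one reversed VER link,
# mirroring the kinds of defect found in the session (values are made up).
REQS = ["SYS-REQ-001", "SYS-REQ-005", "SUB-REQ-001", "SUB-REQ-003",
        "IFC-REQ-001", "IFC-REQ-002", "STK-REQ-002", "VER-REQ-007"]
RAW_LINKS = [("SYS-REQ-001", "SUB-REQ-001"), ("SYS-REQ-001", "SUB-REQ-001"),
             ("SYS-REQ-001", "SUB-REQ-001"), ("SYS-REQ-005", "SUB-REQ-003"),
             ("SUB-REQ-001", "VER-REQ-007"), ("SYS-REQ-001", "IFC-REQ-002")]

if __name__ == "__main__":
    print(run_qc(REQS, RAW_LINKS))
```

On the sample, the run reports 2 duplicates removed, 1 link flipped, two orphans and 1/4 verification coverage, which is the same arithmetic that produced the 37→24 link count and 13/24 = 54% figures above.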

flowchart TB
  n0["system - Emergency Diesel Generator"]
  n1["actor - National Grid"]
  n2["actor - Emergency AC Bus"]
  n3["actor - Plant Protection System"]
  n4["actor - Main Control Room"]
  n5["actor - Ultimate Heat Sink"]
  n6["actor - Fuel Supply"]
  n7["actor - DC Battery System"]
  n1 -->|LOOP signal| n0
  n0 -->|6.6kV AC power| n2
  n3 -->|Start/stop commands| n0
  n0 -->|Status signals| n3
  n0 -->|HMI data| n4
  n4 -->|Manual controls| n0
  n5 -->|Cooling water| n0
  n6 -->|Diesel fuel| n0
  n7 -->|Control/start power| n0

Residual

Lint findings (81 total, 73 medium) — the majority are ontological mismatch findings from UHT classifying concepts like “protection separation” as 00000000 (all-off), which triggers spurious {{trait:Biological/Biomimetic}} and {{trait:Powered}} trait findings. These are classification artefacts, not missing requirements; reclassification of “protection separation” should occur in the next decomposition session when the subsystem is formally defined.

Coverage gaps (findings 65–81) — nine STK concepts not yet traced to SYS (diagnostic access, shift supervisor, safety assessment principles, design basis throughout plant life, EUR requirements) and five SYS concepts not decomposed to SUB (EDG building, EDG installation, engine independence, IEC 62645 I&C compliance, technical specifications). These represent the next decomposition session’s scope — the {{entity:Digital Monitoring and Control System}} and the {{entity:EDG Building}} subsystems.

ARC linkset — no trace linkset between architecture-decisions and system-requirements is configured. ARC requirements remain formally orphaned but are tagged informational. A linkset creation capability would resolve this permanently.

Next

Residual lint coverage gaps point to two undecomposed subsystems: the {{entity:Digital Monitoring and Control System}} (ARC-REQ-002, IEC 62645 compliance, five medium-severity lint findings) and the EDG Building and Civil Works (SYS-REQ-011, fire detection, seismic anchorage). Decomposing the I&C subsystem is the higher priority: it carries the hardwired protection diversity constraint from ARC-REQ-002 and is the only subsystem where the SIL allocation has not yet been traced to individual components.
