EDG UK Nuclear: Scaffold and Starting & Control Decomposition

System

The {{entity:Emergency Diesel Generator System for UK Nuclear Licensed Site}} ({{hex:D7F73A59}}) — a Class 1E standby AC power system rated 1–5 MW for a UK nuclear licensed site. Project se-emergency-diesel-generator-for-a-uk-nuclear-licensed-site was scaffolded but contained zero requirements at session start. This session establishes the full scaffold (STK + SYS requirements, spec tree) and completes decomposition of the {{entity:Starting and Control Subsystem}} ({{hex:55F77A18}}), the highest-risk subsystem due to its SIL 3 start-on-demand function. Session closes with 32 requirements, 20 trace links, one internal block diagram, and a baseline.

Decomposition

Seven subsystems classified and entered into the spec tree: {{entity:Starting and Control Subsystem}} (SIL 3), {{entity:Electrical Protection and Switchgear Subsystem}} (SIL 3), {{entity:Diesel Engine Subsystem}} ({{hex:D7F53218}}, SIL 2), {{entity:Alternator Subsystem}} ({{hex:D6F53018}}, SIL 2), {{entity:Fuel Oil System}} ({{hex:5E951018}}, SIL 2), {{entity:Cooling System}} ({{hex:56D71018}}, SIL 2), and {{entity:Monitoring and Instrumentation Subsystem}} ({{hex:54A57218}}, SIL 2). SIL order drives decomposition priority across future sessions.

The {{entity:Starting and Control Subsystem}} decomposes into four components: {{entity:Automatic Load Controller}} ({{hex:51F77018}}) — dual-channel LOOP detection and start demand initiation; {{entity:Engine Control Panel}} ({{hex:D6AD7818}}) — hardwired protection relay panel and trip latch logic; {{entity:Compressed Air Starting System}} ({{hex:D6D51018}}) — dual 250 L receivers at 30 bar, three start attempts without recharge; {{entity:Isochronous Governor System}} ({{hex:55F77A18}}) — electronic isochronous speed control with dual MPU.

The ALC–ECP architecture boundary is the key design decision ({{stk:ARC-REQ-001}}): software-intensive LOOP detection is confined to the ALC (separate SIL 3 qualification scope), while hardwired relay-based protection lives in the ECP. This prevents the entire control system from requiring SIL 3 software qualification.

flowchart TB
  n0["component - Automatic Load Controller"]
  n1["component - Engine Control Panel"]
  n2["component - Compressed Air Starting System"]
  n3["component - Isochronous Governor System"]
  n4["external - Class 1E Safety Bus"]
  n5["external - Diesel Engine"]
  n4 -->|LOOP detection voltage/freq| n0
  n0 -->|Start demand hardwired 24VDC| n1
  n1 -->|Air start valve open signal| n2
  n2 -->|30 bar cranking air| n5
  n5 -->|Speed feedback dual MPU| n3
  n3 -->|Fuel rack position| n5
  n1 -->|Speed setpoint / trip| n3

Analysis

Lint identified 7 high-severity findings. Two were genuine engineering gaps: the {{entity:Automatic Load Controller}} ({{trait:Functionally Autonomous}}) lacked an override mechanism — addressed with {{sub:SUB-REQ-007}} (hardwired key-switch inhibit); the {{entity:Isochronous Governor System}} ({{trait:Functionally Autonomous}}) lacked operator override — addressed with {{sub:SUB-REQ-008}} (manual speed trim with auto-reset on synchronise command). Three findings were lint artefacts from partial phrase extraction (“ecp”, “flywheel housing and fuel rack actuator”) — acknowledged in the Substrate namespace. The remaining two findings (ALC power source budget, diesel engine power source) are valid but addressed at the Diesel Engine Subsystem decomposition level; acknowledged with rationale.

The IFC-REQ-001 ALC-to-ECP interface specification (hardwired 24VDC contact, 10ms latency, 500Ω max impedance, physically separated cable) is the most safety-critical interface in the subsystem. Single-channel or software-based alternatives were explicitly ruled out because a comms protocol failure blocking the start signal constitutes a common-cause failure of the start function.

Requirements

Six STK requirements ({{stk:STK-REQ-001}}–{{stk:STK-REQ-006}}) covering emergency power provision, 7-day autonomy, ONR/IEC 61513/IEEE 308 compliance, periodic testability, seismic/flood/fire survivability, and maintenance access. Ten SYS requirements ({{sys:SYS-REQ-001}}–{{sys:SYS-REQ-010}}) including: 10-second start to rated voltage/frequency, 168-hour continuous operation, 500ms automatic start initiation, safety trip shutdown within 5 seconds, SIL 3 PFD ≤ 1×10⁻³, seismic qualification to IEEE 344, staged load acceptance (≤15% voltage dip), EMC per BS EN IEC 61000 (Electromagnetic compatibility), 30-minute load test support, and 12-month/5-year maintenance intervals. Eight SUB requirements for the {{entity:Starting and Control Subsystem}} with {{trait:Regulated}} safety classification: LOOP detection within 200ms, three compressed air start attempts without recharge, ±0.5% governor speed regulation, independent hardwired overspeed trip at 110% rated speed, failed-to-start safe state at 45 seconds, dual-channel ALC architecture (2oo2), hardwired ALC inhibit, and governor manual speed trim. Three IFC requirements ({{ifc:IFC-REQ-001}}–{{ifc:IFC-REQ-003}}) and four VER entries including the end-to-end system integration test ({{ifc:VER-REQ-004}}).
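As an added worked example (not code from the EDG project or its spec tree), the following discrete-time model exercises the start-on-demand logic described above against the limits quoted in the SUB and SYS requirements: 2oo2 LOOP vote, three crank attempts, the 45-second failed-to-start safe state, the hardwired inhibit and the 110% overspeed trip. The controller class, its state names, the 0.98 p.u. "at rated" threshold and the 15-second per-attempt crank window are assumptions for illustration.

```python
from dataclasses import dataclass

RATED_MS = 10_000          # SYS: rated voltage/frequency within 10 s of demand
FAIL_TO_START_MS = 45_000  # SUB: failed-to-start safe state at 45 s
MAX_ATTEMPTS = 3           # SUB: three air-start attempts without recharge
OVERSPEED_PU = 1.10        # SUB: hardwired overspeed trip at 110% rated speed
CRANK_WINDOW_MS = 15_000   # assumed: one crank attempt per 15 s (3 x 15 s = 45 s)

@dataclass
class StartController:
    inhibit: bool = False   # SUB-REQ-007 hardwired key-switch inhibit (assumed flag name)
    state: str = "STANDBY"
    attempts: int = 0
    demand_ms: int = -1     # when the 2oo2 LOOP vote raised start demand
    attempt_ms: int = -1    # when the current crank attempt began
    rated_ms: int = -1      # when the set reached rated speed

    def step(self, t_ms, ch_a_loop, ch_b_loop, speed_pu, air_ok):
        # Hardwired ECP overspeed trip acts regardless of ALC state
        if speed_pu >= OVERSPEED_PU:
            self.state = "TRIPPED"
        elif self.state == "STANDBY":
            # 2oo2 ALC vote: both channels must see LOOP; inhibit blocks the demand
            if ch_a_loop and ch_b_loop and not self.inhibit and air_ok:
                self.state, self.attempts = "CRANKING", 1
                self.demand_ms = self.attempt_ms = t_ms
        elif self.state == "CRANKING":
            if speed_pu >= 0.98:                          # at rated speed/frequency (assumed)
                self.state, self.rated_ms = "RUNNING", t_ms
            elif t_ms - self.demand_ms >= FAIL_TO_START_MS:
                self.state = "FAILED_TO_START"            # 45 s safe state
            elif t_ms - self.attempt_ms >= CRANK_WINDOW_MS:
                if self.attempts < MAX_ATTEMPTS and air_ok:
                    self.attempts, self.attempt_ms = self.attempts + 1, t_ms
                else:
                    self.state = "FAILED_TO_START"        # receivers exhausted
        return self.state

def run(samples, inhibit=False):
    """samples: (t_ms, ch_a_loop, ch_b_loop, speed_pu, air_ok) tuples; returns a summary."""
    c = StartController(inhibit=inhibit)
    for s in samples:
        c.step(*s)
    ttr = c.rated_ms - c.demand_ms if c.rated_ms >= 0 else None
    return {"state": c.state, "attempts": c.attempts, "time_to_rated_ms": ttr,
            "meets_10s": ttr is not None and ttr <= RATED_MS}

# Constructed scenarios: LOOP seen on both channels at t=0, sampled every 100 ms
NORMAL_START = [(t, True, True, min(t / 8000, 1.0), True) for t in range(0, 12_001, 100)]
NO_FIRE = [(t, True, True, 0.0, True) for t in range(0, 50_001, 100)]
```

Running `run(NORMAL_START)` and `run(NO_FIRE)` shows the two sides of the SIL 3 function: a start that meets the 10-second limit, and an engine that never fires reaching the safe state exactly when the third attempt window and the 45-second limit coincide.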

Trace coverage: 31 of 32 requirements are linked (97%); ARC-REQ-001 is an intentional root architecture narrative with no parent derivation.

Next

Next session should decompose the {{entity:Electrical Protection and Switchgear Subsystem}} (SIL 3) — the generator circuit breaker protection relay suite is the second highest-risk subsystem. Key requirements to generate: differential protection trip thresholds, synchronising check relay, out-of-phase close prevention, and the bus section breaker interlock logic. The {{sys:SYS-REQ-007}} load sequencing requirement needs SUB-level requirements in the Electrical Protection subsystem specifying contactor ratings and sequencing timers.
