Starting Air System and I&C: SIL 3 Requirements for the EDG Start Chain

System

The {{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} project (se-edg-uk-nuclear) entered this session with 81 requirements across six documents and five diagrams. Two subsystems had internal block diagrams but no corresponding {{sub:SUB-REQS}} requirements: the {{entity:Starting Air System}} and the {{entity:EDG Instrumentation and Control System}}. Both are rated {{trait:System-Essential}} and carry SIL 3 integrity obligations under IEC 61508 (Functional safety of E/E/PE safety-related systems). These were the highest-priority undecomposed subsystems because together they implement the entire EDG start chain — no start command reaches the engine without both subsystems functioning correctly.

Decomposition

Starting Air System (hex {{hex:DEC51018}}, reclassified this session to include {{trait:Physical Object}} after lint flagged the mismatch) has six components: Air Receiver Banks A and B, Air Start Valve and Distribution Manifold, Air Compressor and Recharge Unit, Moisture Separator and Drain System, and Pressure Monitoring and Low-Pressure Alarm.

flowchart TB
  n0["component - Air Receiver Bank A"]
  n1["component - Air Receiver Bank B"]
  n2["component - Air Start Valve and Distribution Manifold"]
  n3["component - Air Compressor and Recharge Unit"]
  n4["component - Moisture Separator and Drain System"]
  n5["component - Pressure Monitoring and Low-Pressure Alarm"]
  n0 -->|30-bar air train A| n2
  n1 -->|30-bar air train B| n2
  n3 -->|Recharge to 30 bar| n0
  n3 -->|Recharge to 30 bar| n1
  n4 -->|Dehumidified compressed air| n0
  n0 -->|Receiver pressure signal| n5
  n1 -->|Receiver pressure signal| n5

Five SUB requirements were written: receiver pressure bounds (25–30 bar, three-attempt capacity), air start valve actuation time (0.5 s to all cylinders), compressor recharge time (30 bar within 30 minutes), moisture separator dewpoint (minus 40 °C per EN ISO 8573-1 Class 3), and the safe-state inhibit (start blocked below 22 bar, control-room alarm at 27 bar). The safe-state requirement aligns with {{sys:SYS-REQ-010}} hardwired protection functions — a failed crank on depleted air is a worse outcome than a blocked start.
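The safe-state inhibit above is the kind of logic that gets checked in review: is the start really blocked, does the alarm fire first, and what happens when the pressure signal itself is lost? The following is an added example and not code from the se-edg-uk-nuclear project. It uses only the thresholds the session states (25–30 bar operating band, 27 bar alarm, inhibit below 22 bar); the plausibility ceiling for rejecting a faulty reading, the fail-safe rule that an invalid reading inhibits the start, and the rule that either bank can carry the start while any bank raises the alarm are all assumptions of the example.

```python
"""Start-permissive evaluation for the Starting Air System (added example).

Stated thresholds: 25-30 bar operating band, 27 bar control-room alarm,
start inhibit below 22 bar. Everything else here is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

OPERATING_MIN_BAR = 25.0   # lower edge of the stated receiver band
OPERATING_MAX_BAR = 30.0   # upper edge of the stated receiver band
ALARM_BAR = 27.0           # control-room low-pressure alarm (stated)
INHIBIT_BAR = 22.0         # start blocked below this (stated)
PLAUSIBLE_MAX_BAR = 35.0   # assumed: a reading above this is a sensor or signal fault


@dataclass(frozen=True)
class BankStatus:
    bank: str
    pressure_bar: Optional[float]
    start_permitted: bool
    alarm: bool
    sensor_fault: bool
    note: str


def evaluate_bank(bank: str, pressure_bar: Optional[float]) -> BankStatus:
    """Classify one receiver bank. Invalid readings fail safe, i.e. they inhibit."""
    if pressure_bar is None or not (0.0 <= pressure_bar <= PLAUSIBLE_MAX_BAR):
        # Assumed fail-safe rule: a lost or implausible signal is treated like
        # depleted air, and the alarm is raised so the operator can see why.
        return BankStatus(bank, pressure_bar, False, True, True,
                          "invalid reading: start inhibited")
    if pressure_bar < INHIBIT_BAR:
        return BankStatus(bank, pressure_bar, False, True, False,
                          "below 22 bar: start inhibited")
    if pressure_bar < OPERATING_MIN_BAR:
        return BankStatus(bank, pressure_bar, True, True, False,
                          "below 25 bar operating band: low-pressure alarm")
    if pressure_bar < ALARM_BAR:
        return BankStatus(bank, pressure_bar, True, True, False,
                          "below 27 bar: low-pressure alarm")
    if pressure_bar > OPERATING_MAX_BAR:
        # Assumed: over-pressure is a recharge/relief maintenance item, not a start block.
        return BankStatus(bank, pressure_bar, True, False, False,
                          "above 30 bar band: check recharge unit and relief")
    return BankStatus(bank, pressure_bar, True, False, False, "within operating band")


def start_permissive(bank_a: Optional[float], bank_b: Optional[float]) -> dict:
    """Combine both banks into the permissive that gates the hardwired start command."""
    statuses = [evaluate_bank("A", bank_a), evaluate_bank("B", bank_b)]
    return {
        # Assumed: either 30-bar air train can carry the start (redundant banks).
        "start_permitted": any(s.start_permitted for s in statuses),
        # Any bank in alarm raises the control-room alarm.
        "alarm": any(s.alarm for s in statuses),
        "sensor_fault": any(s.sensor_fault for s in statuses),
        "banks": statuses,
    }


if __name__ == "__main__":
    # Constructed sample readings: bank A healthy, bank B signal lost.
    for line in start_permissive(28.5, None)["banks"]:
        print(line)
    print(start_permissive(28.5, None)["start_permitted"])
```

The ordering of the branches is the point: the inhibit is tested before the alarm bands so a depleted receiver can never be reported as merely "in alarm", and the invalid-reading branch sits first so that a broken pressure loop can never look like a healthy 0 bar that happens to be permitted.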

EDG I&C System (hex {{hex:55F77858}}) decomposes into six components: Automatic Start Logic Controller, Engine and Generator Protection Logic, Qualified I/O Module Assembly, Load Management and AVR Interface, Annunciation and HMI Panel, and Plant Communication Gateway. Five SUB requirements were written: LOOP detection within 100 ms and start command within 200 ms (derived from {{sys:SYS-REQ-002}}), SIL 3 protection trip response within 200 ms with PFD ≤ 1×10⁻³ per demand, Class 1E I/O isolation at 1.5 kV RMS surviving 0.3g PGA (derived from {{sys:SYS-REQ-012}}), unidirectional data diode for the plant communication gateway (also derived from {{sys:SYS-REQ-012}}), and the I&C safe-state transition (de-energise-to-trip within 500 ms on self-fault). Two new interface requirements defined the I&C-to-SAS boundary: the hardwired 125 V DC start command ({{ifc:IFC-REQ-014}}) and the 4–20 mA plus discrete pressure-monitoring return path ({{ifc:IFC-REQ-015}}).
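The four timing budgets in the I&C requirements above are the ones a verification method has to measure, so here is an added example (not project code) of a checker that reads a constructed event log and reports each budget as met, exceeded, or missing. The budgets are the stated ones (100 ms, 200 ms, 200 ms, 500 ms); the event names, the log-line format, and the choice of LOOP onset as the reference point for both the detection and the start-command budgets are assumptions of the example.

```python
"""Timing-budget checker for the EDG I&C start and protection chain (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Budgets as stated in the session text. Event names and reference points are assumed.
BUDGETS_MS = [
    # (requirement label, reference event, response event, limit in ms)
    ("LOOP detection",         "LOOP_ONSET",  "LOOP_DETECTED", 100),
    ("Start command",          "LOOP_ONSET",  "START_CMD",     200),
    ("Protection trip",        "FAULT_ONSET", "TRIP_OUTPUT",   200),
    ("Self-fault de-energise", "SELF_FAULT",  "DE_ENERGISED",  500),
]

# Assumed log-line format, e.g. "t=62ms LOOP_DETECTED".
LINE_RE = re.compile(r"^t=(\d+)ms\s+(\w+)$")


class Result(NamedTuple):
    requirement: str
    measured_ms: Optional[int]   # None when the response never appeared
    limit_ms: int
    ok: bool


def parse_log(lines: List[str]) -> Dict[str, int]:
    """Return the first timestamp of each event; a malformed line is an error, not noise."""
    first: Dict[str, int] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        t, name = int(m.group(1)), m.group(2)
        first.setdefault(name, t)
    return first


def check_timing(lines: List[str]) -> List[Result]:
    """Evaluate every budget whose reference event occurs in the log."""
    events = parse_log(lines)
    results: List[Result] = []
    for label, start, end, limit in BUDGETS_MS:
        if start not in events:
            continue  # that scenario did not occur in this log; nothing to judge
        if end not in events or events[end] < events[start]:
            # A missing or out-of-order response is a failed requirement, not "no data".
            results.append(Result(label, None, limit, False))
            continue
        measured = events[end] - events[start]
        results.append(Result(label, measured, limit, measured <= limit))
    return results


def all_ok(lines: List[str]) -> bool:
    return all(r.ok for r in check_timing(lines))


# Constructed sample logs (not captured from any plant).
PASSING_LOG = [
    "t=0ms LOOP_ONSET",
    "t=62ms LOOP_DETECTED",
    "t=171ms START_CMD",
    "t=5000ms FAULT_ONSET",
    "t=5140ms TRIP_OUTPUT",
]
FAILING_LOG = [
    "t=0ms LOOP_ONSET",
    "t=91ms LOOP_DETECTED",
    "t=236ms START_CMD",      # 36 ms over the 200 ms budget
    "t=9000ms SELF_FAULT",    # no DE_ENERGISED line follows: the safe-state transition is missing
]

if __name__ == "__main__":
    for name, log in (("passing", PASSING_LOG), ("failing", FAILING_LOG)):
        print(name)
        for r in check_timing(log):
            print(f"  {r.requirement}: {r.measured_ms} ms (limit {r.limit_ms}) -> {'OK' if r.ok else 'FAIL'}")
```

Two design choices matter for a SIL 3 chain. A budget whose reference event never occurred is skipped rather than reported as passed, so an idle log cannot inflate the pass count; and a response that is absent or arrives before its reference is reported as a failure with no measurement, because a self-fault that never reached the de-energised state is exactly the case the 500 ms requirement exists to catch.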

Analysis

The UHT classification comparison between SAS ({{hex:DEC51018}}) and I&C ({{hex:55F77858}}) captures the fundamental engineering distinction. The SAS is {{trait:Powered}}, {{trait:Physical Medium}}, and {{trait:State-Transforming}} — it stores and releases physical energy. The I&C carries {{trait:Processes Signals/Logic}}, {{trait:Functionally Autonomous}}, {{trait:Rule-Governed}}, and {{trait:Signalling}} — it processes information and commands other subsystems. The Jaccard similarity between the two is low (under 40%), confirming they are genuinely different classes of system with different failure modes and verification approaches. Cross-domain analog: the I&C architecture is structurally identical to an aircraft Flight Control Computer — autonomous, hardwired trips, data-diode isolated from non-safety networks.

Lint produced 88 medium-severity findings and 5 high-severity ontological mismatches. The SAS and Fuel Oil System mismatches were resolved by reclassification. The two abstract entities (“emergency diesel generator design” and “interface between the diesel engine assembly”) were acknowledged as correctly classified — design documents and interface specifications are not physical objects. The remaining medium findings are coverage gaps from undecomposed subsystems (Synchronous Generator, Engine Cooling, Lubrication Oil, Electrical Switchgear, EDG Building) and will be resolved in subsequent sessions.

Requirements

Session produced 16 requirements: {{sub:SUB-REQ-014}} through {{sub:SUB-REQ-023}}, {{ifc:IFC-REQ-014}}, {{ifc:IFC-REQ-015}}, and {{ver:VER-REQ-017}} through {{ver:VER-REQ-022}}. All carry explicit rationale and verification methods. Zero orphans across 99 requirements total. Baseline DECOMP-2026-03-26 created.

Next

Five subsystems remain undecomposed: Synchronous Generator (direct power output function, safety-critical), Electrical Switchgear and Load Sequencer (load shed logic, IEC 61508), Engine Cooling System, Lubrication Oil System, and EDG Building and Support Systems. Synchronous Generator and Electrical Switchgear are the highest-risk remaining items and should be addressed next — the voltage regulation and load sequencing functions are as time-critical as the start function.
