SYS-to-SUB Coverage Gaps Closed and SIL-3 Verification Entries Added

System

Emergency Diesel Generator for a UK Nuclear Licensed Site. All 7 subsystems in the spec tree are marked complete. This session addressed the quality layer above the structural decomposition: 43 lint findings, 1 orphan, and a verification coverage gap of 41% against the 50% floor.

Decomposition

No new subsystem decomposition was required. The session focused on four engineering gaps identified from lint and coverage analysis:

Coverage gaps (SYS → SUB): Four SYS requirements referenced concepts that had no decomposition at subsystem level.

  • {{sys:SYS-REQ-003}} referenced the site electrical protection system as the LOOP signal source, but no SUB requirement defined the {{entity:Automatic Load Controller}} input interface to it. {{sub:SUB-REQ-026}} was created to close this: a hardwired 24VDC Class 1E discrete input with a 200ms ALC sub-budget, leaving 300ms margin to the 500ms system deadline.
  • {{sys:SYS-REQ-006}} had no seismic qualification requirement at the subsystem level. {{sub:SUB-REQ-027}} decomposes this to the {{entity:Diesel Engine Subsystem}} as the mechanically dominant assembly with the most complex vibration interaction during a safe shutdown earthquake, referencing IEEE 344.
  • {{sys:SYS-REQ-008}} had no subsystem-specific EMC allocation. {{sub:SUB-REQ-028}} distinguishes SIL-rated functions (ALC, Generator Protection Relay), which require IEC 61000-6-7, from non-safety electronics held at IEC 61000-6-2 standard industrial immunity.
  • {{sys:SYS-REQ-010}} had no maintainability decomposition. {{sub:SUB-REQ-029}} targets the Diesel Engine as the primary maintenance driver, requiring site-tool-only servicing at 12-month intervals.

Orphan fix: {{arc:ARC-REQ-003}} (Diesel Engine five-component architecture decision) had no trace links. A derives link from {{sys:SYS-REQ-001}} was created, documenting that the lubrication and fuel injection component separations are direct consequences of the 10-second start-to-rated-voltage requirement.

flowchart TB
  n0["component<br/>Automatic Load Controller"]
  n1["component<br/>Engine Control Panel"]
  n2["component<br/>Compressed Air Starting System"]
  n3["component<br/>Isochronous Governor System"]
  n4["external<br/>Class 1E Safety Bus"]
  n5["external<br/>Diesel Engine"]
  n4 -->|LOOP detection voltage/freq| n0
  n0 -->|Start demand hardwired 24VDC| n1
  n1 -->|Air start valve open signal| n2
  n2 -->|30 bar cranking air| n5
  n5 -->|Speed feedback dual MPU| n3
  n3 -->|Fuel rack position| n5
  n1 -->|Speed setpoint / trip| n3

Analysis

Cross-domain search against the Substrate Factory corpus returned a Sequential Events Controller from a PWR nuclear protection system (similarity 0.84) — a PLC managing time-sequenced loading of ECCS and Containment Spray pumps in 5-second steps across two independent trains. This is architecturally similar to the {{entity:Automatic Load Controller}} load sequencing function of {{sys:SYS-REQ-007}}. The analog uses two independent trains, whereas the ALC uses 2oo2 voting on a single controller. This is not a gap — the SIL-3 voting architecture in {{sub:SUB-REQ-006}} achieves equivalent single-failure tolerance — but it confirms the load sequencing function (SYS-REQ-007) should be verified end-to-end. {{sub:SUB-REQ-027}} seismic qualification gained engineering grounding from a corpus analog of a medium-speed diesel engine block seismically qualified to 0.2g PGA per EUR Category I, confirming the IEEE 344 analysis route for this site’s EDG.

Three lint findings that flag {{entity:Generator Protection Relay}}, {{entity:Main Generator Circuit Breaker}} and {{entity:Safety Bus Transfer Contactor}} as {{trait:Regulated}} without compliance requirements were acknowledged: these are nuclear Class 1E certified components whose compliance evidence sits in the equipment qualification dossier, not in individual SUB requirements. The single high-severity finding (charge air system missing the {{trait:Physical Object}} trait) reflects a classification gap in Substrate, not a requirements gap — the turbocharger housing is addressed structurally in the ARC-REQ-003 component boundary.

Requirements

Six VER entries added this session (VER-REQ-016 through VER-REQ-021):

  • {{ver:VER-REQ-016}}: ALC LOOP detection test — 10 consecutive trials plus 24-hour standby observation for spurious start suppression
  • {{ver:VER-REQ-017}}: Compressed air endurance — 3 consecutive full-duration cranks without recharge, terminal pressure above minimum
  • {{ver:VER-REQ-018}}: Isochronous governor load step — 25–75% and 75–25% steps, ±7.5 RPM steady-state criterion
  • {{ver:VER-REQ-019}}: Generator Protection Relay fail-safe — watchdog interrupt, MGCB trip within 500ms, generator de-energised
  • {{ver:VER-REQ-020}}: Governor watchdog fail-safe — fuel rack to 0% within 100ms, engine shutdown confirmed
  • {{ver:VER-REQ-021}}: 24VDC Class 1E supply endurance — 2-hour battery test at rated interface load, 22–28VDC throughout
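The VER entries above each carry a measurable pass criterion (a deadline, a tolerance band, a voltage window, a minimum duration). The following is an added example, not the project's or Substrate's own test code, of evaluating such criteria mechanically over bench records so that the verification evidence is checked rather than read. Each record is a constructed (time_ms, channel, value) tuple; the 500ms, 100ms, ±7.5 RPM and 22–28VDC limits are those stated in the VER entries, while the 1500 RPM setpoint, the channel names and the five-sample settling window are assumptions made for the example.

```python
"""Acceptance-criteria checks for VER-REQ-018 to VER-REQ-021 over constructed
test-bench records (added example; limits from the VER entries, setpoint,
channel names and settling window assumed)."""


def _ordered(log):
    # Records may arrive out of order from a multi-channel logger.
    return sorted(log, key=lambda rec: rec[0])


def first_time(log, channel, value, after_ms=0):
    """Timestamp of the first record on `channel` equal to `value` at or after
    `after_ms`, or None when no such record exists."""
    for t, ch, v in _ordered(log):
        if t >= after_ms and ch == channel and v == value:
            return t
    return None


def deadline_met(log, trigger, action, deadline_ms):
    """True when `action` (channel, value) is recorded no later than
    `deadline_ms` after the first occurrence of `trigger` (channel, value).
    A missing trigger or missing action is a fail, never a silent pass."""
    t0 = first_time(log, *trigger)
    if t0 is None:
        return False
    t1 = first_time(log, *action, after_ms=t0)
    return t1 is not None and t1 - t0 <= deadline_ms


def channel_values(log, channel):
    return [v for _, ch, v in _ordered(log) if ch == channel]


def steady_state_within(log, channel, setpoint, tol, window):
    """All of the last `window` samples on `channel` lie within +/-tol of setpoint."""
    vals = channel_values(log, channel)
    return len(vals) >= window and all(abs(v - setpoint) <= tol for v in vals[-window:])


def always_within(log, channel, lo, hi):
    """Every sample on `channel` lies in [lo, hi]; an empty channel is a fail."""
    vals = channel_values(log, channel)
    return bool(vals) and all(lo <= v <= hi for v in vals)


def span_ms(log, channel):
    """Time covered by the samples on `channel` (0 when there are none)."""
    ts = [t for t, ch, _ in log if ch == channel]
    return max(ts) - min(ts) if ts else 0


# VER-REQ-018: 25->75% load step applied at t=0; 1500 RPM setpoint assumed.
VER_018_LOG = [(0, "speed_rpm", 1500.0), (200, "speed_rpm", 1462.0),
               (400, "speed_rpm", 1478.0), (600, "speed_rpm", 1494.0),
               (800, "speed_rpm", 1504.0), (1000, "speed_rpm", 1498.0),
               (1200, "speed_rpm", 1501.0), (1400, "speed_rpm", 1499.5),
               (1600, "speed_rpm", 1500.5)]

# VER-REQ-019: GPR watchdog interrupt, MGCB trip, generator de-energised.
VER_019_LOG = [(0, "gpr_watchdog", "interrupt"), (140, "mgcb", "trip"),
               (190, "gen_energised", False)]

# VER-REQ-020: governor watchdog interrupt, fuel rack to 0%, engine stopped.
VER_020_LOG = [(0, "gov_watchdog", "interrupt"), (60, "fuel_rack_pct", 0.0),
               (900, "engine_running", False)]

# VER-REQ-021: 2-hour battery test, bus voltage sampled every 30 minutes.
VER_021_LOG = [(0, "bus_vdc", 27.6), (1_800_000, "bus_vdc", 26.1),
               (3_600_000, "bus_vdc", 25.2), (5_400_000, "bus_vdc", 24.4),
               (7_200_000, "bus_vdc", 23.8)]


def evaluate(ver_018=VER_018_LOG, ver_019=VER_019_LOG,
             ver_020=VER_020_LOG, ver_021=VER_021_LOG):
    """Pass/fail per VER entry; every criterion in the entry must hold."""
    return {
        "VER-REQ-018": steady_state_within(ver_018, "speed_rpm", 1500.0, 7.5, 5),
        "VER-REQ-019": deadline_met(ver_019, ("gpr_watchdog", "interrupt"), ("mgcb", "trip"), 500)
                       and first_time(ver_019, "gen_energised", False) is not None,
        "VER-REQ-020": deadline_met(ver_020, ("gov_watchdog", "interrupt"), ("fuel_rack_pct", 0.0), 100)
                       and first_time(ver_020, "engine_running", False) is not None,
        "VER-REQ-021": always_within(ver_021, "bus_vdc", 22.0, 28.0)
                       and span_ms(ver_021, "bus_vdc") >= 2 * 3_600_000,
    }


if __name__ == "__main__":
    for ver, passed in evaluate().items():
        print(ver, "PASS" if passed else "FAIL")
```

The fail-safe checks deliberately treat an absent trigger or an absent action as a failure: a log that never records the MGCB trip must not pass VER-REQ-019 just because no deadline was visibly exceeded.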

VER coverage moved from 14/34 (41%) to 21/38 (55%), clearing the 50% floor. Project totals: 79 requirements, 64 trace links, 7 diagrams. Baseline DECOMP-2026-03-26 created.
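The three quality signals this session acted on (the orphan in the ARC layer, the SYS→SUB decomposition gaps, and the SUB→VER coverage ratio against the 50% floor) are all computable from the requirement ids and their trace links. The block below is an added example, not Substrate's own lint code, that derives them from a trace-link table. Requirement ids are taken from the session text; the subset of links, the VER→SUB allocations and the relation names "decomposes", "derives" and "verifies" are assumptions made so that the example runs stand-alone.

```python
"""Trace-link lint for a requirements tree: orphans, SYS->SUB decomposition
coverage and SUB->VER verification coverage against a floor (added example;
ids from the session text, link subset and VER allocations assumed)."""

# Constructed subset of the 79 requirements; the layer is the id prefix.
REQUIREMENTS = [
    "SYS-REQ-001", "SYS-REQ-003", "SYS-REQ-006", "SYS-REQ-007", "SYS-REQ-008", "SYS-REQ-010",
    "SUB-REQ-006", "SUB-REQ-026", "SUB-REQ-027", "SUB-REQ-028", "SUB-REQ-029",
    "ARC-REQ-003",
    "VER-REQ-016", "VER-REQ-018", "VER-REQ-021",
]

# Constructed trace links as (source, relation, target). The SUB->SYS
# decompositions follow the session text; the VER->SUB allocations are assumed.
# SYS-REQ-001's own SUB decompositions are omitted from this subset.
TRACE_LINKS = [
    ("SUB-REQ-026", "decomposes", "SYS-REQ-003"),
    ("SUB-REQ-027", "decomposes", "SYS-REQ-006"),
    ("SUB-REQ-028", "decomposes", "SYS-REQ-008"),
    ("SUB-REQ-029", "decomposes", "SYS-REQ-010"),
    ("SUB-REQ-006", "decomposes", "SYS-REQ-007"),
    ("VER-REQ-016", "verifies", "SUB-REQ-026"),  # assumed allocation
    ("VER-REQ-021", "verifies", "SUB-REQ-026"),  # assumed allocation
    ("VER-REQ-018", "verifies", "SUB-REQ-006"),  # assumed allocation
]

# The derives link the session added to clear the ARC-REQ-003 orphan.
ORPHAN_FIX = ("ARC-REQ-003", "derives", "SYS-REQ-001")

COVERAGE_FLOOR = 0.50


def layer(req_id):
    """Layer prefix of a requirement id, e.g. 'SUB' for 'SUB-REQ-026'."""
    return req_id.split("-", 1)[0]


def orphans(requirements, links):
    """Requirements that appear at neither end of any trace link."""
    linked = {s for s, _, _ in links} | {t for _, _, t in links}
    return sorted(r for r in requirements if r not in linked)


def uncovered(requirements, links, covered_layer, relation, covering_layer):
    """Requirements in `covered_layer` with no incoming `relation` link from
    `covering_layer` (e.g. SUB requirements with no VER entry)."""
    targets = {t for s, rel, t in links
               if rel == relation and layer(s) == covering_layer}
    return sorted(r for r in requirements
                  if layer(r) == covered_layer and r not in targets)


def coverage(requirements, links, covered_layer, relation, covering_layer):
    """(covered, total) for `covered_layer`; a requirement counts as covered
    when at least one `relation` link from `covering_layer` points at it."""
    total = [r for r in requirements if layer(r) == covered_layer]
    missing = uncovered(requirements, links, covered_layer, relation, covering_layer)
    return len(total) - len(missing), len(total)


def lint_report(requirements, links, floor=COVERAGE_FLOOR):
    """Orphans plus the two coverage ratios the session tracks."""
    sys_sub = coverage(requirements, links, "SYS", "decomposes", "SUB")
    sub_ver = coverage(requirements, links, "SUB", "verifies", "VER")
    ratio = sub_ver[0] / sub_ver[1] if sub_ver[1] else 0.0
    return {
        "orphans": orphans(requirements, links),
        "sys_to_sub": sys_sub,
        "sys_without_sub": uncovered(requirements, links, "SYS", "decomposes", "SUB"),
        "sub_to_ver": sub_ver,
        "sub_to_ver_ratio": round(ratio, 3),
        "floor_met": ratio >= floor,
        "sub_without_ver": uncovered(requirements, links, "SUB", "verifies", "VER"),
    }


if __name__ == "__main__":
    before = lint_report(REQUIREMENTS, TRACE_LINKS)
    after = lint_report(REQUIREMENTS, TRACE_LINKS + [ORPHAN_FIX])
    print("orphans before fix:", before["orphans"])
    print("orphans after fix: ", after["orphans"])
    print("SUB->VER coverage:", after["sub_to_ver"], "floor met:", after["floor_met"])
    print("SUB without VER:", after["sub_without_ver"])
```

Coverage is counted per requirement, not per link, so two VER entries against the same SUB requirement (as with the two assumed allocations to SUB-REQ-026) raise the covered count by one; that is why the covered total and the number of VER entries added in a session need not move in step.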

Next

The remaining unaddressed lint categories are coverage gap assertions for stakeholder role names (“site operator”, “operations team”) that do not map to real SUB components — these are false positives from concept extraction and should be acknowledged as a batch in the next QC pass. The 19 SUB requirements still without VER entries (SUB-REQ-004 through SUB-REQ-014, SUB-REQ-017, SUB-REQ-018, SUB-REQ-021 through SUB-REQ-024) are the primary residual for the next session, with priority on the SIL-3 Engine Control Panel shutdown (SUB-REQ-004) and the VSMU dual-channel voltage sensing (SUB-REQ-014) — both on the live-bus safety path.
