EDG UK Nuclear: Orphan Trace Links Closed and Redundancy Requirements Added
System
The {{entity:Emergency Diesel Generator System for UK Nuclear Licensed Site}} project (se-emergency-diesel-generator-for-a-uk-nuclear-licensed-site) had all 7 subsystems marked complete but carried 18 orphaned requirements and 36 lint findings (3 high, 33 medium) at session entry. This session is a gap-closure pass: establishing missing trace links, creating requirements for engineering gaps flagged by lint, and reclassifying three entities whose ontological profiles were inconsistent with their physical nature.
Entry state: 127 requirements, 94 trace links, 18 orphans. Exit state: 141 requirements, 125 trace links, 4 orphans (ARC records only).
Decomposition
The existing 7 subsystems have complete component decompositions (38 components, 50 SUB requirements, 20 IFC requirements). This session’s work focused on the requirements linkage layer rather than decomposition of new components.
The Starting and Control Subsystem internal architecture illustrates the control chain from LOOP detection through to engine start:
flowchart TB
n0["component Automatic Load Controller"]
n1["component Engine Control Panel"]
n2["component Compressed Air Starting System"]
n3["component Isochronous Governor System"]
n4["external Class 1E Safety Bus"]
n5["external Diesel Engine"]
n4 -->|LOOP detection voltage/freq| n0
n0 -->|Start demand hardwired 24VDC| n1
n1 -->|Air start valve open signal| n2
n2 -->|30 bar cranking air| n5
n5 -->|Speed feedback dual MPU| n3
n3 -->|Fuel rack position| n5
n1 -->|Speed setpoint / trip| n3
Analysis
Trace link gaps. Fourteen orphaned requirements in the SUB and IFC documents had no trace links to their parent SYS requirements. Most were from later decomposition sessions (590, 591) where requirements were created but the traces were not followed through. The primary patterns: SYS-REQ-004 (safety trip) had no links to the PTLU fault detection, local alarm first-out, coolant alarm, stator thermal, and bearing thermal requirements it drives; SYS-REQ-002 (168h sustained operation) had no links to radiator capacity, fuel filtration, fuel temperature, JW pump interface, and fuel transfer interface requirements. All 14 were linked this session.
Redundancy gaps. Three {{trait:System-Essential}} components — {{entity:Isochronous Governor System}}, {{entity:Fuel Transfer Pump Set}}, and the {{entity:Cooling System}} pump arrangement — had no redundancy or failover requirements despite their System-Essential ontological classification. The {{entity:Fuel Injection System}} had no injection timing accuracy or single-injector fault tolerance requirement. Four new requirements (SUB-REQ-051 through SUB-REQ-054) address these, each with corresponding VER fault-injection tests. Governor dual-channel architecture ({{sub:SUB-REQ-051}}) is sized to ±3% speed deviation on single-sensor loss, bounding frequency excursion within load protection relay settings.
Regulatory compliance gaps. The {{entity:Generator Protection Relay}} ({{trait:Institutionally Defined}}) had no IEC 60255 standards reference; the {{entity:Main Generator Circuit Breaker}} ({{trait:Regulated}}) had no BS EN 62271-100 compliance requirement; the {{entity:Fuel Oil System}} ({{trait:Regulated}}) had no environmental bunding requirement under the Environmental Permitting Regulations 2016. Requirements SUB-REQ-055, {{sub:SUB-REQ-056}}, and {{sub:SUB-REQ-057}} close these gaps with appropriate type-test, certification, and containment specifications.
Ontological reclassifications. Three entities were reclassified with richer physical context to resolve high-severity lint findings: cooling system D6D51018 → {{hex:DED51008}} (Physical Object now set), fuel oil system D6851018 → {{hex:DE851018}}, and automatic load controller 51F77018 → {{hex:D7F77018}}. The remaining “local alarm” high-severity finding is a concept-extraction mismatch — the SE namespace entity {{entity:Local Alarm and Indication Panel}} ({{hex:D6EC5018}}) already carries Physical Object; the lint is matching against a shorter global entity. Acknowledged as LINT_ACKNOWLEDGED.
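The two lint checks described above (orphan detection in the derivation chain, and System-Essential components lacking a redundancy requirement) as an added illustration in Python; this is not the project's own lint tooling, and every requirement id, component, trait and trace link in the sample data is constructed for the example. It assumes a record's document is the prefix of its id (SUB-REQ-051 belongs to SUB) and that ARC records are exempt, as the session treats them.

```python
"""Orphan-trace and redundancy-gap checks over a small constructed dataset
(added example, not the project's lint implementation)."""

# Documents whose records sit in the derivation chain and therefore need a
# parent trace. ARC records are architecture decision records and are exempt.
TRACED_DOCS = {"SYS", "SUB", "IFC"}


def doc_of(req_id):
    """'SUB-REQ-051' -> 'SUB' (assumes document prefix is the first token)."""
    return req_id.split("-", 1)[0]


def find_orphans(requirements, trace_links):
    """Return sorted ids of traced-document requirements with no parent link.
    trace_links is a list of (child_id, parent_id) pairs."""
    children_with_parent = {child for child, _parent in trace_links}
    return sorted(r for r in requirements
                  if doc_of(r) in TRACED_DOCS and r not in children_with_parent)


def redundancy_gaps(components, reqs_by_component):
    """Flag System-Essential components that own no redundancy/failover
    requirement. components: {name: set(traits)};
    reqs_by_component: {name: [{'id': ..., 'kind': ...}, ...]}."""
    findings = []
    for name, traits in components.items():
        if "System-Essential" not in traits:
            continue
        if not any(r["kind"] == "redundancy" for r in reqs_by_component.get(name, [])):
            findings.append({"component": name, "severity": "medium",
                             "finding": "System-Essential component without redundancy requirement"})
    return findings


# Constructed sample: two SUB/IFC records lack a parent trace, one ARC record
# is untraced but exempt, and one System-Essential component has no redundancy requirement.
SAMPLE_REQS = ["SYS-REQ-005", "SUB-REQ-010", "SUB-REQ-051", "IFC-REQ-003", "ARC-REQ-004"]
SAMPLE_LINKS = [("SYS-REQ-005", "STK-REQ-001"), ("SUB-REQ-051", "SYS-REQ-005")]
SAMPLE_COMPONENTS = {"Isochronous Governor System": {"System-Essential"},
                     "Fuel Transfer Pump Set": {"System-Essential"},
                     "Engine Control Panel": set()}
SAMPLE_REQS_BY_COMPONENT = {"Isochronous Governor System": [{"id": "SUB-REQ-051", "kind": "redundancy"}],
                            "Fuel Transfer Pump Set": [{"id": "SUB-REQ-010", "kind": "capacity"}]}

if __name__ == "__main__":
    print(find_orphans(SAMPLE_REQS, SAMPLE_LINKS))
    print(redundancy_gaps(SAMPLE_COMPONENTS, SAMPLE_REQS_BY_COMPONENT))
```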
Requirements
Key additions this session:
- {{sub:SUB-REQ-051}} — Isochronous Governor System dual-channel speed-sensing with no-trip-on-single-failure and 2-second alarm annunciation. Derives from {{sys:SYS-REQ-005}} (PFD budget). Verified by fault-injection test {{sub:VER-REQ-035}}.
- {{sub:SUB-REQ-053}} — Fuel Transfer Pump duty/standby architecture with 30-second automatic changeover on discharge pressure loss. Derives from {{sys:SYS-REQ-005}}. Verified by pump-failure simulation test {{sub:VER-REQ-036}}.
- {{sub:SUB-REQ-054}} — Cooling System degraded-mode operability at 75% load through single pump failure, with pump failure alarm within 10 seconds. Derives from {{sys:SYS-REQ-002}}.
- {{sub:SUB-REQ-059}} — Starting and Control test mode with load bank and key-switch interlock, preventing live safety bus connection during test. Derives from {{sys:SYS-REQ-009}}. Verified by operational demonstration {{sub:VER-REQ-038}}.
- {{sub:SUB-REQ-060}} — Per-subsystem isolation point architecture enabling independent maintenance within 60 minutes preparation time. Derives from {{sys:SYS-REQ-010}}, closing the {{stk:STK-REQ-006}} maintenance team flowdown gap.
Trace links for all orphaned requirements established. All new requirements carry rationale and verification method.
Next
The 4 remaining orphans are ARC-REQ-004 through ARC-REQ-007 (architecture decision records for M&I, Cooling, Fuel Oil, and Alternator subsystems) — these are documentation artefacts, not requirements in the derivation chain, and do not warrant trace links. The 29 medium-severity lint findings still present are predominantly additional coverage gap flags for SYS concepts not yet fully decomposed at subsystem level (seismic qualification, EMC environment, spare parts maintainability) and additional System-Essential components. A dedicated QC pass (Flow C) should address these residuals — the project is approaching readiness for validation.