Nuclear EDG validation: degraded mode gap closed

System

{{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} for UK nuclear sites, 176 requirements across six documents. Validation session scope: bottom-up verification adequacy audit (sampled 10 VER requirements), top-down scenario walkthrough (six ConOps scenarios), operating mode coverage (seven modes), and safety argument audit (ten hazards, {{trait:Safety Integrity Level}} 2-4).

Verification Audit

Sampled 10 VER requirements spanning {{trait:Safety Integrity Level}} 2-4 and multiple subsystems. All sampled verifications adequate:

  • {{ver:VER-REQ-016}} ({{sub:SUB-REQ-001}} {{trait:Safety Integrity Level}}-3 LOOP detection): Test with 10 consecutive trials and 24-hour spurious-start observation — quantified pass criteria (200ms), statistical confidence, and safety margin check. Adequate.
  • {{ver:VER-REQ-066}} ({{sys:SYS-REQ-011}} {{trait:Safety Integrity Level}}-4 common-cause architecture): Analysis demonstrating physical/electrical separation, diverse AC supply, 8-hour DC coping, and passive decay heat removal per IEC 61508-2 HFT=1. Appropriate verification method for architectural constraint that cannot be functionally tested. Adequate.
  • {{ver:VER-REQ-032}} ({{sub:SUB-REQ-049}} brushless excitation build-up): Test measuring voltage build-up time from PMG-only cold start with overshoot limit. Quantified criteria (3s, <10% overshoot), repeatability (×3 trials). Adequate.

No inadequate verifications identified. All {{trait:Safety Integrity Level}}-3 requirements use Test verification (not Analysis). Performance requirements have quantified acceptance criteria.

Scenario Validation

Walked LOOP Response scenario end-to-end (most critical ConOps scenario): {{entity:Control Room Operator}} detects LOOP at 02:30, both trains auto-start, load sequencing completes in 60 seconds. Trace chain: {{stk:STK-REQ-001}} (qualified emergency AC standby power) → {{sys:SYS-REQ-003}} (auto-start within 500ms), {{sys:SYS-REQ-001}} (rated V/Hz in 10s), {{sys:SYS-REQ-007}} (load sequencing) → {{sub:SUB-REQ-001}} (ALC LOOP detection in 200ms), {{sub:SUB-REQ-002}} (compressed air starting), {{sub:SUB-REQ-012}} (bus transfer in 150ms) → {{ver:VER-REQ-016}}, {{ver:VER-REQ-017}}, {{ver:VER-REQ-008}}. Chain complete and verified.

Station Blackout scenario (common-cause loss of both EDGs): Covered by {{sys:SYS-REQ-011}} (diverse AC, 8-hour DC batteries, passive cooling per {{trait:Safety Integrity Level}}-4 HFT=1 architectural constraints) and {{ver:VER-REQ-066}} (safety analysis). Adequate.

Mode Coverage

Operating modes checked against requirements:

  • Standby Ready: Covered ({{sub:SUB-REQ-023}} pre-heat, multiple readiness requirements)
  • Emergency Start: Covered ({{sys:SYS-REQ-003}}, {{sub:SUB-REQ-001}}, {{sub:SUB-REQ-002}})
  • Running Loaded: Covered ({{sys:SYS-REQ-002}} 168h endurance, {{sys:SYS-REQ-007}} load sequencing)
  • Cooldown Shutdown: Covered ({{sub:SUB-REQ-004}} controlled shutdown)
  • Surveillance Test: Covered ({{sys:SYS-REQ-009}} 30-min full-load test, {{sub:SUB-REQ-059}} test mode)
  • Maintenance Out-of-Service: Covered ({{sys:SYS-REQ-010}} maintainability, {{sub:SUB-REQ-029}} LOTO isolation)
  • Degraded Operation: GAP — mode defined in ConOps (“Fault detected while running, reduced capability”) but no system requirement specifying degraded mode performance.

Safety Argument

For each {{trait:Safety Integrity Level}}-3/4 hazard, checked trace chain from hazard → SYS → SUB/IFC → VER:

  • H-001 (Failure to start on demand, {{trait:Safety Integrity Level}}-3): {{sys:SYS-REQ-001}}/003/005 (10s start, auto-start, PFD ≤1×10⁻³) → {{sub:SUB-REQ-001}}/002 (LOOP detection, compressed air starting) → {{ver:VER-REQ-016}}/017 (10-trial test, air capacity test). Chain complete.
  • H-002 (Loss of output during operation, {{trait:Safety Integrity Level}}-3): {{sys:SYS-REQ-002}}/004 (168h endurance, safety trip in 5s) → multiple SUB requirements (cooling, fuel, protection) → multiple VER requirements. Chain complete.
  • H-007 (Common cause failure, {{trait:Safety Integrity Level}}-4): {{sys:SYS-REQ-011}} (diverse AC, 8h DC, passive cooling, HFT=1) → {{ver:VER-REQ-066}} (safety analysis). Chain complete. Safe state reachable (DC batteries + passive decay heat removal function without EDG).

All safety-critical requirements have Test or Analysis verification. No {{trait:Safety Integrity Level}}-rated requirements verified by Inspection alone.

Gaps Closed

Added {{sys:SYS-REQ-012}} (new requirement, assigned to system-requirements document but received auto-generated REF due to CLI limitation): “When one or more EDG subsystems experience a fault that does not trigger a safety trip, the EDG system SHALL continue to operate in degraded mode, maintaining a minimum electrical output of 60% rated power and frequency stability within 50Hz ±2% for a minimum of 2 hours, while annunciating the degraded condition to the control room.”

Rationale: Quantified minimum performance (60% power = sufficient for priority safety loads, excluding non-essential loads). 2-hour minimum provides time for operator diagnosis and load transfer to alternate EDG. Frequency tolerance relaxed from ±1% to ±2% (acceptable for Class 1E motors/inverters). Addresses ConOps scenario “EDG Trip During Extended LOOP” where cooling fan belt failure causes degraded operation but not immediate trip. Tagged {{trait:Safety Integrity Level}}-2.
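The mode-coverage and trace-chain checks above, written as a script over a constructed subset of the EDG requirement graph (an added example, not the project's own tooling or data). It reports modes with no requirement, hazards whose chain never reaches a VER, requirements that are unverified, and verification-method mismatches under the report's own rules (SIL-3 needs Test; SIL-rated must not rely on Inspection alone). Pairwise edges and the SIL tag on VER-REQ-008 are assumptions where the report only lists chains collectively; SYS-REQ-012 is entered with no VER because the report lists none, so the script flags it as still unverified.

```python
# Constructed subset of the EDG trace graph, transcribed from the report above.
# Pairwise edges are an assumption where the report lists a chain collectively
# (e.g. SYS-REQ-001/003 -> SUB-REQ-001/002 -> VER-REQ-016/017).
LINKS = {
    "STK-REQ-001": ["SYS-REQ-001", "SYS-REQ-003", "SYS-REQ-007"],
    "SYS-REQ-001": ["SUB-REQ-002"], "SYS-REQ-003": ["SUB-REQ-001"],
    "SYS-REQ-007": ["SUB-REQ-012"], "SYS-REQ-011": ["VER-REQ-066"],
    "SUB-REQ-001": ["VER-REQ-016"], "SUB-REQ-002": ["VER-REQ-017"],
    "SUB-REQ-012": ["VER-REQ-008"],
    "SYS-REQ-012": [],  # new degraded-mode requirement; the report lists no VER for it
}
# (method, SIL) of each VER node; the SIL tag on VER-REQ-008 is assumed.
VER_METHOD = {"VER-REQ-016": ("Test", 3), "VER-REQ-017": ("Test", 3),
              "VER-REQ-008": ("Test", 3), "VER-REQ-066": ("Analysis", 4)}
HAZARDS = {"H-001": ["SYS-REQ-001", "SYS-REQ-003"], "H-007": ["SYS-REQ-011"]}
MODES = {"Emergency Start": ["SYS-REQ-003", "SUB-REQ-001", "SUB-REQ-002"],
         "Degraded Operation": []}  # the gap the mode coverage check found


def reaches_ver(req, links, seen=None):
    """True if some trace path from req terminates at a VER-REQ node."""
    if req.startswith("VER-REQ-"):
        return True
    seen = set() if seen is None else seen
    if req in seen:  # guard against cyclic links in a bad export
        return False
    seen.add(req)
    return any(reaches_ver(child, links, seen) for child in links.get(req, []))

def method_mismatches(ver_method):
    """Report's rules: SIL-3 must be Test; SIL-rated must not be Inspection alone."""
    return sorted(v for v, (method, sil) in ver_method.items()
                  if (sil == 3 and method != "Test")
                  or (sil is not None and method == "Inspection"))

def audit(links, hazards, modes, ver_method):
    """Run every gap check the validation session performed; empty results mean PASS."""
    open_chain = {h: [r for r in reqs if not reaches_ver(r, links)]
                  for h, reqs in hazards.items()}
    return {
        "modes_without_requirements": [m for m, reqs in modes.items() if not reqs],
        "hazards_with_open_chain": {h: r for h, r in open_chain.items() if r},
        "unverified_requirements": sorted(r for r in links if not reaches_ver(r, links)),
        "method_mismatches": method_mismatches(ver_method),
    }

if __name__ == "__main__":
    for check, result in audit(LINKS, HAZARDS, MODES, VER_METHOD).items():
        print(f"{check}: {result}")
```

On the constructed data the only findings are the Degraded Operation mode gap and SYS-REQ-012 with no verification behind it.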

Verdict

PASS with qualification: All six ConOps scenarios covered, all ten hazards have complete trace chains to adequate verification, no verification method mismatches. One degraded mode gap identified and closed. System ready for final review session.

Context Diagram

flowchart TB
  n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
  n1["actor<br>DC Battery System"]
  n2["actor<br>Emergency AC Bus"]
  n3["actor<br>Plant Protection System"]
  n4["actor<br>Main Control Room"]
  n5["actor<br>National Grid"]
  n6["actor<br>Ultimate Heat Sink"]
  n7["actor<br>Fuel Supply"]
  n3 -->|Start/stop command| n0
  n1 -->|110V DC control power| n0
  n0 -->|6.6kV Class 1E power| n2
  n0 -->|Status and alarms| n4
  n5 -->|LOOP detection signal| n0
  n7 -->|Diesel fuel| n0
  n6 -->|Cooling water| n0