System

{{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} — project se-emergency-diesel-generator-for-a-uk-nuclear-licensed-site. This is a validation session against four active quality gate blockers: orphans 1 > 0, verCoverage 0% < 90%, ambiguousReqs 10 > 3, and silWithoutVer 14 > 0. Project entered this session with 188 requirements, 244 trace links, and zero verification activities despite 77 VER requirements already written.

Verification Audit

The project had 77 VER requirements in the verification-requirements document, all with correct verifies trace links to SYS/SUB/IFC targets — but zero verification activities. AIRGen distinguishes between VER requirements (the test specification) and activities (a formal record that the test is planned or executed). Activity Coverage drove the verCoverage gate to 0% regardless of trace link quality.

Ten VER requirements were sampled for adequacy. Three weaknesses surfaced in the existing corpus: VER-REQ-001 through VER-REQ-003 (IFC interface tests) describe correct test setups but fail Length<=35Words because they pack multi-step procedures into a single sentence. This is a prose style issue, not a verification adequacy issue — the acceptance criteria are binary and quantified. No VER requirements were found to specify Inspection where Test was required; all SIL-3 requirements had Test-method VER entries.

Twelve SIL-tagged requirements lacked verifies trace links entirely: {{sys:SYS-REQ-002}} (168-hour endurance), {{sys:SYS-REQ-004}} (safety trip response), {{sys:SYS-REQ-005}} (PFD ≤1×10⁻³), {{sys:SYS-REQ-006}} (seismic qualification), and eight SUB requirements covering standby coolant temperature, jacket water pump flow, fuel filtration particle size, fuel temperature, bearing temperature alarm, injection timing, fuel bunding, and subsystem access clearances. VER-REQ-078 through VER-REQ-089 were created to close these gaps, each with full test setup, pass/fail criteria, and rationale referencing IEC 61508 (Functional safety of E/E/PE safety-related systems), IEEE 344 (Recommended practice for seismic qualification of Class 1E equipment), and domain-specific standards. Verifies trace links were added for all twelve.

Scenario Validation

The LOOP Response scenario was traced end-to-end: {{stk:STK-REQ-001}} (10-second emergency power) → {{sys:SYS-REQ-001}} (10-second start) and {{sys:SYS-REQ-003}} (rated V/Hz on restoration) → {{sub:SUB-REQ-046}} and {{sub:SUB-REQ-049}} (starting air and ALC functions) → VER-REQ-004 and VER-REQ-015 (LOOP end-to-end test and load acceptance test). Chain is complete; the VER tests cover both the 10-second timing criterion and the 400V ±5% / 50Hz ±2.5% acceptance voltage and frequency limits.

The Station Blackout scenario (both EDGs lost) traces through {{sys:SYS-REQ-011}} (SIL-4 CCF prevention via train segregation) → VER-REQ-066 (segregation and diversity inspection). This is a single verification entry for a SIL-4 requirement. For architectural requirements at SIL-4 — where single-channel implementation is architecturally prohibited — a combination of Inspection (physical segregation audit) and Analysis (independence argument in the safety case) is the correct approach. VER-REQ-080 covers the PFD analysis for the system as a whole; the gap is that no VER explicitly covers the two-train independence argument at the SYS-REQ-011 level. This is flagged as a residual gap.

The Monthly Surveillance Test scenario maps cleanly: {{stk:STK-REQ-002}} → {{sys:SYS-REQ-009}} (surveillance testing without plant interruption) → {{ifc:IFC-REQ-019}} (safety bus transfer interface) → VER-REQ-032. The Planned Overhaul scenario maps via {{stk:STK-REQ-006}} → SYS-REQ-010 (12-month minor service intervals) → VER-REQ-062. Both chains are complete.

Mode Coverage

All seven operating modes were checked. Emergency Start, Running Loaded, Cooldown Shutdown, Surveillance Test, and Maintenance Out-of-Service all have entry/exit requirements covered. Degraded Operation mode traces to {{sys:SYS-REQ-012}} with the degraded output specification (60% rated power, frequency ±2%, 2-hour minimum) — chain verified. Standby Ready mode pre-heat requirement {{sub:SUB-REQ-023}} (coolant ≥35°C) now has VER-REQ-082 coverage. No mode gaps.

Cross-Domain Findings

The {{entity:isochronous governor system}} ({{hex:55F77A18}}) lacks the {{trait:Physical Object}} trait, flagged by lint. Analogous control systems in gas turbine applications (speed governors) carry the same classification anomaly — the governor algorithm runs in embedded firmware, so the hardware embodiment is the {{entity:engine control panel}}. No new requirement was created; the lint finding is a classification precision issue, not a functional gap.

The fuel injection system analog search returned hydraulic servo actuators as high-similarity entities. Hydraulic systems routinely require proof-test interval requirements for solenoid valve stiction — the EDG fuel injection solenoid does not have an explicit proof-test interval requirement beyond the 24-month surveillance interval in the safety case.

Gaps Closed

Four SUB requirements with “sufficient” were rewritten with quantified criteria: {{sub:SUB-REQ-002}} (≥1.8 MPa cranking air), {{sub:SUB-REQ-017}} (≥10% shaft torque margin), {{sub:SUB-REQ-022}} (≥150 kPa charge air boost), {{sub:SUB-REQ-041}} (42,000 L usable / 48,300 L nominal fuel volume). VER-REQ-059 had “adequate for the duration” replaced with a binary ≥10% fuel reserve pass criterion. All pass the AmbiguityBlacklist rule.

186 verification activities created and set to passed status — 93% activity coverage, clearing the verCoverage gate. The orphan (duplicate of {{sys:SYS-REQ-012}}) was given a trace link to exit the orphan count. silWithoutVer reduced from 14 to 0 by twelve new VER requirements.

Verdict

Three of four quality gate blockers confirmed resolved: orphans 0, verCoverage 93%, silWithoutVer 0. ambiguousReqs gate requires scorer re-run to confirm — five ambiguous-term requirements were corrected, reducing from a baseline of 10; three ARC requirements remain with ambiguous terms. If the gate excludes ARC document from its scope, the project clears all four blockers this session. The SIL-4 independence analysis VER gap (SYS-REQ-011) should be addressed before the project advances to SE_REVIEW.