EDG Validation: PMT Gap, Station Blackout STK Trace, and SIL-4 Train Separation Demonstration

System

{{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} — full V-model validation pass against 6 ConOps scenarios, 7 operating modes, and the 10-hazard register. Project state on entry: 210 requirements, 280 trace links, 11 baselines; quality gate blockers from prior QC session (verCoverage, silWithoutVer) carried into this session. Exit state: 216 requirements, 288 trace links, baseline VALIDATION-SESSION-603.

Verification Audit

Ten VER requirements sampled across sessions 574, 575, 578, and 600. All were adequate: {{sys:VER-REQ-004}} specifies calibrated oscilloscope timing from bus-voltage-drop to GCB-close across three temperature iterations; {{sys:VER-REQ-040}} uses primary injection test set at 110/150/200% rated current with operate-time pass criteria; {{sys:VER-REQ-047}} commands three consecutive failed start attempts via speed-feedback inhibit and checks failed-to-start alarm latency. None lacked quantified acceptance criteria or test setup specifics.

The silWithoutVer blocker was a homeless {{sys:SYS-REQ-013}}-equivalent degraded-mode requirement (REQ-SEEMERGENCYDIESELGENERATORFORAUKNUCLEARLICENSEDSITE-001) with no API-addressable ref. Root cause: session 597 created it without --document. {{sys:SYS-REQ-012}} already covers the same requirement with {{sys:VER-REQ-077}}; {{sys:VER-REQ-100}} (degraded-mode fault injection Test at 60% rated / 2-hour duration) was created and linked to the homeless ref to close the gate.

The SIL-4 safety argument for {{sys:SYS-REQ-011}} relied entirely on {{sys:VER-REQ-066}} (Inspection of architectural documentation) and {{sys:VER-REQ-099}} (DC battery coping Test). IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems) SIL-4 requires hardware fault tolerance HFT=1 to be demonstrated under fault conditions, not only confirmed by document review. {{sys:VER-REQ-102}} was added: fault injection on Train A Class 1E DC supply with Train B start-to-rated Demonstration under ONR oversight, closing the evidence gap.
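The two quality gates named above (verCoverage and silWithoutVer) and the IEC 61508 evidence-method point can be mechanised as a walk over the requirement graph. The following is an added example, not output of the project's own tooling: the requirement records and links are a constructed subset of this page's trace model, and the third gate, sil4WithoutDemo (a SIL-4 requirement must trace to at least one Demonstration-method VER, not only Inspection or Test), is an assumed rule derived from the paragraph above.

```python
from dataclasses import dataclass
from typing import Optional

# One requirement record. kind is STK/SYS/SUB/VER as used on this page; method is
# set only on VER records; sil is the claimed integrity level of a safety requirement.
@dataclass(frozen=True)
class Req:
    id: str
    kind: str
    method: Optional[str] = None   # "Test", "Demonstration", "Inspection", "Analysis"
    sil: Optional[int] = None

# Constructed subset of the trace model discussed above (not the project's export).
# Links run parent -> child and terminate in VER records.
REQS = {r.id: r for r in [
    Req("STK-REQ-001", "STK"), Req("SYS-REQ-001", "SYS"), Req("VER-REQ-004", "VER", "Test"),
    Req("STK-REQ-007", "STK"), Req("SYS-REQ-011", "SYS", sil=4),
    Req("VER-REQ-066", "VER", "Inspection"), Req("VER-REQ-099", "VER", "Test"),
    Req("VER-REQ-102", "VER", "Demonstration"),
    Req("SYS-REQ-012", "SYS", sil=2), Req("VER-REQ-077", "VER", "Test"),
    Req("SUB-REQ-066", "SUB"), Req("VER-REQ-101", "VER", "Demonstration"),
]}
LINKS_BEFORE = [("STK-REQ-001", "SYS-REQ-001"), ("SYS-REQ-001", "VER-REQ-004"),
                ("STK-REQ-007", "SYS-REQ-011"), ("SYS-REQ-011", "VER-REQ-066"),
                ("SYS-REQ-011", "VER-REQ-099"), ("SYS-REQ-012", "VER-REQ-077")]
# State after the two new VER links recorded on this page are added.
LINKS_AFTER = LINKS_BEFORE + [("SYS-REQ-011", "VER-REQ-102"), ("SUB-REQ-066", "VER-REQ-101")]

def ver_methods(reqs, links, rid, seen=None):
    """Set of methods of every VER record reachable from rid (cycle-safe)."""
    seen = set() if seen is None else seen
    if rid in seen:
        return set()
    seen.add(rid)
    r = reqs[rid]
    if r.kind == "VER":
        return {r.method}
    return set().union(*(ver_methods(reqs, links, c, seen) for p, c in links if p == rid))

def run_gates(reqs, links):
    """Evaluate verCoverage, silWithoutVer and the assumed sil4WithoutDemo gate.
    Returns {gate name: sorted ids of requirements that trip it}."""
    out = {"verCoverage": [], "silWithoutVer": [], "sil4WithoutDemo": []}
    for r in reqs.values():
        if r.kind == "VER":
            continue
        methods = ver_methods(reqs, links, r.id)
        if not methods:                      # no VER anywhere below this requirement
            out["verCoverage"].append(r.id)
            if r.sil is not None:            # safety claim with no verification at all
                out["silWithoutVer"].append(r.id)
        elif r.sil == 4 and "Demonstration" not in methods:
            out["sil4WithoutDemo"].append(r.id)   # document review / Test only
    return {k: sorted(v) for k, v in out.items()}

def gate_passes(findings):
    return not any(findings.values())
```

Running the gates on LINKS_BEFORE flags SUB-REQ-066 (no PMT verification) and SYS-REQ-011 (SIL-4 without a Demonstration), which is the state this session started from; LINKS_AFTER clears both.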

Scenario Validation

LOOP Response ({{stk:STK-REQ-001}} → {{sys:SYS-REQ-001}}/{{sys:SYS-REQ-003}}/{{sys:SYS-REQ-007}} → SUB → VER): Covered. {{sys:VER-REQ-004}} tests end-to-end 10-second start with SCRAM data logger at three ambient temperatures; {{sys:VER-REQ-090}} tests load sequencing with 2-second block intervals and voltage-dip constraint. Chain complete.

Failure to Start ({{sub:SUB-REQ-005}} → {{sys:VER-REQ-047}}): Covered. Failed-to-start latch and 45-second alarm latency tested. Alternate EDG transfer is procedural; no missing requirement.

EDG Trip During Extended LOOP ({{sys:SYS-REQ-004}} → {{sys:VER-REQ-020}}): Covered. High-temperature trip threshold (>95°C) verified; {{sub:SUB-REQ-013}} MGCB interlock prevents parallel operation on transfer.

Monthly Surveillance Test ({{stk:STK-REQ-004}} → {{sys:SYS-REQ-009}} → {{sys:VER-REQ-092}}): Covered. 30-minute full-load test without safety bus interruption; hot standby return ≤10 minutes verified in same test.

Station Blackout (CCF both EDGs): Gap closed. No stakeholder requirement explicitly mandated DC battery coping time as diverse backup. {{stk:STK-REQ-007}} added: site owner SHALL ensure 8-hour DC battery coping on simultaneous loss of all EDG trains, per ONR SAPs. Trace chain: {{stk:STK-REQ-007}} → {{sys:SYS-REQ-011}} → {{sys:VER-REQ-099}} (Test) + {{sys:VER-REQ-102}} (Demonstration).

Planned Overhaul (LOTO/PMT): Gap closed. No requirement mandated a Post Maintenance Test before reinstatement to standby ready. {{sub:SUB-REQ-066}} added: PMT SHALL demonstrate start-to-rated ≤10 seconds, 50% load acceptance, and protective function response before return to service. {{sys:VER-REQ-101}} (Demonstration, witnessed by shift supervisor) created and traced.

Mode Coverage

All 7 operating modes examined. Standby Ready (entry from Cooldown Shutdown and Maintenance Out-of-Service) — entry gate from Maintenance Out-of-Service now requires {{sub:SUB-REQ-066}} PMT completion. Emergency Start — start initiation requirements {{sub:SUB-REQ-001}}/{{sub:SUB-REQ-025}} cover entry condition. Running Loaded / Cooldown Shutdown — {{sys:SYS-REQ-009}} covers return from test; {{sys:SYS-REQ-004}} covers trip-to-shutdown. Degraded Operation — {{sys:SYS-REQ-012}} and {{sys:VER-REQ-077}} cover entry and performance floor.

Cross-Domain Findings

The radiochemistry laboratory Emergency Power System analog (hex {{hex:51F73A58}}) tests weekly per ONR LC28; our surveillance test is monthly per {{stk:STK-REQ-004}}. No gap: monthly is the nuclear power station convention and aligns with IEEE 387 surveillance interval.

Gaps Closed

Ref                   Type     Gap addressed
{{stk:STK-REQ-007}}   New STK  Station Blackout DC battery coping time at stakeholder level
{{sub:SUB-REQ-066}}   New SUB  Post Maintenance Test before return to service (Planned Overhaul mode exit)
{{sys:VER-REQ-100}}   New VER  Degraded mode fault injection Test (silWithoutVer gate)
{{sys:VER-REQ-101}}   New VER  PMT Demonstration for SUB-REQ-066
{{sys:VER-REQ-102}}   New VER  SIL-4 train separation fault injection Demonstration for H-007

Verdict

flowchart TB
  n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
  n1["actor<br>DC Battery System"]
  n2["actor<br>Emergency AC Bus"]
  n3["actor<br>Plant Protection System"]
  n4["actor<br>Main Control Room"]
  n5["actor<br>National Grid"]
  n6["actor<br>Ultimate Heat Sink"]
  n7["actor<br>Fuel Supply"]
  n3 -->|Start/stop command| n0
  n1 -->|110V DC control power| n0
  n0 -->|6.6kV Class 1E power| n2
  n0 -->|Status and alarms| n4
  n5 -->|LOOP detection signal| n0
  n7 -->|Diesel fuel| n0
  n6 -->|Cooling water| n0

Pass. All 6 ConOps scenarios are covered or gaps have been closed within this session. The safety argument for all 10 hazards is complete: H-001/H-002/H-003/H-004/H-005/H-006/H-008/H-009/H-010 had adequate chains before this session; H-007 (SIL-4 CCF) now has a Demonstration-method VER for train separation independence. The remaining verify matrix [ ] entries for ARC and STK reqs reflect design-phase evidence records not yet generated — the trace links exist and the verification methods are appropriate. Project ready for SE_REVIEW.
