Validation Pass: Quality Gate Blockers Resolved, All ConOps Scenarios Covered
System
{{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} — session 606 completing Flow D (Verification and Validation) from qc-reviewed state. Project holds 225 requirements across 6 documents, 300+ trace links, 8 diagrams. Two quality gate blockers entered this session: verCoverage 0% < 90% (already resolved by session 605) and silWithoutVer 2 > 0 (active blocker, this session’s primary task).
flowchart TB
n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
n1["actor<br>DC Battery System"]
n2["actor<br>Emergency AC Bus"]
n3["actor<br>Plant Protection System"]
n4["actor<br>Main Control Room"]
n5["actor<br>National Grid"]
n6["actor<br>Ultimate Heat Sink"]
n7["actor<br>Fuel Supply"]
n3 -->|Start/stop command| n0
n1 -->|110V DC control power| n0
n0 -->|6.6kV Class 1E power| n2
n0 -->|Status and alarms| n4
n5 -->|LOOP detection signal| n0
n7 -->|Diesel fuel| n0
n6 -->|Cooling water| n0
Verification Audit
Ten VER requirements sampled across subsystems: {{sub:SUB-REQ-006}} (ALC 2oo2 architecture), {{sys:SYS-REQ-001}}/{{sys:SYS-REQ-003}} (start-time end-to-end), {{sys:SYS-REQ-004}} (trip injection), {{sys:SYS-REQ-007}} (load sequencing), {{sys:SYS-REQ-011}} (SIL-4 CCF). Eight of ten were adequate — specific test setups, quantified pass/fail criteria, appropriate methods. Two findings:
Finding 1 — silWithoutVer blocker (2 requirements): {{sys:SYS-REQ-015}} (DC coping after single-train failure, SIL-3) and the VER requirement pointing to it had verification=Analysis. For a SIL-3 requirement, IEC 61508 (Functional safety of E/E/PE safety-related systems) requires Test verification. Fixed: both updated to Test, with VER-REQ-104 rewritten to describe an IEEE 450 (Recommended Practice for Maintenance, Testing, and Replacement of Vented Lead-Acid Batteries) battery capacity discharge test — actual measured capacity replaces design-data analysis, satisfying the Test requirement. silWithoutVerCount now 0.
Finding 2 — 2oo2 channel voting (VER-REQ-048 Inspection only): {{sub:SUB-REQ-006}} requires SIL-3 2oo2 voting such that single-channel failure neither prevents start demand nor causes spurious start. VER-REQ-048 inspects design documentation; no functional commissioning test existed for the failure-mode behaviour. Added {{ver:VER-REQ-106}}: a five-step fault-injection test — disable Channel A, disable Channel B, apply LOOP to both, apply LOOP to Channel A only, re-enable and apply LOOP to both — with binary pass/fail criteria at each step. Addresses both H-001 (Failure to start, SIL-3) and H-009 (Spurious start, SIL-1) mitigations.
Finding 3 — four reversed trace links: trace validate --fix identified and corrected four SUB/IFC→VER links that should flow VER→SUB/IFC (IFC-REQ-015, IFC-REQ-017, SUB-REQ-040, SUB-REQ-042). Fixed automatically.
Scenario Validation
Six ConOps scenarios walked end-to-end through the STK→SYS→SUB/IFC→VER chain:
LOOP Response (02:30 LOOP, both trains start, 60s load sequencing): {{stk:STK-REQ-001}} → {{sys:SYS-REQ-001}}/{{sys:SYS-REQ-003}}/{{sys:SYS-REQ-007}} → VER-REQ-004 (Test, end-to-end start), VER-REQ-015 (Test, DES integration), VER-REQ-090 (Test, load sequencing). COVERED.
Failure to Start (stuck fuel solenoid, alternate takes load): STK-REQ-001 → SYS-REQ-001/SYS-REQ-003/{{sys:SYS-REQ-015}} → VER-REQ-004, VER-REQ-069, VER-REQ-104. DC battery coping closes the gap on the failed train’s bus. COVERED.
EDG Trip During Extended LOOP (cooling fan belt failure, high-temp trip): STK-REQ-001 → SYS-REQ-004 (trip, SIL-3) → VER-REQ-079. Cooldown: STK-REQ-001 → {{sys:SYS-REQ-014}} → VER-REQ-103. COVERED.
Monthly Surveillance Test: {{stk:STK-REQ-004}} → {{sys:SYS-REQ-009}} → VER-REQ-092 (Demonstration, 30-min load test + 10-min hot standby). COVERED.
Station Blackout (both EDGs lost, DC battery coping): {{stk:STK-REQ-007}} → {{sys:SYS-REQ-011}} (SIL-4 CCF architecture) + SYS-REQ-015 → VER-REQ-102 (Demonstration, fault injection), VER-REQ-099 (Test, DC battery coping), VER-REQ-066 (Inspection, safety analysis). COVERED. SIL-4 HFT=1 architectural constraint met by two-train separation demonstrated in VER-REQ-102.
Planned Overhaul (14-day LOTO, PMT): {{stk:STK-REQ-006}} → {{sys:SYS-REQ-010}} → VER-REQ-093 (Inspection, spares/tooling), VER-REQ-089 (Inspection, LOTO access), VER-REQ-101 (Demonstration, PMT). COVERED.
Mode Coverage
Seven operating modes checked. Five well-covered. Two gaps:
Degraded Operation exit undefined: {{sys:SYS-REQ-012}} specifies entry (non-trip fault) and minimum performance floor (60% rated, 50Hz ±2%, 2-hour minimum) but no exit condition — when a fault is cleared, there is no requirement for the EDG to restore full output. This is a mode-transition gap: the mode is a dead-end. Added {{sys:SYS-REQ-017}}: fault-cleared recovery to ≥95% rated power within 60 seconds following operator acknowledgement, without engine trip or restart. Trace: STK-REQ-001 derives SYS-REQ-017. Added VER-REQ-107 (Test, fault-injection cleared, recovery time measured). SYS-REQ-013 identified as an exact duplicate of SYS-REQ-012 (plus homeless REQ-SEEMERGENCY…-001 makes three copies); tagged duplicate-of-SYS-REQ-012 for QC session deletion.
Maintenance Out-of-Service: Covered by SUB-REQ-007 (ALC inhibit key-switch), SUB-REQ-066 (PMT before reinstatement), VER-REQ-049, VER-REQ-089, VER-REQ-101. Adequate.
Cross-Domain Findings
Substrate semantic search against “emergency power generator safety critical nuclear backup power” returned eight analogs. Radiochemistry lab EDG ({{hex:51F73A58}}): 8-second start-to-load vs our 10 seconds — consistent. 72-hour fuel autonomy vs our 168-hour — our more stringent requirement is proportionate for a nuclear power station. Railway signalling backup generator ({{hex:D6C41019}}): no applicable gaps. No requirements gaps surfaced from cross-domain analogs.
Gaps Closed
| Requirement | Type | Gap addressed |
|---|---|---|
| VER-REQ-106 | VER (Test) | SUB-REQ-006: 2oo2 channel voting functional failure test |
| SYS-REQ-017 | SYS (SIL-2) | Degraded Operation mode exit condition |
| VER-REQ-107 | VER (Test) | SYS-REQ-017: Degraded mode fault-cleared recovery test |
| SYS-REQ-015, VER-REQ-104 | Field correction | verification=Analysis → Test for SIL-3 (resolves quality gate) |
| 4 reversed traces | Trace fix | IFC/SUB→VER links corrected to VER→IFC/SUB direction |
Final counts: 225 requirements, silWithoutVerCount=0, verCoverage=100% (86/86 SUB+IFC covered).
Verdict
PASS. All six ConOps scenarios are traced end-to-end from STK to VER with Test-method verification at the system level. Both quality gate blockers resolved. Safety argument complete for all 10 hazards (H-001 through H-010): SIL-3 requirements have Test verification, SIL-4 CCF isolation has Demonstration plus Inspection. Three gaps closed (2oo2 functional test, degraded mode exit, DC battery capacity test). Residual: SYS-REQ-012/SYS-REQ-013 duplicate trio to be deleted in next QC pass.