SIL-4 Gap and Safe-State Holes in EDG Specification
System
Red team adversarial review of the {{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} decomposition. At entry: 226 requirements (66 SUB, 20 IFC, 16 SYS, 7 STK, 109 VER, 7 ARC), 306 trace links, 8 diagrams, 42 classified entities, 10 registered hazards. 35 lint findings at medium severity. The system has completed validation — this session stress-tests the specification before it is marked production-grade.
Adversarial Findings
SIL Gap (1 finding). Hazard H-007 (Common Cause Failure of both EDGs) is rated SIL-4 in the hazard register, but no requirement in the project carries a sil-4 tag. The highest SIL allocation on any requirement is SIL-3. {{sys:SYS-REQ-011}} addresses CCF architecturally but is tagged sil-3. IEC 61508 (Functional safety of E/E/PE safety-related systems) requires that a SIL-4 hazard be mitigated by requirements at SIL-4 or by a demonstrated architectural decomposition proving equivalent reliability — neither is present.
Missing Safe States (2 findings). 5 of 10 hazards lack a safe-state-tagged SUB requirement: H-002 (loss of output during operation), H-007 (CCF), H-008 (seismic damage), H-009 (spurious start/trip), H-010 (cyber attack). Findings tagged against {{sys:SYS-REQ-006}} and {{sys:SYS-REQ-016}}.
Untestable Requirements (3 findings). {{sys:SYS-REQ-005}} specifies PFD ≤ 1×10⁻³ but sets verification to Inspection — PFD is a probabilistic calculation requiring Analysis (fault tree per IEC 61508 Part 6), not document inspection. {{sub:SUB-REQ-027}} and {{sub:SUB-REQ-067}} are SIL-3 requirements verified by Inspection; SIL-3 functions under IEC 61508 require functional testing or rigorous analysis, not inspection alone.
Missing Failure Modes (4 findings). {{entity:cooling system}} has only 4 SUB requirements (vs 9.4 average), with no failure-mode requirement for the {{entity:Jacket Water Pump}} ({{sub:SUB-REQ-037}}) or {{entity:Radiator and Fan Assembly}} ({{sub:SUB-REQ-038}}). {{entity:alternator-subsystem}} has 5 SUB requirements with no failure-mode handling for AVR ({{sub:SUB-REQ-046}}) or brushless excitation ({{sub:SUB-REQ-049}}). Both subsystems serve safety functions.
Implausible Values (2 findings). A 500ms timing value appears across 16 requirements spanning overspeed trip, alarm annunciation, Modbus polling, relay response, and LOOP detection, functions with fundamentally different timing constraints. {{sub:SUB-REQ-034}} and {{sub:SUB-REQ-035}} are flagged as likely inheriting a default rather than carrying independently derived timing budgets.
Vague Interface (1 finding). {{ifc:IFC-REQ-019}} (crankshaft-to-generator coupling) specifies mechanical parameters but omits dynamic alignment tolerance, vibration transmissibility, and coupling service life — critical for a machine running 168-hour endurance cycles.
Proportion. Requirement density per subsystem ranges from 4 ({{entity:cooling system}}) to 12 ({{entity:diesel engine subsystem}}). Lint identified 7/15 {{trait:System-Essential}} components without redundancy/failover requirements. 18 STK/SYS concepts have no downstream decomposition.
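As an added illustration (not part of this review or the project's own tooling), a small Python lint that reproduces the SIL-gap, missing-safe-state and untestable-verification checks above over a constructed hazard register and requirement set. The per-hazard trace list (`mitigated_by`) and the `safe-state` plus `hazard:<ref>` tag scheme are assumptions about how the trace links and tags are stored.

```python
from dataclasses import dataclass

SIL = {"sil-1": 1, "sil-2": 2, "sil-3": 3, "sil-4": 4}

@dataclass
class Hazard:
    ref: str
    sil: int
    mitigated_by: tuple   # assumed: refs of requirements tracing to this hazard

@dataclass
class Req:
    ref: str
    kind: str             # SYS / SUB / IFC
    verification: str     # Inspection / Analysis / Test
    tags: frozenset = frozenset()
    text: str = ""

def sil_gaps(hazards, reqs):
    # hazard SIL higher than the best sil-N tag on any requirement tracing to it
    by_ref = {r.ref: r for r in reqs}
    out = []
    for h in hazards:
        top = max((SIL.get(t, 0) for ref in h.mitigated_by for t in by_ref[ref].tags), default=0)
        if top < h.sil:
            out.append((h.ref, h.sil, top))
    return out

def missing_safe_states(hazards, reqs):
    # assumed tag scheme: a SUB requirement tagged safe-state and hazard:<ref> implements that safe state
    covered = {t[7:] for r in reqs if r.kind == "SUB" and "safe-state" in r.tags
               for t in r.tags if t.startswith("hazard:")}
    return [h.ref for h in hazards if h.ref not in covered]

def untestable(reqs):
    # PFD targets and SIL-3+ functions cannot be closed out by document inspection alone
    return [r.ref for r in reqs if r.verification == "Inspection"
            and ("PFD" in r.text or any(SIL.get(t, 0) >= 3 for t in r.tags))]

# constructed sample mirroring the findings above (not the project's data)
HAZARDS = (Hazard("H-001", 2, ("SUB-REQ-001",)), Hazard("H-007", 4, ("SYS-REQ-011",)))
REQS = (
    Req("SYS-REQ-011", "SYS", "Analysis", frozenset({"sil-3"})),
    Req("SYS-REQ-005", "SYS", "Inspection", frozenset({"sil-3"}), text="PFD <= 1e-3"),
    Req("SUB-REQ-001", "SUB", "Test", frozenset({"sil-2", "safe-state", "hazard:H-001"})),
    Req("SUB-REQ-027", "SUB", "Inspection", frozenset({"sil-3"})),
)

def run_lint(hazards=HAZARDS, reqs=REQS):
    return {"sil_gap": sil_gaps(hazards, reqs),
            "missing_safe_state": missing_safe_states(hazards, reqs),
            "untestable": untestable(reqs)}
```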
```mermaid
flowchart TB
n0["Emergency Diesel Generator<br>for a UK Nuclear Licensed Site"]
n1["DC Battery System"]
n2["Emergency AC Bus"]
n3["Plant Protection System"]
n4["Main Control Room"]
n5["National Grid"]
n6["Ultimate Heat Sink"]
n7["Fuel Supply"]
n3 -->|Start/stop command| n0
n1 -->|110V DC control power| n0
n0 -->|6.6kV Class 1E power| n2
n0 -->|Status and alarms| n4
n5 -->|LOOP detection signal| n0
n7 -->|Diesel fuel| n0
n6 -->|Cooling water| n0
```
Flagged Requirements
| Ref | Category | Issue |
|---|---|---|
| {{sys:SYS-REQ-011}} | rt-sil-gap | H-007 is SIL-4 but requirement is SIL-3; no SIL-4 allocation exists |
| {{sys:SYS-REQ-005}} | rt-untestable | PFD ≤ 1×10⁻³ verified by Inspection; requires Analysis per IEC 61508 |
| {{sys:SYS-REQ-006}} | rt-missing-safe-state | Seismic hazard H-008 has no safe-state SUB requirement |
| {{sys:SYS-REQ-016}} | rt-missing-safe-state | Cyber hazard H-010 has no safe-state SUB requirement |
| {{sub:SUB-REQ-027}} | rt-untestable | SIL-3 seismic qualification verified by Inspection only |
| {{sub:SUB-REQ-067}} | rt-untestable | SIL-3 LOTO reinstatement verified by Inspection only |
| {{sub:SUB-REQ-037}} | rt-missing-failure-mode | Jacket Water Pump has no pump failure/degradation requirement |
| {{sub:SUB-REQ-038}} | rt-missing-failure-mode | Radiator assembly has no fan failure or fouling requirement |
| {{sub:SUB-REQ-046}} | rt-missing-failure-mode | AVR has no voltage regulator failure/fallback requirement |
| {{sub:SUB-REQ-049}} | rt-missing-failure-mode | Brushless excitation has no exciter failure requirement |
| {{sub:SUB-REQ-034}} | rt-implausible-value | 500ms Modbus timeout matches unrelated subsystem timing |
| {{sub:SUB-REQ-035}} | rt-implausible-value | 500ms alarm latency identical to safety trip timing |
| {{ifc:IFC-REQ-019}} | rt-vague-interface | Mechanical coupling lacks alignment tolerance and service life |
Domain Analogs Checked
| Analog | Source | Gaps Surfaced |
|---|---|---|
| {{entity:Safety Interlock and Trip System}} | Factory corpus | Confirms need for watchdog and self-test; present in spec |
| {{entity:Nuclear Reactor Protection System}} | Factory corpus | Suggests voting architecture for trip channels; partially present (2oo2 on start, absent on trip) |
| {{entity:Sequential Events Controller}} | Factory corpus | Suggests time-stamped event recording for post-incident analysis; absent from EDG requirements |
| {{entity:Diesel Fuel Supply Infrastructure}} | Factory corpus | Suggests fuel quality monitoring (water, particulate, microbial); only particulate filtration present |
Recommendations
- Resolve SIL-4 gap. Either create a SIL-4 requirement for H-007 CCF mitigation with architectural redundancy justification, or document in ARC why SIL-3 allocation per train is sufficient via IEC 61508 Part 6 architectural decomposition.
- Add safe-state requirements for H-002, H-007, H-008, H-009, H-010. Each hazard safe state is named in the register but has no implementing SUB requirement.
- Fix verification methods on SYS-REQ-005 (change to Analysis), SUB-REQ-027 and SUB-REQ-067 (add Test or Analysis alongside Inspection).
- Expand cooling system requirements: pump failure detection, fan motor failure, coolant leak detection, fouled radiator degradation.
- Expand alternator subsystem requirements: AVR failure fallback, exciter fault detection, bearing temperature trending.
- Justify or differentiate 500ms timing values — independent derivation for alarm annunciation vs safety trip vs communications polling.
- Add event sequence recording requirement (analog gap from Sequential Events Controller).
- Add fuel quality monitoring beyond particulate filtration (water content, microbial growth per BS EN 590).
Verdict
Informational. 13 findings: 1 rt-sil-gap (high), 3 rt-untestable (medium), 4 rt-missing-failure-mode (medium), 2 rt-missing-safe-state (high), 2 rt-implausible-value (low), 1 rt-vague-interface (low). The SIL-4 gap and missing safe-state coverage are the highest-priority items — they represent holes in the safety argument that would be identified during regulatory review. The specification is otherwise well-constructed with strong quantification, good EARS compliance, and thorough verification coverage.