EDG Specification Accepted — Complete Trace Chain From Stakeholder Needs to SIL-4 Verification
System
{{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} — final review and acceptance assessment. The specification enters review with 225 requirements across 6 documents (7 STK, 16 SYS, 66 SUB, 20 IFC, 7 ARC, 109 VER), 302 trace links, 8 block diagrams, and 42 classified entities in the {{hex:00840000}} system namespace. The system has passed through concept, scaffold, decomposition, QC, validation, and red-team phases across sessions 585–609.
Coherence
The seven-subsystem decomposition partitions the EDG cleanly: {{entity:Starting and Control}}, {{entity:Electrical Protection and Switchgear}}, {{entity:Diesel Engine}}, {{entity:Monitoring and Instrumentation}}, {{entity:Cooling System}}, {{entity:Fuel Oil System}}, and {{entity:Alternator Subsystem}}. Each subsystem has a dedicated architecture decision (ARC-REQ-001 through ARC-REQ-007) specifying component decomposition with UHT-classified entities. No functional overlap was found between subsystems. The trace chain tells a consistent story: stakeholder needs (nuclear safety, 7-day endurance, seismic qualification) flow through quantified system requirements to subsystem allocations. Architecture decisions are consistent — the hardwired safety trip philosophy (SYS-REQ-004) propagates correctly through the {{entity:Protective Trip Logic Unit}} ({{hex:D0F77858}}) and {{entity:Generator Protection Relay}} ({{hex:D5F77858}}) without contradicting the cyber isolation requirement ({{sys:SYS-REQ-016}}).
```mermaid
flowchart TB
n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
n1["actor<br>DC Battery System"]
n2["actor<br>Emergency AC Bus"]
n3["actor<br>Plant Protection System"]
n4["actor<br>Main Control Room"]
n5["actor<br>National Grid"]
n6["actor<br>Ultimate Heat Sink"]
n7["actor<br>Fuel Supply"]
n3 -->|Start/stop command| n0
n1 -->|110V DC control power| n0
n0 -->|6.6kV Class 1E power| n2
n0 -->|Status and alarms| n4
n5 -->|LOOP detection signal| n0
n7 -->|Diesel fuel| n0
n6 -->|Cooling water| n0
```
Completeness
All 7 STK requirements trace to at least one SYS requirement. All 16 SYS requirements trace to SUB or IFC requirements, with {{sys:SYS-REQ-012}} (degraded mode) now linked to {{sub:SUB-REQ-031}} and {{sub:SUB-REQ-039}}. All 6 ConOps scenarios confirmed covered by VALIDATION_FINDING facts: LOOP Response (STK-REQ-001 → VER-REQ-004 end-to-end), Failure to Start (SUB-REQ-005 → VER-REQ-047), EDG Trip During Extended LOOP (SUB-REQ-039 → VER-REQ-070/079), Monthly Surveillance (SYS-REQ-009 → VER-REQ-092), Station Blackout (STK-REQ-007 → SYS-REQ-011 → VER-REQ-099/102, SIL-4), and Planned Overhaul (SUB-REQ-066/067 → VER-REQ-101/109). Zero orphan requirements. Zero missing rationale or verification fields.
Acceptance Assessment
Procurement authority: Yes — every requirement uses EARS SHALL pattern with quantified acceptance criteria. A contractor could price and deliver against this specification. Performance budgets (10-second start, 415V ±6%, 50Hz ±1%, 168-hour endurance) are unambiguous. Test organisation: Yes — 109 VER requirements specify method (84 Test, 14 Inspection, 7 Demonstration, 4 Analysis) with measurable pass criteria. The verification matrix covers all SUB and IFC requirements. Safety authority: Yes — SIL-3 PFD target ({{sys:SYS-REQ-005}}), SIL-4 CCF architecture ({{sys:SYS-REQ-011}}), hardwired safety trips independent of software ({{sys:SYS-REQ-004}}), and cyber air-gap isolation ({{sys:SYS-REQ-016}}) form a coherent safety argument traceable from hazard register through to verification. IEC 61508 (Functional safety of E/E/PE safety-related systems) and ONR Safety Assessment Principles are referenced throughout.
Per-Subsystem Summary
| Subsystem | SUB Reqs | IFC Reqs | Diagram | VER Coverage |
|---|---|---|---|---|
| Starting and Control | 11 | 7 | Yes | Complete |
| Diesel Engine | 12 | 3 | Yes | Complete |
| Fuel Oil System | 9 | 3 | Yes | Complete |
| Electrical Protection | 8 | 2 | Yes | Complete |
| Monitoring & Instrumentation | 8 | 2 | Yes | Complete |
| Alternator | 5 | 2 | Yes | Complete |
| Cooling System | 4 | 1 | Yes | Complete |
Cross-Domain Insights
Lint identified 15 high-Jaccard entity pairs. {{entity:Isochronous Governor System}} ({{hex:D5F73018}}) shares 84% traits with both {{entity:Generator Protection Relay}} and {{entity:Automatic Load Controller}} — all are {{trait:Powered}}, {{trait:Active}}, electromechanical control devices in safety-critical feedback loops. The similarity confirms the architecture’s consistent treatment of control components. 35 medium-severity lint findings remain, split between ontological mismatches (material property and redundancy requirements absent for 10 components) and coverage gaps (STK concept names not literally repeated in SYS/SUB text). These are appropriate residuals for concept-level specification — material properties and redundancy are detailed design concerns.
Corrections
Deleted homeless duplicate REQ-SEEMERGENCY…-001 (identical text to {{sys:SYS-REQ-012}}). Removed 4 stale trace links: 2 pointing to the deleted homeless requirement, 2 pointing to previously-deleted SYS-REQ-013. VER-REQ-100 retains its valid link to {{sys:SYS-REQ-012}}.
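The trace-chain checks behind the Completeness section and the stale-link clean-up described under Corrections, as an added example (not the review's own tooling). It assumes the layering STK → SYS → SUB/IFC → VER, treats STK and ARC as roots, and runs on a constructed miniature baseline whose ids follow the review's naming but whose links are invented.

```python
"""Layered trace-chain check for a requirements baseline (added example).

Reports the defect classes the review discusses: orphan requirements (no
live upstream), stale links to deleted requirements, and requirements with
no downstream coverage in the layer the completeness rule demands."""
from collections import defaultdict

# Layers a live requirement must trace down to (the review's completeness rule).
DOWNSTREAM = {"STK": {"SYS"}, "SYS": {"SUB", "IFC"}, "SUB": {"VER"}, "IFC": {"VER"}}
ROOTS = {"STK", "ARC"}  # layers that need no upstream link


def layer(req_id):
    return req_id.split("-", 1)[0]


def check_traces(requirements, links):
    """Return (orphans, stale_links, uncovered) for a set of live ids and a
    list of (upstream_id, downstream_id) trace links."""
    stale = [(u, d) for u, d in links if u not in requirements or d not in requirements]
    down, up = defaultdict(set), defaultdict(set)
    for u, d in links:
        if u in requirements and d in requirements:  # stale links carry no credit
            down[u].add(layer(d))
            up[d].add(u)
    orphans = sorted(r for r in requirements if layer(r) not in ROOTS and not up[r])
    uncovered = sorted(r for r in requirements
                       if layer(r) in DOWNSTREAM and not down[r] & DOWNSTREAM[layer(r)])
    return orphans, stale, uncovered


def delete_requirement(requirements, links, req_id):
    """Remove a requirement and every link touching it (the 'homeless
    duplicate' correction), returning the new baseline."""
    return requirements - {req_id}, [(u, d) for u, d in links if req_id not in (u, d)]


# Constructed miniature baseline: ids follow the review's naming, links are invented.
SAMPLE_REQS = {"STK-REQ-001", "SYS-REQ-004", "SYS-REQ-012", "SUB-REQ-031", "SUB-REQ-039",
               "SUB-REQ-050", "IFC-REQ-002", "VER-REQ-070", "VER-REQ-100"}
SAMPLE_LINKS = [
    ("STK-REQ-001", "SYS-REQ-004"), ("STK-REQ-001", "SYS-REQ-012"),
    ("SYS-REQ-012", "SUB-REQ-031"), ("SYS-REQ-012", "SUB-REQ-039"),
    ("SYS-REQ-004", "IFC-REQ-002"), ("SUB-REQ-039", "VER-REQ-070"),
    ("IFC-REQ-002", "VER-REQ-070"), ("SYS-REQ-012", "VER-REQ-100"),
    ("SYS-REQ-013", "SUB-REQ-050"),  # stale: SYS-REQ-013 was deleted earlier
]

if __name__ == "__main__":
    orphans, stale, uncovered = check_traces(SAMPLE_REQS, SAMPLE_LINKS)
    print("orphans:", orphans, "stale:", stale, "uncovered:", uncovered)
```

Running it on the sample flags SUB-REQ-050 both as an orphan (its only upstream link is stale) and as uncovered, and SUB-REQ-031 as lacking a VER link; deleting SUB-REQ-050 clears the stale link and the orphan but leaves the SUB-REQ-031 coverage gap, which is why a lint pass alone is not a substitute for the verification matrix.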
Efficiency
26 sessions (585–610) from concept through acceptance. Concept and scaffold (585–589), decomposition (590–595), QC (595–596), validation (597–604), red-team (605–609), review (610). No sessions were entirely wasted, though validation required multiple passes to close the Station Blackout CCF gap and degraded mode duplicate issue.
Residual
35 medium-severity lint findings accepted: material property requirements for 8 components and redundancy/failover requirements for 7 {{trait:System-Essential}} components are detailed design concerns beyond concept specification scope. Coverage gap findings for STK concepts (“site operator”, “maintenance team”, “peak ground acceleration”) are semantic matches addressed by existing requirements under different terminology. The compliance status fields remain “unset” across all 225 requirements — these are implementation tracking fields, not specification quality indicators.
Verdict
PASS. The Emergency Diesel Generator specification is coherent, complete at concept level, proportionate to its nuclear safety risk profile, and would support procurement contracting, test programme development, and ONR safety authority review. Baseline COMPLETE-2026-03-26 created. All 6 ConOps scenarios verified with unbroken trace chains from stakeholder needs through SIL-4 verification.