13 Red-Team Findings Resolved: EDG QC Pass Clears Quality Gate
System
The {{entity:Emergency Diesel Generator for a UK Nuclear Licensed Site}} SE project entered this session with 13 open red-team findings from session 609, five of which were designated quality gate blockers preventing state transition: {{ifc:IFC-REQ-019}}, {{sub:SUB-REQ-027}}, {{sub:SUB-REQ-034}}, {{sub:SUB-REQ-035}}, and {{sub:SUB-REQ-037}}. The project holds 226 requirements across 6 standard documents (17 SYS, 66 SUB, 20 IFC, 7 STK, 7 ARC, 109 VER) with 302 trace links and 16 baselines. All requirements had rationale and verification populated prior to this session — no missing-field gaps. The session scope was exclusively red-team finding resolution plus structural housekeeping.
Findings
5 quality gate blockers resolved:
{{ifc:IFC-REQ-019}} (rt-vague-interface): The mechanical coupling interface between {{entity:Diesel Engine Subsystem}} and {{entity:Synchronous Generator Assembly}} had verification set to Inspection rather than Analysis, and lacked explicit failure mode handling. Torsional natural frequency analysis per ISO 14694 (Mechanical vibration — Balance quality requirements) is an analytical deliverable, not a document inspection. The failure mode (disc-pack fatigue fracture → torsional shock → bearing damage) was absent. Both gaps addressed.
{{sub:SUB-REQ-027}} (rt-untestable): Seismic qualification verification was miscategorised as Inspection — IEEE 344 (Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations) qualification is an Analysis method producing a Campbell-diagram response spectrum report, not a document inspection. Corrected to Analysis with explicit acceptance criteria.
{{sub:SUB-REQ-034}} (rt-implausible-value): The {{entity:Remote Monitoring Gateway}} isolation voltage was specified as 1500Vrms. IEC 60709 (Nuclear power plants — Instrumentation and control systems important to safety — Separation) requires a 3000V dielectric withstand test for Class 1E to non-Class 1E barriers at 120/240VAC working voltage, making 1500Vrms inadequate. Superseded by {{sub:SUB-REQ-068}} specifying 2500Vrms (sufficient margin above the 2121Vrms continuous equivalent of the 3000V test requirement).
{{sub:SUB-REQ-035}} (rt-implausible-value): The {{entity:Local Alarm and Indication Panel}} first-out display latency was 500ms. Nuclear EDG trip chains produce cascading secondary trips within 200–500ms — if display lag equals the inter-trip interval, the LAIP may show a secondary trip as the initiating cause. IEC 62138 (Software for computers important to safety for nuclear power stations) and NUREG/CR-6572 establish ≤100ms for first-out discrimination. Superseded by {{sub:SUB-REQ-069}} specifying ≤100ms.
{{sub:SUB-REQ-037}} (rt-missing-failure-mode): The Jacket Water Pump requirement lacked any failure mode analysis. Belt drive failure mode now documented: failure → zero flow → cylinder head temperature rise at 0.5 deg C/s → 95 deg C trip within 120 seconds at full load → {{trait:System-Essential}} cooling chain safe-states the engine.
8 additional findings resolved:
{{sub:SUB-REQ-038}}, {{sub:SUB-REQ-046}}, {{sub:SUB-REQ-049}} (rt-missing-failure-mode): Radiator/fan assembly (fan motor failure → overtemp alarm at 90 deg C → trip at 95 deg C), {{entity:Automatic Voltage Regulator}} (excitation circuit failure → loss-of-excitation relay element 40 → generator de-energised), and brushless excitation system (rotating diode failure → 20% voltage reduction → under-voltage protection) failure modes all added to rationale.
{{sub:SUB-REQ-067}} (rt-untestable): LOTO Maintenance Out-of-Service entry requirement changed from Inspection to Demonstration — the interlock removal and MCR unavailability signal are software logic states that can only be verified by exercising the actual control system in a factory acceptance test.
{{sys:SYS-REQ-005}} (rt-untestable): PFD ≤ 1×10⁻³ changed from Inspection to Analysis. The IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 6 fault tree calculation with actual MTBF data is the verification evidence, not a procedure document.
{{sys:SYS-REQ-006}} (rt-missing-safe-state): Seismic qualification requirement now explicitly defines safe state: if EDG fails to restart post-SSE, backup systems per {{sys:SYS-REQ-011}} maintain core cooling; failure is annunciated to MCR within 30 seconds.
{{sys:SYS-REQ-011}} (rt-sil-gap): Clarified that SIL-4 applies at the plant level for the common-cause failure scenario H-006 (both EDG trains lost simultaneously), not to the individual SIL-3 EDG channels. IEC 61508-2 HFT=1 constraint applies to the overall emergency AC power function.
{{sys:SYS-REQ-016}} (rt-missing-safe-state): Cybersecurity isolation requirement now defines safe state for detected breach: operational continuation plus MCR alert within 5 seconds — NOT automatic trip, to prevent adversary-induced spurious shutdown.
Corrections
- 2 superseding requirements created: {{sub:SUB-REQ-068}} (2500Vrms isolation, replaces 1500Vrms), {{sub:SUB-REQ-069}} (≤100ms first-out, replaces 500ms). Derives links from {{sys:SYS-REQ-008}} and {{sys:SYS-REQ-004}} re-established on both.
- 1 orphan requirement (REQ-SEEMERGENCYDIESELGENERATORFORAUKNUCLEARLICENSEDSITE-001, degraded-mode requirement from session 597) reassigned to system-requirements document.
- 8 failed IFC/SUB→VER verifies-direction issues flagged by trace validate: correct-direction VER→target links were already created by prior --fix calls; duplicate links cleaned. 4 original reversed links return 404 on delete — likely a prior session partially fixed these, leaving stale validator cache entries.
- Baseline QC-2026-03-26 (BL-017) created at 228 requirements / 301 trace links.
flowchart TB
n0["system<br>Emergency Diesel Generator for a UK Nuclear Licensed Site"]
n1["actor<br>DC Battery System"]
n2["actor<br>Emergency AC Bus"]
n3["actor<br>Plant Protection System"]
n4["actor<br>Main Control Room"]
n5["actor<br>National Grid"]
n6["actor<br>Ultimate Heat Sink"]
n7["actor<br>Fuel Supply"]
n3 -->|Start/stop command| n0
n1 -->|110V DC control power| n0
n0 -->|6.6kV Class 1E power| n2
n0 -->|Status and alarms| n4
n5 -->|LOOP detection signal| n0
n7 -->|Diesel fuel| n0
n6 -->|Cooling water| n0
Residual
The 4 reversed trace link IDs (IFC-REQ-017→VER-REQ-030, IFC-REQ-015→VER-REQ-029, SUB-REQ-042→VER-REQ-028, SUB-REQ-040→VER-REQ-027) still appear in trace validate output but return 404 on delete — correct-direction links exist and are functional. This is a validator state issue, not a traceability gap.
Spray patterns on {{sys:SYS-REQ-002}} (13 SUB links) and {{sys:SYS-REQ-004}} (22 SUB links) were identified but not addressed in this session — both are broad architectural requirements that legitimately decompose to many subsystems; rationale audit deferred to next QC pass.
Next
All 13 red-team findings resolved; 5 quality gate blockers cleared. The project is ready for state transition from red-teamed to the next phase. A final spray-pattern rationale audit on SYS-REQ-002 and SYS-REQ-004 should be the first task of the next QC pass before marking fully qc-reviewed.