System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["subsystem<br>Diesel Engine Assembly"]
    n1["subsystem<br>Synchronous Generator"]
    n2["subsystem<br>Fuel Oil System"]
    n3["subsystem<br>Engine Cooling System"]
    n4["subsystem<br>Lubrication Oil System"]
    n5["subsystem<br>Starting Air System"]
    n6["subsystem<br>EDG Instrumentation and Control System"]
    n7["subsystem<br>Electrical Switchgear and Load Sequencer"]
    n8["subsystem<br>EDG Building and Support Systems"]
    n5 -->|Compressed air for cranking| n0
    n2 -->|Diesel fuel supply| n0
    n3 -->|Jacket water coolant| n0
    n4 -->|Lubricating oil| n0
    n0 -->|Mechanical torque via shaft coupling| n1
    n1 -->|6.6kV 3-phase AC output| n7
    n0 -->|Speed, temp, pressure signals| n6
    n6 -->|Auto-start initiation| n5
    n6 -->|Governor control / trip| n0
    n6 -->|Breaker control commands| n7
```

Emergency Diesel Generator — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Diesel Engine Assembly | diagram-1774489045070 | SIL 3 | complete |
| Synchronous Generator | diagram-1774512337659 | — | in-progress |
| Fuel Oil System | diagram-1774512336071 | SIL 2 | in-progress |
| Engine Cooling System | diagram-1774512336567 | SIL 2 | in-progress |
| Lubrication Oil System | diagram-1774512337046 | — | in-progress |
| Starting Air System | diagram-1774492500356 | SIL 3 | complete |
| EDG Instrumentation and Control System | diagram-1774492460008 | SIL 3 | complete |
| Electrical Switchgear and Load Sequencer | diagram-1774508666044 | SIL 3 | complete |
| EDG Building and Support Systems | diagram-1774512338118 | SIL 2 | complete |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Diesel Engine Assembly SHALL achieve self-sustaining engine rotation within 3 seconds of receiving a start signal from the Starting Air System, with cylinder firing confirmed by all cylinders contributing to power output within 5 seconds, to support delivery of rated generator output within the 10-second system requirement. Rationale: The 10-second system start requirement (SYS-REQ-001) is decomposed across the start chain: the Starting Air System cranks the engine (0-3 s), the engine achieves self-sustaining combustion (3-5 s), the engine accelerates to rated speed and the Synchronous Generator reaches rated voltage (5-10 s). The 3-second self-sustain budget is consistent with a medium-speed diesel rated at 750 rpm cranked with pre-heated coolant (>10°C). If self-sustaining rotation is not achieved within this window the attempt has failed and an automatic retry is required; a retry cannot complete within the 10-second window without exceeding the air receiver start-attempt budget (SUB-REQ-014), so the 3-second budget must be met on the first attempt. | Test | subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-start-performance-571 |
| SUB-REQ-002 | The Diesel Engine Assembly SHALL maintain engine speed within 750 rpm ±1.5 rpm (±0.2%) in steady-state operation under all loads from 0% to 110% rated power, and within 750 rpm ±22.5 rpm (±3%) during transient load steps of up to 30% rated power applied or removed in under 1 second. Rationale: The generator output frequency tolerance of 50 Hz ±2% (SYS-REQ-006) maps to engine speed 750 ±15 rpm for an 8-pole generator (n = 120·f/p = 120·50/8 = 750 rpm; a 4-pole machine would run at 1,500 rpm). The ±1.5 rpm steady-state budget leaves margin within that ±15 rpm for the isochronous governor's steady-state error and speed-measurement tolerance; an isochronous governor has no droop by definition and a synchronous generator has no slip, so neither consumes the budget. The ±3% transient budget accommodates the governor's response time before the fuel rack settles; IEC 60034-1 allows a transient ±10% frequency excursion if recovery is within 5 seconds. The 30% step load case reflects connection of the largest individual safety load (ECCS pump motor) during load sequencing. | Test | subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-speed-stability-571 |
| SUB-REQ-003 | The Diesel Engine Assembly SHALL sustain continuous mechanical power output at 100% rated brake mean effective pressure for a minimum of 720 hours (30 days) between major maintenance interventions, consistent with a 24-hour mission reliability of 0.999 per demand. Rationale: The 30-day between-overhaul endurance requirement derives from the nuclear site's fuel storage capability (SYS-REQ-026: 7-day minimum at 100% load), post-accident monitoring requirements, and refuelling interval planning. MTBF data from qualified medium-speed nuclear diesels (e.g., PAXMAN, MAN, CATERPILLAR nuclear-grade) show B10 lives exceeding 5,000 hours for pistons, liners and bearings at rated BMEP; 720 hours represents a conservative continuous run mission within this envelope. Failure to sustain 24h continuous operation would invalidate the mission reliability figure of 0.999. | Analysis | subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-endurance-571 |
| SUB-REQ-004 | The Engine Protection Relay Package SHALL detect engine overspeed exceeding 863 rpm (115% of rated 750 rpm), and SHALL trip the Diesel Fuel Injection System fuel rack to the minimum position within 1 second of setpoint crossing, independent of the digital control system. Rationale: Overspeed is hazard H-001 in the EDG hazard register — uncontrolled acceleration to destructive speed (>1,200 rpm) can cause catastrophic engine failure including crankcase fragmentation, with potential for radioactive release if co-located safety systems are damaged. The 115% trip setpoint is the nuclear industry standard per IEEE Std 741 (IEEE Standard Criteria for the Protection of Class 1E Power Systems and Equipment in Nuclear Power Generating Stations); the 1-second response time ensures the engine is stopped before the mechanical runaway speed range of 130% rated is reached. The hardwired relay implementation ensures this function is immune to digital system faults per ARC-REQ-002 (hardware/software diversity). | Test | subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-overspeed-trip-571 |
| SUB-REQ-005 | The Engine Protection Relay Package SHALL detect engine lubricating oil pressure below 2.0 bar at the main oil gallery, and SHALL initiate an engine trip within 2 seconds of setpoint crossing, with a pre-trip alarm annunciated to the Main Control Room at 2.5 bar. Rationale: Low lubricating oil pressure causes hydrodynamic bearing film collapse within 2-5 seconds of pressure loss, leading to metallic contact, bearing seizure, and crankshaft failure (hazard H-003). The 2.0 bar trip setpoint is established by OEM bearing film requirements at rated speed; 2.5 bar alarm provides 30-60 seconds of operator warning before the trip, consistent with IEEE Std 741. The 2-second trip response must be faster than the bearing-film collapse time to prevent irreversible damage. The pre-trip alarm supports Limiting Condition for Operation assessment by the shift supervisor (STK-REQ-004). | Test | subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-lop-trip-571 |
| SUB-REQ-006 | The Engine Protection Relay Package SHALL detect engine jacket water coolant temperature exceeding 90°C at the cylinder head outlet, and SHALL initiate an engine trip within 2 seconds of setpoint crossing, with a pre-trip alarm annunciated at 85°C. Rationale: Jacket water temperature exceeding 90°C risks coolant boiling with consequent loss of cooling flow and rapid piston seizure (hazard H-006, SIL 2 per the hazard register). The 90°C trip setpoint is at least 10°C below the coolant boiling point at system pressure (typically 110°C at 1.5 bar system pressure), providing margin for continued heat rejection before coolant vaporises. The 85°C alarm setpoint gives operators 2-5 minutes of warning at typical heat-up rates. Consistent with vendor qualification data and IEEE Std 741 guidance for diesel engine protection. | Test | subsystem, diesel-engine-assembly, sil-3, safety-trip, session-571, idempotency:sub-dea-hct-trip-571 |
| SUB-REQ-007 | The Diesel Fuel Injection System SHALL meter fuel delivery with a maximum cylinder-to-cylinder variation of ±3% of mean fuel quantity per injection event, measured under steady-state rated load conditions, to ensure balanced combustion and prevent individual cylinder thermal overload. Rationale: Cylinder-to-cylinder fuel imbalance exceeding ±5% causes differential cylinder thermal loading, accelerated liner wear, and uneven power contribution to the crankshaft — increasing vibration and fatigue loading of the crankshaft (linked to catastrophic failure hazard H-001). The ±3% requirement sits below the ±5% OEM tolerance at which damage begins, leaving margin for injection pump wear between overhauls, and is consistent with nuclear-grade diesel maintenance practice. Verification by combustion analyser during pre-operational surveillance testing per Technical Specification monthly test (SYS-REQ-013 / STK-REQ-008). | Test | subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-fuel-metering-571 |
| SUB-REQ-008 | The Diesel Engine Assembly, including all sub-components and their mounting interfaces, SHALL be qualified to remain functional during and after a seismic event with a peak ground acceleration of 0.2g and response spectra consistent with EUR Seismic Category I requirements, with no loss of rated power delivery capability post-event. Rationale: EDG seismic qualification is required by nuclear site licence conditions and ONR Safety Assessment Principles for Seismic Category I equipment per EUR Document EUR 001 Rev. D. The 0.2g PGA represents the UK design basis earthquake for modern nuclear sites; earlier UK sites may use lower values per site-specific PSA. Qualification must cover the engine block mounting bolts (moment loading during horizontal excitation), the turbocharger (cantilevered mass), and the generator coupling alignment (relative displacement). Failure of EDG during the design basis earthquake when offsite power may also be lost represents a simultaneous loss of all AC power sources — a cliff-edge risk to reactor safety. | Analysis | subsystem, diesel-engine-assembly, sil-3, session-571, idempotency:sub-dea-seismic-571 |
| SUB-REQ-009 | When any Engine Protection Relay Package trip setpoint is exceeded, the Diesel Engine Assembly SHALL transition to its safe state (all fuel injection ceased, crankshaft deceleration to standstill) within 5 seconds of the trip signal, with no manual operator action required. Rationale: Safe state for the Diesel Engine Assembly is defined as 'engine stopped with no fuel flow' — the fail-safe condition for all four protection trip functions (overspeed, high coolant temp, low oil pressure, overcurrent). The 5-second transition time encompasses the worst-case governor response, fuel rack travel to minimum stop, and engine deceleration from 115% rated speed to rest (kinetic energy decay at no-load). This safe state is consistent with IEC 61508 (Functional safety of E/E/PE safety-related systems) safe state analysis for SIL 3 protection functions and eliminates the hazardous condition before it can escalate to structural damage. | Test | subsystem, diesel-engine-assembly, sil-3, safety-trip, safe-state, session-571, idempotency:sub-dea-safe-state-571 |
| SUB-REQ-010 | The Electrical Switchgear and Load Sequencer Subsystem SHALL implement a priority-based load sequencer that connects safety loads to the 6.6kV emergency bus in a fixed priority sequence within 10 seconds of generator breaker closure, with each load group delayed by a minimum of 500ms to prevent simultaneous inrush currents from exceeding generator transient overload capacity. Rationale: SYS-REQ-003 requires connection of safety loads via a priority-based load sequencer. The 500ms inter-group delay prevents cumulative inrush currents (typically 6× FLA per motor) from exceeding the generator's short-time overload rating during the critical bus restoration sequence following a LOOP event. This timing is consistent with IEEE 387 load-acceptance test criteria. | Test | session-572, qc, switchgear-load-sequencer, idempotency:sub-els-load-sequencer-572 |
| SUB-REQ-011 | The Fuel Oil System SHALL maintain at least 49,000 litres usable fuel per EDG train across day tanks and bulk storage, meeting CIMAC Class DM specification, sustaining rated-load operation for 7 days. Rationale: SYS-REQ-008 requires 7-day fuel storage capacity. At a rated-load consumption of 7,000 litres per day, 7 days requires 49,000 litres minimum. An engine of 2-4 MW consuming approximately 800-1,200 litres/hour would, however, use 19,200-28,800 litres per day; the 7,000 litres/day figure must therefore be confirmed against the selected engine's OEM fuel consumption curve at rated load before the storage volume is frozen. Day tank sizing of 750-1,000 litres provides approximately 1 hour of autonomous operation; the bulk tank supplies replenishment via transfer pump. CIMAC Class DM is the UK nuclear industry fuel specification for safety-related diesel engines. | Inspection | session-572, qc, fuel-oil-system, idempotency:sub-fos-fuel-storage-572, reqs-eng-session-583 |
| SUB-REQ-012 | The Engine Protection Relay Package SHALL implement a fail-safe de-energise-to-trip relay architecture such that loss of 125VDC control power to any trip relay automatically initiates engine trip to standstill, with a hardware-keyed maintenance inhibit that requires physical key insertion at the relay panel to suppress any individual trip function for maintenance, and automatically cancels on key removal. Rationale: IEC 61513 (Nuclear power plants — Instrumentation and control systems — General requirements for systems) requires safety-related I&C to fail safe. The engine protection relay package, classified as Functionally Autonomous (hex D6B73858), requires an explicit fail-safe mode definition: de-energise-to-trip ensures that DC power loss does not disable protection. The hardware-keyed inhibit (as opposed to a software override) ensures that no network- or software-originated command can suppress a trip function, and that every inhibit is traceable to a physical human action at the panel per ONR SAPs. Without it the relay package could be defeated remotely or by anyone with software access to the I&C. | Demonstration | session-580, qc, engine-protection, fail-safe, sil-3, idempotency:sub-eprp-failsafe-override-580 |
| SUB-REQ-013 | The Diesel Fuel Injection System SHALL operate from a dedicated 24VDC Class 1E power supply with supply voltage maintained within 24VDC ±10% across all load conditions, with a minimum 4-hour battery-backed autonomy for the fuel injection control module independent of engine cranking loads, to ensure injection function is sustained during EDG start transients and any short-duration DC bus disturbances. Rationale: The diesel fuel injection system is classified as Powered (hex D6D53218, bit 4), requiring explicit power source, voltage range, and consumption requirements per the UHT classification. At nuclear sites, all safety-related powered equipment must have a defined Class 1E power source per IEEE 308 (Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations). The 24VDC ±10% tolerance ensures electronic fuel injection control modules remain within operating specification during DC bus voltage excursions under LOOP conditions. Without a defined power budget, injection failure during a fault-initiated trip creates an unverifiable failure mode. | Test | session-580, qc, fuel-injection, power-supply, class-1e, idempotency:sub-fuel-injection-power-580 |
| SUB-REQ-014 | The Starting Air System Air Receiver Banks (A and B) SHALL each maintain a minimum stored pressure of 25 bar and a maximum operating pressure of 30 bar, providing sufficient capacity for a minimum of three consecutive start attempts at 20°C ambient. Rationale: The hardware fault tolerance that IEC 61508 (Functional safety of E/E/PE safety-related systems) requires of a SIL 3 start function is met by redundant air trains. Three start attempts is the ONR-mandated minimum to account for false cranks. 25 bar minimum is the minimum inlet pressure required by the air start distributor valve to achieve the cranking torque needed to overcome diesel engine compression at cold soak (10°C). Derived from SYS-REQ-004 (start reliability 0.975 per demand); insufficient air receiver capacity is the primary single cause of failed start attempts. | Test | subsystem, starting-air-system, sil-3, session-581, idempotency:sub-sas-receivers-pressure-581 |
| SUB-REQ-015 | The Starting Air System Air Start Valve and Distribution Manifold SHALL fully open and deliver compressed air to all engine cylinders within 0.5 seconds of receiving an electrical start command from the EDG Instrumentation and Control System. Rationale: The 3-second self-sustaining combustion budget (SUB-REQ-001) requires that cranking air reaches the cylinders within 0.5 s of start signal to allow sufficient compression-ignition cycles before the 3-second window expires. Valve actuation latency is the dominant timing contributor in the start chain from signal to first compression stroke. Verified by instrumented start test measuring solenoid energisation to first cylinder pressure rise. | Test | subsystem, starting-air-system, sil-3, session-581, idempotency:sub-sas-startvalve-actuation-581 |
| SUB-REQ-016 | The Starting Air System Air Compressor and Recharge Unit SHALL restore both Air Receiver Banks from a post-three-attempt low (minimum 20 bar) to full operating pressure of 30 bar within 30 minutes of start completion. Rationale: Technical Specifications for nuclear EDGs typically require the EDG to be returned to operability within one hour of a surveillance test. A 30-minute recharge allows 30 minutes for post-test inspection before the operability clock expires. Recharge time is driven by compressor capacity against receiver volume; 30 minutes corresponds to approximately 5 kW of compressor power for a 250-litre dual-receiver installation. | Test | subsystem, starting-air-system, session-581, idempotency:sub-sas-compressor-recharge-581 |
| SUB-REQ-017 | The Starting Air System Moisture Separator and Drain System SHALL maintain compressed air dewpoint at or below -40°C throughout the air receiver and distribution manifold. Rationale: Compressed air with a dewpoint above -40°C risks liquid water formation in the air start distributor valve and manifold at the minimum site ambient temperature of 5°C. Water ingress to engine cylinders can cause hydraulic lock and crankshaft failure on cranking, a catastrophic failure mode that would prevent EDG start and require major engine overhaul. The -40°C threshold corresponds to EN ISO 8573-1 water vapour Class 2 (pressure dewpoint at or below -40°C; Class 3 is -20°C) and is consistent with nuclear plant instrument air specifications. Because ISO 8573-1 classes are expressed as pressure dewpoint, the requirement is to be verified as pressure dewpoint at receiver operating pressure (30 bar): a dewpoint quoted at atmospheric pressure corresponds to a considerably higher dewpoint inside the receiver, which is where condensation would actually occur. | Inspection | subsystem, starting-air-system, session-581, idempotency:sub-sas-moisture-dewpoint-581 |
| SUB-REQ-018 | When Starting Air System receiver pressure drops to 27 bar on either bank, the Pressure Monitoring and Low-Pressure Alarm component SHALL generate a control room annunciation within 5 seconds. When pressure drops to 22 bar, the EDG Instrumentation and Control System SHALL inhibit further start attempts from that bank until pressure is restored to minimum 25 bar. Rationale: 27 bar alarm provides operator time to investigate before reaching the 25 bar start minimum. 22 bar inhibit prevents a start attempt on insufficient air supply, which would cause a failed crank and consume remaining air without achieving engine rotation. The inhibit is the safe state for this failure mode per IEC 61508 SIL 3 requirements — a failed start with depleted air is worse than no start attempt. Aligns with SYS-REQ-010 (independent hardwired trip functions). | Test | subsystem, starting-air-system, sil-3, safe-state, session-581, idempotency:sub-sas-lowpressure-alarm-581 |
| SUB-REQ-019 | The EDG Instrumentation and Control System Automatic Start Logic Controller SHALL detect emergency bus undervoltage below 5.94 kV within 100 ms and issue an air start command to the Starting Air System within 200 ms of detection, confirmed by hardwired LOOP signal from the Plant Protection System. Rationale: SYS-REQ-002 requires automatic start on bus undervoltage below 5.94 kV and sets a 200 ms LOOP detection budget, of which 100 ms is allocated to I&C undervoltage detection. Command issue (within 200 ms of detection) and air start valve actuation (0.5 s, SUB-REQ-015) are the next links in the SUB-REQ-001 start chain and are budgeted separately from detection. Hardwired confirmation from the Plant Protection System prevents a spurious start on transient undervoltage. Derived from SYS-REQ-001 (10-second start) and SYS-REQ-002 (automatic LOOP start). | Test | subsystem, ic-system, sil-3, session-581, idempotency:sub-ic-loop-detection-581 |
| SUB-REQ-020 | The EDG Instrumentation and Control System Engine and Generator Protection Logic SHALL generate a de-energise-to-trip relay output within 200 ms of any monitored parameter exceeding its trip setpoint, and SHALL be designed to IEC 61508 Safety Integrity Level 3 with an average Probability of Failure on Demand (PFDavg) below 1×10⁻³. Rationale: 200 ms trip response is the maximum permissible latency before continued engine operation at overspeed, low oil pressure, or high coolant temperature would cause irreversible mechanical damage. This budget is consistent with medium-speed diesel protection practice and is tighter than the engine mechanical failure time constants (overspeed damage onset approximately 800 ms at 115 percent rated speed). The IEC 61508 SIL 3 band for low-demand operation is 10⁻⁴ ≤ PFDavg < 10⁻³, so the target must be demonstrably below 10⁻³, not equal to it. The apportionment derives from the nuclear site safety case requirement for EDG start reliability of at least 0.975 per demand (SYS-REQ-004), allocating 0.001 to protection logic unavailability. | Analysis | subsystem, ic-system, sil-3, safety-critical, session-581, idempotency:sub-ic-protection-trip-response-581 |
| SUB-REQ-021 | The EDG Instrumentation and Control System Qualified I/O Module Assembly SHALL provide Class 1E qualified electrical isolation of at least 1.5 kV RMS between safety-classified inputs and outputs and any non-Class-1E circuit, and SHALL maintain isolation integrity following a design basis seismic event of 0.3g PGA. Rationale: IEC 60780 (Nuclear power plants - Electrical equipment of the safety system) and ONR SAP EKP.4 require Class 1E equipment to be electrically isolated from non-Class-1E circuits to prevent common-cause failure propagation. The 0.3g PGA seismic requirement is stated as deriving from SYS-REQ-009; SYS-REQ-009 is cited elsewhere in this decomposition (SUB-REQ-008, SUB-REQ-030) at 0.2g PGA, so the figure used here must be reconciled against the system requirement before verification. Loss of I/O isolation is a common-cause failure mode that could simultaneously disable both EDG trains by coupling a fault from the normal power distribution into the safety bus. | Test | subsystem, ic-system, sil-3, seismic, session-581, idempotency:sub-ic-io-isolation-581 |
| SUB-REQ-022 | The EDG Instrumentation and Control System Plant Communication Gateway SHALL be implemented as a unidirectional data diode transmitting EDG status data to the Main Control Room network, with no return data path capable of propagating a signal to the safety-classified I&C equipment. Rationale: SYS-REQ-012 requires safety-related control and protection systems to be isolated from non-safety networks. A unidirectional data diode (a physically transmit-only link, for example a single optical fibre with a transmitter on the safety side and only a receiver on the plant side) is the only implementation in which the absence of a return path is a property of the hardware rather than of software configuration. Bidirectional gateways with software-enforced isolation have been rejected: gateway compromise would let adversarial commands reach the safety logic, a single shared-cause vulnerability for both trains. Two design consequences follow: the status protocol must be connectionless and unacknowledged (TCP cannot be carried across a diode without a proxy on each side), with each frame self-contained and integrity-checked so that loss is detected rather than recovered by retransmission; and the diode's sending and receiving proxies must share no management, monitoring or firmware-update channel that would recreate a return path. Consistent with IEC 62645 (Nuclear power plants - Instrumentation and control systems - Requirements for security programmes). | Inspection | subsystem, ic-system, sil-3, cybersecurity, session-581, idempotency:sub-ic-comms-gateway-isolation-581 |
| SUB-REQ-023 | When the EDG Instrumentation and Control System Automatic Start Logic Controller detects a self-diagnostic fault in any SIL 3 function, the I&C System SHALL transition to a de-energised safe state within 500 ms, initiating engine protection trip and generating a control room fault alarm, while preserving the last-good EDG status data at the Annunciation and HMI Panel. Rationale: IEC 61508 SIL 3 requires defined safe states for all safety function failures. The safe state for I&C logic failure is de-energise-to-trip (engine stopped) rather than latched-run, because an uncontrolled engine running without protection monitoring is the more dangerous failure mode. 500 ms transition budget is chosen to ensure the trip is complete before any monitored protection parameter would reach a damage threshold from the unprotected state. | Test | subsystem, ic-system, sil-3, safe-state, session-581, idempotency:sub-ic-safe-state-581 |
| SUB-REQ-024 | The Bus Undervoltage Sensing Relay SHALL detect 6.6kV emergency bus voltage below 4.6kV (70% nominal) sustained for more than 200ms and issue an EDG automatic start initiation signal within 200ms of that qualifying time elapsing, using two-out-of-three voting logic across three independent voltage transformer inputs. Rationale: The 200ms qualifying time is derived from the maximum permissible bus blackout time before safety systems (RCP seal injection, EFWS) deplete their Class 1E UPS reserves, and it rejects dips shorter than 200ms. The 4.6kV setpoint (70% nominal) discriminates a credible LOOP from transient voltage dips caused by motor starts on the emergency bus. Two-out-of-three voting prevents spurious EDG starts on a single VT failure while ensuring detection on dual-channel loss. Drives SYS-REQ-002. | Test | subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-buvr-loop-detection-582 |
| SUB-REQ-025 | The Generator Circuit Breaker SHALL close onto the 6.6kV emergency bus within 100ms of receiving a close command from the Synchronising Check Relay (live-bus condition) or within 100ms of receiving a dead-bus close command, and SHALL trip open within 100ms of receiving a trip command from the Generator Electrical Protection Relay Package or from the I&C system emergency trip. Rationale: 100ms close time is derived from the 10-second full bus restoration budget (SYS-REQ-001): generator acceleration 8s, GCB mechanical operation 0.1s, leaving margin for sequencer timing. 100ms trip time is the maximum permissible to limit fault energy on the emergency bus during a generator electrical fault; longer trip times risk thermal damage to bus conductors at 25kA fault level. Class 1E spring-charged mechanism provides deterministic operating time independent of DC supply voltage variation ±20%. | Test | subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-gcb-close-trip-time-582 |
| SUB-REQ-026 | The Synchronising Check Relay SHALL permit Generator Circuit Breaker closure only when EDG output voltage is within ±10% of 6.6kV, frequency is within ±0.5Hz of 50Hz, and phase angle difference is within ±10 degrees, and SHALL issue an unconditional dead-bus close permission when bus voltage is below 20% of nominal (1.32kV) for more than 500ms without requiring frequency or phase angle synchronisation. Rationale: ±10% voltage and ±0.5Hz frequency windows represent the limits within which out-of-phase closing transient currents remain below the generator's mechanical endurance rating (typically 3 per unit peak for 100ms). ±10 degree phase angle limit bounds the closing transient to less than 0.5 per unit. Dead-bus override threshold of 20% nominal ensures the relay distinguishes a truly de-energised bus (LOOP condition requiring immediate connection) from a very low-voltage live bus. Without the dead-bus override the EDG could not connect during a LOOP, defeating its safety function. | Test | subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-sync-check-relay-582 |
| SUB-REQ-027 | The Generator Electrical Protection Relay Package SHALL provide differential protection (87G) with a minimum operating current of 10% rated generator current, overcurrent protection (51) with time-inverse characteristic, loss-of-excitation protection (40) with offset-mho impedance characteristic, and reverse power protection (32) with 2% of rated power pickup, each issuing an independent hardwired trip signal to the Generator Circuit Breaker within 100ms of fault detection. Rationale: The 87G minimum operating threshold of 10% rated current detects internal generator faults while remaining insensitive to CT mismatch (typically 1-2%). Loss-of-excitation (40) protection prevents generator motoring and loss of reactive power support to the safety bus, which would cause bus voltage collapse. Reverse power (32) at 2% pickup detects engine failure with the generator motoring from the bus. Each protection function is independent per IEEE C37.102 (Guide for AC Generator Protection) to prevent common-cause failure disabling all electrical protection. Hardwired trip path ensures operation independent of I&C system availability. | Test | subsystem, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:sub-swgr-gen-elec-protection-582 |
| SUB-REQ-028 | When the Generator Electrical Protection Relay Package detects a protection trip condition or when the Class 1E Switchgear Control Power Supply falls below 95VDC, the Electrical Switchgear and Load Sequencer Subsystem SHALL open the Generator Circuit Breaker within 200ms and inhibit all close commands until the fault condition is cleared and a manual reset is performed by a licensed operator. Rationale: Safe state requirement per IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL 3 subsystem. Generator electrical fault requires immediate isolation to prevent propagation to the Class 1E emergency bus. 200ms safe state transition time allows for GCB mechanical operation (100ms) plus protection relay operate time (100ms). Control power undervoltage at 95VDC (76% of 125VDC nominal) ensures the GCB trip coil receives sufficient energy for reliable operation even at battery end-of-discharge. Manual reset requirement prevents automatic reconnection after a fault, requiring a licensed operator to assess cause and authorise restart per nuclear site licence condition. | Test | subsystem, electrical-switchgear-and-load-sequencer, sil-3, safe-state, safety-critical, session-582, idempotency:sub-swgr-safe-state-582 |
| SUB-REQ-029 | The EDG Building and Support Systems SHALL incorporate an automatic gaseous total-flood fire suppression system (HFC-227ea or CO2 with pre-discharge alarm) rated to extinguish a Class B diesel fuel fire within 30 seconds of actuation, with a two-hour fire-rated separation barrier between Train A and Train B EDG rooms to maintain operability of the alternate train during a single-train fire event. Rationale: SYS-REQ-011 derives from hazard H-004 (fire in EDG building, SIL 2). The 30-second suppression criterion is consistent with BS EN 15004 (Fixed firefighting systems — Gas extinguishing systems) and, for the named agents, NFPA 2001 (Standard on Clean Agent Fire Extinguishing Systems, covering HFC-227ea) and NFPA 12 (Standard on Carbon Dioxide Extinguishing Systems) for unattended machinery spaces with flammable liquid hazards; NFPA 750 governs water mist systems and does not apply to a gaseous total-flood design. The two-hour barrier rating satisfies BS 476 Part 22 (Fire tests on building materials and structures) for Class B fire separation between redundant safety-classified rooms, ensuring that a single fire event cannot disable both EDG trains simultaneously. | Inspection | session-585, qc, edg-building, fire-protection, sil-2, idempotency:sub-building-fire-585 |
| SUB-REQ-030 | The Category 1 Building Structure SHALL maintain structural integrity and continue to house and protect all installed EDG equipment during and following a design basis earthquake of 0.2g PGA, with no structural deformation exceeding 10mm at any equipment anchor point. Rationale: SYS-REQ-009 requires EDG operability at 0.2g PGA; the building is the primary seismic protection boundary. The 10mm anchor-point deformation limit is derived from engine skid anchor bolt clearance tolerances specified by the engine OEM to prevent bearing misalignment during post-seismic operation. Seismic Category I classification follows BS EN 1998-1 and ONR Safety Assessment Principles. | Test | subsystem, edg-building, sil-2, seismic, session-586, idempotency:sub-building-seismic-struct-586 |
| SUB-REQ-031 | The Category 1 Building Structure SHALL provide physical separation between EDG trains by a minimum 2-hour rated fire barrier, such that a design basis fire in one train enclosure cannot propagate to the redundant train enclosure. Rationale: SYS-REQ-007 requires two independent redundant trains; SYS-REQ-011 requires fire barriers maintaining alternate train operability. The 2-hour fire rating is derived from UK ONR technical guidance on nuclear fire safety and the maximum credible fire duration in an EDG enclosure containing a 4,000L fuel day tank. Physical train separation is preferred over shared space with fire barriers alone, as it eliminates common-cause fire-suppression-agent discharge scenarios. | Inspection | subsystem, edg-building, sil-2, fire, session-586, idempotency:sub-building-train-sep-586 |
| SUB-REQ-032 | The Ventilation and Combustion Air System SHALL supply a minimum of 0.55 kg/s of combustion air per MW of rated engine output at an inlet temperature not exceeding 40°C and maintain engine room ambient temperature below 45°C during continuous full-load operation. Rationale: The 0.55 kg/s per MW combustion air figure is derived from the engine manufacturer's fuel-air ratio at rated output plus 10% margin for combustion efficiency degradation over service life. The 45°C engine room limit is the upper ambient limit specified in the engine qualification envelope; exceedance causes derating of the turbocharger and reduces start-on-demand margin. The inlet 40°C limit reflects the UK nuclear site extreme summer ambient design temperature per CIBSE Guide A. | Test | subsystem, edg-building, sil-2, hvac, session-586, idempotency:sub-building-hvac-airflow-586 |
| SUB-REQ-033 | When the EDG receives an automatic start signal, the Ventilation and Combustion Air System SHALL initiate fan motor start within 5 seconds and achieve rated airflow within 30 seconds of the engine start signal. Rationale: SYS-REQ-001 requires the EDG to reach rated speed and voltage within 10 seconds of the start signal; engine heat rejection into the room then rises to its full value as the load sequencer applies the safety load blocks. Starting the fan within 5 seconds ensures ventilation airflow is established before the engine reaches rated speed, and rated airflow at 30 seconds precedes full-load heat rejection, preventing thermal stress from inadequate air exchange during the critical ramp-up phase. | Test | subsystem, edg-building, sil-2, hvac, session-586, idempotency:sub-building-hvac-start-586 |
| SUB-REQ-034 | The Exhaust Silencer and Discharge Stack SHALL limit exhaust gas backpressure to not more than 50 mbar at the turbocharger outlet under all operating conditions from no-load to 110% rated load, and remain structurally intact following a design basis earthquake of 0.2g PGA. Rationale: The 50 mbar backpressure limit is specified by the diesel engine OEM as the maximum permissible backpressure for rated power output without turbocharger surge or thermal overloading. Exceedance reduces available output power and risks turbocharger damage; below this threshold the silencer can be designed for adequate noise attenuation. Seismic qualification prevents stack collapse blocking the exhaust and stalling the engine after the earthquake mission begins. | Test | subsystem, edg-building, sil-2, exhaust, session-586, idempotency:sub-building-exhaust-back-586 |
| SUB-REQ-035 | The Drain and Spill Containment System SHALL provide bunded containment with a minimum capacity of 110% of the largest single fluid inventory within the building (diesel day tank: 4,000 litres), with sump high-level alarm annunciation to the main control room within 60 seconds of breach detection. Rationale: The 110% bunded capacity rule follows UK Environment Agency Pollution Prevention Guidance PPG2 for above-ground oil storage. The 4,000L day tank is the dominant spill risk; containing 110% prevents secondary containment overflow under worst-case scenario. 60-second control room annunciation enables operator response before a spill migrates to an uncontained area, and derives from the same alarm response time budget used in the fire detection system design. | Inspection | subsystem, edg-building, flood, sil-2, session-586, idempotency:sub-building-drain-cap-586 |
| SUB-REQ-036 | When a Category 1 Building Structure breach is detected by the structural monitoring system, the EDG Building and Support Systems SHALL automatically isolate the affected train and generate a control room alarm within 30 seconds, while maintaining operability of the redundant train. Rationale: SIL 2 safety function requires a defined safe state on failure. A structural breach (seismic damage, impact) that degrades protection for one train must not cascade to the redundant train. The 30-second alarm response time allows operators to take manual action before secondary effects (flooding, fire) propagate. This requirement implements the safe state for the EDG Building Structure SIL 2 function as required by IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems). | Demonstration | subsystem, edg-building, sil-2, safe-state, session-586, idempotency:sub-building-safe-state-586 |
| SUB-REQ-037 | The Engine Cooling System SHALL maintain engine jacket water outlet temperature within 75°C to 85°C during continuous operation at any load from 25% to 110% of rated power. Rationale: IEC 61508 SIL 2 derived from SYS-REQ-005. Jacket water temperature band of 75–85°C is the manufacturer-specified operating envelope for medium-speed 4-stroke diesel engines in standby duty; operation above 85°C degrades lubricant film viscosity and risks liner cavitation, while operation below 75°C increases fuel consumption and causes condensation-related cylinder corrosion. Failure to maintain this band during the 24-hour rated-load run risks premature engine failure. | Test | subsystem, engine-cooling, sil-2, session-591 |
| SUB-REQ-038 | While in standby, the Engine Cooling System SHALL maintain jacket water temperature at not less than 35°C using the Engine Pre-heat System to ensure the engine is capable of reaching rated speed within 10 seconds of start signal. Rationale: Derived from SYS-REQ-001 (10-second start-to-rated-speed requirement). A cold engine at ambient -10°C has insufficient lubricant film and may fail to fire reliably; 35°C is the minimum jacket water temperature at which the OEM guarantees start reliability consistent with the 0.975 start-on-demand probability in SYS-REQ-004. Below 35°C, start transient torque and lube oil flow rates fall outside the OEM qualification envelope. | Demonstration | subsystem, engine-cooling, sil-2, session-591 |
| SUB-REQ-039 | The Engine Cooling System SHALL dissipate engine thermal rejection at not less than 110% of rated thermal load at a maximum ambient temperature of 35°C without exceeding the jacket water temperature limit defined in SUB-REQ-037. Rationale: Derived from SYS-REQ-005 (24-hour continuous operation) and SYS-REQ-017 (35°C maximum ambient). The 110% margin accounts for fouling of the heat exchanger surface during extended operation and provides headroom against ambient temperature excursions. Without this margin, summer ambient conditions combined with heat exchanger fouling could cause sustained coolant temperature exceedance during multi-day operation in a LOOP event. | Test | subsystem, engine-cooling, sil-2, session-591 |
| SUB-REQ-040 | When jacket water outlet temperature exceeds 95°C or jacket water circuit pressure falls below 0.5 bar gauge, the Engine Cooling System SHALL generate a hardwired engine trip signal to the EDG Instrumentation and Control System within 200 milliseconds. Rationale: SIL 2 safe-state requirement derived from SYS-REQ-010 (hardwired engine trip circuits). The 95°C threshold is set 10°C above the 85°C upper operating limit to allow brief transients without spurious trip, while preventing sustained overtemperature that causes head gasket failure. The 0.5 bar pressure threshold detects coolant loss before dry-running engine damage occurs. The 200 ms trip response is an allocation well inside the process safety time for this hazard: IEC 61508 and IEC 61511 require a safety function to act within the process safety time but do not prescribe a numerical response time, and 200 ms places the engine in the safe state well before coolant system damage propagates to piston seizure. | Test | subsystem, engine-cooling, sil-2, safety-trip, safe-state, session-591 |
| SUB-REQ-041 | The Coolant Circulation Pump SHALL maintain a minimum coolant flow rate of 150 L/min at 0.8 bar differential pressure throughout the engine load range from 25% to 110% of rated power. Rationale: Derived from SYS-REQ-005. Flow rate of 150 L/min at 0.8 bar is determined by the OEM heat balance for a medium-speed diesel in this power range; below this flow, the jacket water outlet temperature differential across the engine block exceeds 10°C, creating thermal gradients that cause head distortion over extended operation. The pump is engine-driven, so performance must be verified across the full engine speed range. | Test | subsystem, engine-cooling, sil-2, session-591 |
| SUB-REQ-042 | The Thermostatic Control Valve SHALL modulate bypass coolant flow to maintain jacket water temperature within ±3°C of the 80°C setpoint during steady-state engine operation at rated load. Rationale: Derived from SYS-REQ-006 (voltage and frequency stability). Jacket water temperature stability directly affects fuel injection timing and cylinder firing consistency; a ±3°C band ensures combustion stability within the OEM governor envelope. Wider temperature excursions during steady-state operation indicate valve hysteresis and are a precursor to temperature hunting, which has caused premature valve failure in comparable standby diesel applications (UK nuclear site operating experience). | Test | subsystem, engine-cooling, sil-2, session-591 |
| SUB-REQ-043 | The Engine Cooling System pressure boundary, including the Engine Jacket Water Circuit, Coolant Circulation Pump, and Radiator/Heat Exchanger, SHALL remain leak-free and functional following a Design Basis Earthquake of 0.2g PGA as specified in SYS-REQ-009, with post-seismic coolant flow re-established within 30 seconds. Rationale: SIL 2 seismic requirement derived from SYS-REQ-009. The Engine Cooling System must survive the DBE because loss of cooling following a seismic event would prevent the EDG from fulfilling its post-earthquake safe shutdown function. Analysis (rather than test) is used because shake-table testing of a full cooling system assembly is impractical; seismic qualification by analysis per ASCE 4 (Seismic Analysis of Safety-Related Nuclear Structures) and IEEE 344 (Recommended practice for seismic qualification of Class 1E equipment for nuclear power generating stations) provides equivalent evidence. | Analysis | subsystem, engine-cooling, sil-2, seismic, session-591 |
| SUB-REQ-044 | The Fuel Oil System SHALL supply diesel fuel to the engine injection system at a pressure of 0.3 bar to 0.7 bar gauge and a flow rate sufficient for rated engine power output throughout the full 24-hour operating duration specified in SYS-REQ-005. Rationale: IEC 61511 SIL 2 derived from SYS-REQ-005. The 0.3–0.7 bar delivery pressure range is determined by the OEM fuel injection pump inlet specification; pressures outside this range cause either injector dribble (low pressure) or premature injection pump seal failure (high pressure). Flow rate adequacy at rated power must be demonstrated under fuel temperature extremes since viscosity variation of up to 20% affects pump volumetric efficiency. | Test | subsystem, fuel-oil, sil-2, session-591 |
| SUB-REQ-045 | The Bulk Storage Tank SHALL maintain a minimum fuel inventory of 110% of the 7-day fuel demand at 100% rated load as specified in SYS-REQ-008, with a high-level alarm at 95% fill and a low-level alarm at 20% fill providing warning before reserve depletion. Rationale: The 110% margin over the SYS-REQ-008 7-day inventory provides one day of additional reserve for extended LOOP events or unexpected consumption increases from abnormal engine loading. The alarm thresholds are set to provide sufficient time for a refuelling team to respond before approaching the minimum reserve, based on typical fuel delivery response times at UK nuclear sites (4–8 hours). | Inspection | subsystem, fuel-oil, sil-2, session-591 |
| SUB-REQ-046 | The Day Tank SHALL maintain a working inventory of not less than 4 hours of fuel at rated engine load to provide autonomous operation during a Bulk Storage Tank refuelling transfer interruption, with a low-level alarm at 60 minutes remaining inventory. Rationale: The 4-hour Day Tank autonomy decouples the engine from the Bulk Storage Tank transfer system, ensuring that a transfer pump failure or valve seizure does not immediately starve the engine. The 60-minute low-level alarm provides the operating crew sufficient time to initiate corrective action (transfer pump restart or backup transfer) before engine fuel starvation occurs. | Test | subsystem, fuel-oil, sil-2, session-591 |
| SUB-REQ-047 | The Fuel Oil Strainer and Filter Assembly SHALL maintain fuel particle contamination downstream of the filter element at ISO 4406 cleanliness code 16/13/10 or better under maximum flow conditions, with a differential pressure alarm at 0.5 bar indicating filter blockage requiring maintenance. Rationale: ISO 4406 cleanliness code 16/13/10 is the maximum fuel contamination level specified by the OEM for the injection pump and injector nozzles; exceeding this level causes accelerated injector wear and nozzle blockage that degrades fuel spray quality and reduces available power. The 0.5 bar differential pressure alarm threshold is set 0.2 bar (about 65%) above the clean filter pressure drop of 0.3 bar, providing adequate warning before the bypass valve opens and unfiltered fuel reaches the injectors. | Test | subsystem, fuel-oil, sil-2, session-591 |
| SUB-REQ-048 | When Day Tank level falls below the transfer initiation setpoint, the Fuel Transfer Pump SHALL automatically start and transfer fuel from the Bulk Storage Tank to the Day Tank within 30 minutes, with automatic stop on high level alarm and manual override capability from the EDG local control panel. Rationale: Automatic transfer control ensures the Day Tank is replenished without operator intervention during sustained LOOP events when control room operator workload may be high. The 30-minute transfer time is derived from the Day Tank volume and transfer pump rated flow rate; this must be less than the 60-minute low-level alarm-to-starvation window to ensure reliable autonomous refill. | Demonstration | subsystem, fuel-oil, sil-2, session-591 |
| SUB-REQ-049 | When Day Tank fuel level falls below the engine fuel inlet connection height, the Fuel Oil System SHALL generate a hardwired low-fuel trip signal to the EDG Instrumentation and Control System and the engine SHALL be shut down in a controlled manner to prevent injection pump dry-running damage. Rationale: SIL 2 safe-state requirement derived from SYS-REQ-010. Dry-running of the fuel injection pump for more than 30 seconds causes irreversible pump damage. A controlled shutdown (rather than sudden cutoff) is specified to allow the engine governor to reduce load before fuel cut-off, preventing electrical transients on the emergency bus. The trip signal follows the same hardwired, fail-safe discrete output architecture as the cooling loss trip. | Test | subsystem, fuel-oil, sil-2, safety-trip, safe-state, session-591 |
| SUB-REQ-050 | The Fuel Oil System bulk storage tank, day tank, pipework, and filter assembly SHALL be located in a hazardous area classified as Zone 2 under DSEAR 2002 (implementing Directive 1999/92/EC), with electrical equipment installed within that zone certified for Zone 2 use (Equipment Category 3G) under ATEX Directive 2014/34/EU, include double-walled bund containment capable of retaining 110% of the bulk tank volume, and be equipped with fuel leak detection with annunciation to the EDG control panel. Rationale: Diesel fuel storage at nuclear licensed sites is regulated under the ONR (Office for Nuclear Regulation) SA-EAF standard for fire and explosion prevention. Zone 2 area classification is applied because diesel vapour release in the EDG building during refuelling creates an intermittent flammable atmosphere; Directive 2014/34/EU governs the equipment placed in that zone, while the zoning itself follows DSEAR. Double-walled bunding and leak detection are required by Environment Agency guidance on oil storage (PPG 2) to prevent fuel release into the nuclear site drainage system. | Inspection | subsystem, fuel-oil, sil-2, safety, atex, session-591 |
| SUB-REQ-051 | The Pre-Lube and Post-Lube Pump SHALL establish a minimum lubricating oil pressure of 1.5 bar at the engine main gallery within 20 seconds of receiving the pre-lubrication command, prior to the start air valve opening, to ensure all main and big-end bearings are wetted before cranking begins. Rationale: Dry start bearing damage is the primary engine wear failure mode for standby diesel engines. A minimum 1.5 bar gallery pressure confirmed before air start valve energisation ensures oil film thickness on all critical bearing surfaces; treating pre-lubrication as a condition precedent to starting is standard practice for nuclear standby EDGs and is consistent with IEEE Std 387 (Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations) and BS EN 12601 (safety of reciprocating internal combustion engine driven generating sets). | Test | |
| SUB-REQ-052 | The Engine-Driven Lube Oil Pump SHALL maintain engine main gallery oil pressure within 3.5 bar to 5.5 bar at rated engine speed (750 rpm) and all operating temperatures within the normal range of 60°C to 100°C. Rationale: Sustained bearing film integrity requires oil pressure to exceed the hydrodynamic minimum across the full thermal operating range. The 3.5–5.5 bar band is derived from OEM bearing clearance analysis; pressures below 3.5 bar trigger thin-film conditions at operating temperature, and pressures above 5.5 bar risk seal extrusion on the crankshaft front and rear seals. | Test | |
| SUB-REQ-053 | The Lube Oil Cooler SHALL maintain engine lubricating oil outlet temperature within 80°C to 100°C at 100% rated engine load and maximum ambient design temperature of 40°C, using the closed-circuit engine jacket water as the cooling medium. Rationale: Oil viscosity falls steeply with temperature; above about 105°C a multigrade oil no longer retains enough viscosity to prevent metal-to-metal contact in the turbocharger bearings, so the 100°C upper bound keeps margin below that point. The 80°C lower bound prevents water condensing into the oil and sludging during warm-up transients. Using jacket water as the cooling medium avoids the need for an independent cooler circuit, consistent with ARC-REQ-006. | Test | |
| SUB-REQ-054 | The Lube Oil Filter and Strainer SHALL maintain lubricating oil particle contamination downstream of the filter to ISO 4406 Class 17/15/12 or better throughout the EDG operational life, with an integral differential pressure indicator and high-differential-pressure alarm at 1.0 bar to alert operators before bypass valve opening. Rationale: Turbocharger bearing clearances are in the 20–30 micron range; contamination coarser than ISO 4406 code 17/15/12 introduces particulates large enough to score the bearing surfaces. The 1.0 bar differential alarm provides advance warning at 50% of the bypass-open setpoint (2.0 bar), allowing a maintenance window without forced shutdown. | Test | |
| SUB-REQ-055 | The Pre-Lube and Post-Lube Pump SHALL continue post-shutdown lubrication circulation for a minimum of 10 minutes following EDG shutdown, maintaining oil gallery pressure above 0.8 bar to purge residual heat from the turbocharger bearing cartridge and prevent oil coking. Rationale: Turbocharger bearing cartridges retain thermal mass after shutdown; without continued lubrication, residual heat oxidises oil in the bearing clearances (oil coking), producing deposits that can block the oil feed bore on the next start. A 10-minute post-lube duration at 0.8 bar gallery pressure is consistent with OEM turbocharger specifications for medium-speed diesel engines at this power rating. | Test | |
| SUB-REQ-056 | When engine lubricating oil gallery pressure falls below 2.0 bar at any time during engine operation, the Engine Protection Relay Package SHALL initiate a hardwired engine trip within 500 ms, consistent with SUB-REQ-005, and the Lubrication and Bearing System SHALL shed all non-essential electrical consumers to prevent secondary damage. Rationale: 2.0 bar is the minimum hydrodynamic film-forming pressure at operating temperature for the main bearings; sustained operation below this threshold causes bearing wiping within 10–30 seconds. The 500 ms trip time limit is consistent with SUB-REQ-005 and is well inside that 10–30 second window, leaving conservative margin before bearing damage begins. | Test | |
| SUB-REQ-057 | The Automatic Voltage Regulator SHALL maintain the Synchronous Generator terminal voltage within ±1% of 6.6kV in steady-state at any load from 0% to 100% rated output current and power factor between 0.8 lagging and unity. Rationale: The 6.6kV emergency bus supplies Class 1E switchgear and motor starters with a declared operating voltage window of 6.6kV ±10%; maintaining AVR regulation to ±1% allocates a conservative tolerance budget that prevents motor starting problems even when the bus is at the low-voltage limit. Tighter regulation than the ±10% load-shedding protection window ensures stable operation under load sequencer step changes. | Test | |
| SUB-REQ-058 | The Automatic Voltage Regulator SHALL restore terminal voltage to within ±3% of 6.6kV within 1.5 seconds following a step load application of any individual safety load group connected by the load sequencer, without causing a generator protection trip. Rationale: Each load sequencer step applies a block load to the generator bus. The 1.5-second recovery window is derived from the motor starting immunity characteristic of downstream Class 1E motor starters; voltage dips exceeding 20% (i.e., below 5.28kV) lasting longer than 1.5 seconds can cause contactor dropout and loss of safety function. The AVR transient response specification directly supports SUB-REQ-010 load sequencer timing. | Test | |
| SUB-REQ-059 | The Generator Neutral Earthing Unit SHALL limit the earth fault current at the generator terminals to not more than 5 amperes (high-impedance earthing), using a resistor-loaded distribution transformer connected between the generator neutral point and earth, to restrict stator core damage during a phase-to-earth fault. Rationale: Unrestricted earth fault currents on medium-voltage generators cause stator core lamination burning that requires costly rewinding or core replacement. High-impedance earthing through a neutral distribution transformer with a secondary loading resistor, limiting the primary earth fault current to a few amperes, is the established practice for unit-connected medium-voltage generators (IEEE Std C62.92.2, Guide for the Application of Neutral Grounding in Electrical Utility Systems, Part II: Synchronous Generator Systems); it limits core damage to the faulted slot only, allowing repair rather than replacement, and is consistent with the generator protection relay differential and earth-fault scheme in SUB-REQ-027. | Analysis | |
| SUB-REQ-060 | The Generator Cooling Fan SHALL start automatically upon engine rotation exceeding 50 rpm, maintain airflow through the stator winding and rotor end-turns throughout the operating period, and continue to rotate by inertia for not less than 5 minutes following engine shutdown to remove residual stator winding heat. Rationale: Stator winding insulation class H (maximum 180°C hotspot) requires continuous forced cooling during and immediately after rated-load operation. The 50 rpm start threshold ensures cooling airflow is established before excitation is applied; the 5-minute coasting period is derived from the thermal time constant of the stator winding insulation system at rated load, preventing insulation ageing by capping post-load hotspot temperature rise. | Test | |
| SUB-REQ-061 | The Automatic Voltage Regulator SHALL be classified as Class 1E I&C equipment per IEC 60780 and IEEE Std 603, and SHALL be qualified to operate across the seismic demand of the EDG site (0.5g peak spectral acceleration at 5 Hz) per IEEE Std 344, with at least one full operational test cycle performed under simulated seismic conditions. Rationale: The AVR is an active I&C function whose failure during a seismic event would deprive the site of AC power at the moment it is most needed (post-earthquake station blackout). IEEE Std 603 and IEC 60780 require Class 1E qualification for I&C elements that are credited in the safety case; IEEE Std 344 seismic qualification against the site safe shutdown earthquake (SSE) design basis is consistent with the ONR Safety Assessment Principles, SYS-REQ-009 and ARC-REQ-002. | Inspection | |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Emergency Diesel Generator and the National Grid SHALL detect loss of offsite power via redundant undervoltage relays monitoring 6.6kV bus voltage, with relay pickup at 90% nominal (5.94kV) and dropout at 70% nominal (4.62kV), and a time delay of no more than 100ms to discriminate between LOOP and transient voltage dips. Rationale: External interface with National Grid. MoP basis: each relay is energised by the bus it monitors, so it picks up (bus healthy) once voltage reaches 90% nominal (5.94 kV) and drops out (loss of voltage) when voltage falls to 70% nominal (4.62 kV). The 90% level is the conventional degraded-voltage threshold for Class 1E bus protection (IEEE Std 741, Criteria for the Protection of Class 1E Power Systems and Equipment in Nuclear Power Generating Stations) and is the ONR-preferred discrimination point between LOOP and motor-starting voltage dips (typically 85-90% nominal); the 20% separation between pickup and dropout is the hysteresis that prevents relay chatter while voltage recovers through the intermediate band. The 100 ms qualifying delay on dropout rides through the short voltage dips seen on the 6.6 kV bus during grid fault clearing and motor inrush without materially delaying genuine LOOP detection; false positives consume reliability margin and trigger unnecessary maintenance entries. | Test | interface, external, session-570, idempotency:ifc-ext-grid-570, reqs-eng-session-577 |
| IFC-REQ-002 | The interface between the Emergency Diesel Generator and the Emergency AC Bus SHALL deliver 6.6kV 3-phase 50Hz power through a generator output breaker rated for the full fault current of the bus, with the generator breaker closing within 500ms of the EDG reaching rated voltage and frequency. Rationale: External interface with Emergency AC Bus: the generator breaker is the boundary between EDG output and plant safety loads. Breaker closing time directly adds to the total power restoration time. | Test | interface, external, session-570, idempotency:ifc-ext-bus-570 |
| IFC-REQ-003 | The interface between the Emergency Diesel Generator and the Ultimate Heat Sink SHALL provide cooling water flow of at least 150 m3/h at a maximum inlet temperature of 30°C for engine jacket water and aftercooler heat rejection, when a water-cooled design is selected. Rationale: External interface with Ultimate Heat Sink. MoP basis: the 150 m3/h cooling water flow rate is derived from the engine OEM thermal balance calculation: at rated brake power, jacket water heat rejection is approximately 1.2 MW, which this flow removes at roughly a 7°C temperature rise across the heat exchanger (1.2 MW divided by 41.7 kg/s × 4.18 kJ/kg·K). The 30°C maximum inlet temperature is the UK coastal site 99th percentile sea/river water temperature from UK Met Office climatological data; exceeding it reduces heat exchanger effectiveness and drives jacket water temperature above the 85°C upper limit of SUB-REQ-037 under sustained full-load operation. | Test | interface, external, session-570, idempotency:ifc-ext-uhs-570, reqs-eng-session-577 |
| IFC-REQ-004 | The interface between the Emergency Diesel Generator and the Plant Protection System SHALL accept a hardwired LOOP start signal (24VDC energise-to-start) and provide EDG status feedback signals (running, loaded, tripped, available) to the protection system safeguards logic. Rationale: External interface with Plant Protection System: the start signal is the safety-critical command that initiates EDG response. Hardwired implementation per IEC 61513 (Nuclear power plants — Instrumentation and control important to safety) ensures independence from digital system common cause failure. | Test | interface, external, session-570, idempotency:ifc-ext-pps-570 |
| IFC-REQ-005 | The interface between the Emergency Diesel Generator and the Main Control Room SHALL provide continuous analogue and digital signals for display of EDG operating parameters, alarm inputs for all abnormal conditions, and command outputs for manual start/stop and transfer authorisation, over qualified Class 1E cabling. Rationale: External interface with Main Control Room: operator situational awareness depends on real-time parameter display. All scenarios require operator monitoring and command capability from MCR. | Demonstration | interface, external, session-570, idempotency:ifc-ext-mcr-570 |
| IFC-REQ-006 | The interface between the Emergency Diesel Generator and the Fuel Supply infrastructure SHALL accept diesel fuel delivery via road tanker to bulk storage tanks through a fill connection with overfill protection, with automatic day tank level management maintaining a minimum 2-hour fuel reserve at all times. Rationale: External interface with Fuel Supply: the fill connection and overfill protection are the boundary between off-site logistics and on-site fuel management. The 2-hour day tank reserve ensures EDG continues running even if bulk transfer pump fails temporarily. | Inspection | interface, external, session-570, idempotency:ifc-ext-fuel-570 |
| IFC-REQ-007 | The interface between the Emergency Diesel Generator and the DC Battery System SHALL provide 125VDC Class 1E control power for EDG instrumentation and control, and 24VDC starting battery power for air start solenoid valves, with battery chargers powered from the EDG output bus to maintain charge during LOOP. Rationale: External interface with DC Battery System: DC power is essential for EDG control and starting. The battery charger feedback loop (EDG powers charger, charger maintains battery, battery enables next start) must be validated for extended LOOP scenarios. | Test | interface, external, session-570, idempotency:ifc-ext-dc-570 |
| IFC-REQ-008 | The interface between the Diesel Engine Assembly (Fuel Injection System) and the Fuel Oil System SHALL deliver filtered diesel fuel at 3.0 to 5.0 bar gauge feed pressure at the injection pump inlet, with fuel cleanliness compliant with ISO 4406 cleanliness class 18/16/13, and a minimum flow rate of 1.5× maximum injection pump demand at rated power. Rationale: The injection pump requires minimum feed pressure to prevent vapour locking and maintain injection accuracy; 3.0 bar provides a positive pressure margin above injection pump inlet requirements even at maximum ambient temperature. ISO 4406 cleanliness class 18/16/13 is consistent with the injection pump manufacturer's requirement for particulate cleanliness; contamination above this level causes accelerated pump barrel-plunger wear. The 1.5× flow factor accounts for fuel return flow from the overflow valve and provides margin during transient load demand. | Test | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-fuel-supply-571 |
| IFC-REQ-009 | The interface between the Diesel Engine Assembly (Engine Block) and the Engine Cooling System SHALL accept coolant flow at the engine inlet at a minimum of 120 m3/h at 70°C to 85°C inlet temperature, with jacket water pressure at the engine block coolant ports maintained between 0.5 and 2.0 bar gauge to prevent cavitation erosion of the wet-liner cylinder bores. Rationale: Jacket water temperature range and flow rate are set by the engine OEM thermal model to keep metal temperatures within allowable limits: cylinder liner temperature must remain below 180°C to prevent lubricant film breakdown; inlet temperature below 70°C causes condensation and acid corrosion in the liner bores. Jacket water pressure must be positive to prevent cavitation erosion of the cast iron wet liners during high-frequency combustion pressure pulses, a known failure mode in medium-speed diesels operating below minimum specified flow. Interface defined here because the cooling system is a separate SIL-2 subsystem per ARC-REQ-006. | Test | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-cooling-571 |
| IFC-REQ-010 | The interface between the Diesel Engine Assembly (Engine Block, Turbocharger) and the Lubrication Oil System SHALL provide lubricating oil at the main gallery entry at 4.0 to 6.5 bar gauge and oil temperature between 60°C and 90°C, with oil cleanliness compliant with ISO 4406 class 16/14/11, sustained from cold start until the engine reaches rated speed. Rationale: Main gallery oil pressure of 4.0-6.5 bar is the OEM requirement for hydrodynamic bearing film formation at 750 rpm; the low-pressure trip at 2.0 bar (SUB-REQ-005) provides a 2 bar margin below minimum operating pressure. Oil temperature below 60°C causes high viscosity and reduced flow to the turbocharger bearings, risking coking during start-up; above 90°C the oil viscosity drops below the minimum for bearing film formation. The ISO 4406 cleanliness class is tighter than the fuel requirement because the turbocharger bearings at 30,000+ rpm are more sensitive to particulate contamination than the injection pump. | Test | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-lubrication-571 |
| IFC-REQ-011 | The Starting Air System–Engine Assembly interface SHALL supply 25–30 bar compressed air to the air start distributor inlet, cranking the engine to at least 120 rpm within 1.5 seconds of start signal at -10°C ambient. Rationale: Air start distributor inlet pressure of 25-30 bar is the OEM cranking design pressure, providing enough torque to overcome cold-oil viscosity at -10°C ambient; below 20 bar the cranking torque is insufficient to reliably achieve self-sustaining combustion within the 3-second budget (SUB-REQ-001). The 120 rpm minimum cranking speed is the threshold at which compression-ignition diesels reliably achieve first combustion on qualified nuclear-grade engines. Per ARC-REQ-004, the compressed air starting choice is driven by consistent cold-weather cranking torque versus battery starting alternatives. | Test | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-starting-air-571, reqs-eng-session-583 |
| IFC-REQ-012 | The interface between the Diesel Engine Assembly and the EDG Instrumentation and Control System SHALL provide continuous 4-20 mA analogue signals for: engine speed (0-1000 rpm), jacket water outlet temperature (0-120°C), lubricating oil pressure (0-10 bar), and fuel rack position (0-100%); and SHALL provide hardwired 24VDC discrete inputs from the Engine Protection Relay Package to the I&C for each trip function status (overspeed, high coolant temp, low oil pressure, overcurrent), with signal cable rated for Class 1E nuclear service per IEEE Std 383 (Standard for Type Testing of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations). Rationale: The 4-20 mA standard loop signal is the nuclear industry standard for qualified analogue instrumentation — it is immune to common mode voltage, allows wire-break detection (open = 0 mA), and is compatible with Class 1E qualified transmitters and I&C input cards. The parameter ranges are set to span the full operating and alarm ranges with 10% headroom. The hardwired discrete inputs for protection status ensure the I&C system receives protection status via a deterministic path, not via network communication which could be disrupted. Class 1E cable qualification per IEEE Std 383 is required for safety system cabling in nuclear plants. | Inspection | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-ic-signals-571 |
| IFC-REQ-013 | The interface between the Diesel Engine Assembly (Crankshaft and Flexible Shaft Coupling) and the Synchronous Generator rotor shaft SHALL transmit rated mechanical power at 750 rpm with maximum torsional vibration amplitude not exceeding ±5% of rated torque at any harmonic order, and SHALL accommodate misalignment of up to 0.3 mm parallel offset and 0.1° angular without transmitting bending loads to either crankshaft or generator shaft bearing. Rationale: The torsional vibration limit of ±5% is derived from the synchronous generator's design basis for oscillatory torque on the rotor shaft and drive-end bearing — exceeding this causes cyclic fatigue in the shaft key and coupling hub. The misalignment tolerance of 0.3 mm / 0.1° is the flexible coupling manufacturer's specification for the expected thermal growth differential between the engine and generator frames under operating conditions; rigidly coupling without misalignment accommodation would transmit bending moments to the crankshaft main bearings, violating their design load case. | Test | interface, diesel-engine-assembly, sil-3, session-571, idempotency:ifc-dea-generator-coupling-571 |
| IFC-REQ-014 | The interface between the EDG Instrumentation and Control System and the Starting Air System Air Start Valve SHALL transmit a 125VDC Class 1E start command via a dedicated hardwired discrete signal, energising the solenoid valve within 200 ms of LOOP detection to initiate engine cranking. Rationale: The start command interface is on the critical timing path between LOOP detection and engine cranking. A hardwired discrete signal (not networked) is required to achieve the deterministic 200 ms timing budget and to maintain SIL 3 integrity — network-routed commands introduce non-deterministic latency and shared-cause vulnerability. 125VDC Class 1E power ensures the interface remains functional under loss of normal AC power, which is the exact condition requiring EDG start. | Test | interface, starting-air-system, ic-system, sil-3, session-581, idempotency:ifc-ic-sas-start-command-581 |
| IFC-REQ-015 | The interface between the Starting Air System Pressure Monitoring and Low-Pressure Alarm and the EDG Instrumentation and Control System SHALL transmit continuous 4-20 mA analogue pressure signals from each receiver bank at a minimum scan rate of 1 Hz, with hardwired discrete alarm contacts closing within 5 seconds of low-pressure threshold being reached. Rationale: Continuous pressure monitoring enables trend-based maintenance scheduling and early detection of receiver leakage. The 1 Hz scan rate is sufficient to track pressure decay curves between start attempts. The hardwired alarm contact is required independently of the analogue signal so that the alarm function is not defeated by I&C software failure — consistent with SIL 3 architecture requiring independence of alarm and control paths. | Test | interface, starting-air-system, ic-system, session-581, idempotency:ifc-sas-pressure-to-ic-581 |
| IFC-REQ-016 | The interface between the Bus Undervoltage Sensing Relay and the Generator Circuit Breaker SHALL carry a hardwired Class 1E 125VDC discrete start initiation signal; the signal SHALL be current-limited to 50 mA, the cable routing SHALL be segregated from non-Class 1E cabling per IEEE 384, and signal transmission SHALL be failsafe such that an open-circuit condition is interpreted as a start demand. Rationale: The hardwired 125VDC discrete interface prevents cyber interference with the LOOP initiation path per SYS-REQ-012. The 50 mA current limit prevents cable insulation damage from a ground fault causing an inadvertent start. IEEE 384 segregation ensures a fire or cable fault cannot simultaneously disable both the signal and the return circuit. The open-circuit failsafe ensures cable damage generates a conservative start demand rather than silently defeating the safety function. | Test | interface, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:ifc-buvr-gcb-start-582 |
| IFC-REQ-017 | The interface between the Synchronising Check Relay and the Generator Circuit Breaker SHALL carry a hardwired 125VDC discrete close-permission signal active only when synchronising conditions are satisfied or dead-bus override is active; the interface SHALL include a mechanical anti-pumping interlock preventing more than one close attempt per close command, and the permissive signal SHALL be removed within 50 ms of a synchronising condition violation. Rationale: Hardwired close permission keeps the synchronising function independent of digital control systems. Anti-pumping interlock prevents repeated GCB close-open-close cycles on a marginal synchronising condition, which would mechanically stress the GCB mechanism and risk weld failure of contacts. The 50 ms permissive withdrawal time ensures the GCB cannot complete a close operation outside the synchronising window given its 100 ms mechanical close time, preventing out-of-phase closure. | Test | interface, electrical-switchgear-and-load-sequencer, sil-3, session-582, idempotency:ifc-scr-gcb-close-permission-582 |
| IFC-REQ-018 | The interface between the Generator Electrical Protection Relay Package and the Generator Circuit Breaker SHALL deliver a hardwired trip signal via a dedicated Class 1E trip coil circuit with a maximum resistance of 10 ohms total (cable plus coil); the trip contact SHALL be rated for interrupting 5A inductive DC load at 125VDC, and the trip circuit SHALL be continuously supervised such that a broken or high-resistance circuit triggers an alarm to the Main Control Room within 5 seconds. Rationale: Maximum 10 ohm trip circuit resistance ensures the GCB trip coil receives minimum 11.9A at lowest battery voltage (95VDC), exceeding the minimum trip coil pick-up current. Trip contact 5A inductive DC rating matches the GCB trip coil inrush current at 125VDC. Continuous trip circuit supervision (wiring integrity monitoring) detects broken trip wires before a protection demand occurs; the 5-second alarm delay filters transient monitoring glitches without leaving the generator unprotected. Required per BS EN 60947-2 circuit breaker protection application. | Test | interface, electrical-switchgear-and-load-sequencer, sil-3, safety-critical, session-582, idempotency:ifc-geprp-gcb-trip-582 |
| IFC-REQ-019 | The interface between the Ventilation and Combustion Air System and the Diesel Engine Assembly SHALL supply combustion air at a velocity not exceeding 8 m/s at the engine air intake plenum, with particulate filtration to ISO 16890 ePM1 55% efficiency to prevent ingestion of construction debris or environmental particulates. Rationale: Excessive inlet velocity causes turbulent losses in the engine air intake, degrading volumetric efficiency and potentially raising intake manifold temperature. The 8 m/s limit matches engine OEM intake ductwork design constraints. ISO 16890 ePM1 55% filtration is the minimum grade that prevents turbocharger fouling during the expected 7-day extended run period per nuclear ConOps. | Test | interface, edg-building, hvac, session-586, idempotency:ifc-hvac-engine-air-586 |
| IFC-REQ-020 | The interface between the Fire Detection and Suppression System and the Ventilation and Combustion Air System SHALL transmit a hardwired ventilation isolation signal within 5 seconds of confirmed fire detection, causing the Ventilation and Combustion Air System to close all dampers and shut off fans to prevent gaseous suppression agent dilution. Rationale: Gaseous total-flood fire suppression (CO2 or FM200) requires isolation of all air paths into the protected enclosure to maintain agent concentration above the minimum extinguishing design concentration for 10 minutes per NFPA 2001 and BS EN 15004. If ventilation continues, the agent disperses below minimum concentration before the fire is extinguished. The 5-second isolation time precedes typical suppression discharge delay of 30-60 seconds, ensuring ventilation is off before agent release. | Test | interface, edg-building, fire, hvac, session-586, idempotency:ifc-fire-hvac-shutdown-586 |
| IFC-REQ-021 | The interface between the Drain and Spill Containment System and the Fuel Oil System SHALL provide a continuous bunded collection path for all Fuel Oil System components within the EDG building, such that any fuel release up to the full day-tank volume (4,000 litres) is captured within the sump without reaching an ignition source or drainage to uncontrolled discharge. Rationale: The Fuel Oil System day tank is the largest single flammable fluid inventory in the EDG building. Without a continuous bunded path from every fuel connection to the sump, a pipe joint failure or tank overflow would flow across an unprotected floor to the engine exhaust system, which operates at 600-700°C and provides an ignition source. This interface requirement enforces the physical routing of drains established by the fire risk assessment per UK HSE Process Safety Management standards. | Inspection | interface, edg-building, flood, fuel, session-586, idempotency:ifc-drain-fuel-contain-586 |
| IFC-REQ-022 | The interface between the Coolant Circulation Pump and the Engine Jacket Water Circuit SHALL transmit coolant at a minimum flow rate of 150 L/min at 0.8 bar gauge pressure, with pump suction pressure maintained above 0.2 bar to prevent cavitation across the full engine load range. Rationale: Cavitation at pump inlet during high-speed engine operation is a known failure mode in standby diesel cooling circuits; the 0.2 bar suction minimum is derived from pump NPSH data and the circuit head loss at maximum flow. Loss of this interface during a LOOP event would cause engine overtemperature within minutes. | Test | interface, engine-cooling, sil-2, session-591 |
| IFC-REQ-023 | The interface between the Engine Pre-heat System and the Engine Jacket Water Circuit SHALL maintain standby jacket water temperature at ≥35°C using a 3 kW electric immersion heater circuit controlled by a thermostat with ±2°C hysteresis, supplied from the station UPS to remain active during AC blackout conditions. Rationale: The pre-heat circuit must operate during blackout to maintain start readiness — this is precisely the scenario in which the EDG is required. AC supply from the UPS (rather than normal supply) ensures the heater remains energised during the bus blackout that triggers the EDG start demand. The ±2°C thermostat hysteresis prevents rapid cycling that degrades the heater element. | Demonstration | interface, engine-cooling, sil-2, session-591 |
| IFC-REQ-024 | The interface between the Thermostatic Control Valve and the Radiator/Heat Exchanger SHALL route hot-side coolant flow to the heat exchanger at 0% to 100% of pump flow as a linear function of jacket water temperature between 75°C (full bypass) and 82°C (full radiator flow), with valve stroke response time not exceeding 5 seconds. Rationale: A 5-second stroke response is required to prevent the coolant temperature overshooting the 85°C upper limit during load step changes; faster valves introduce hunting. The 75–82°C operating band is set to provide a 10°C margin above the 75°C warm-up floor and a 3°C margin below the 85°C operating limit. | Test | interface, engine-cooling, sil-2, session-591 |
| IFC-REQ-025 | The interface between the Engine Cooling System and the EDG Instrumentation and Control System SHALL provide two independent 4-20 mA Pt100 temperature signals from the jacket water outlet header, a hardwired discrete trip output on cooling loss (active low, fail-safe), and a 4-20 mA coolant pressure signal, all routed on SIL 2 qualified cable with physical segregation from non-safety circuits. Rationale: Two independent temperature signals provide 1-of-2 voting logic in the I&C system for the engine overtemperature trip, consistent with IEC 61511 SIL 2 diagnostic coverage requirements. The fail-safe active-low trip output ensures that loss of signal (cable break) defaults to the safe state (engine trip). Physical segregation is required by BS EN 61000 (Electromagnetic compatibility) to prevent I&C trip spurious actuation from EMI generated by engine ignition circuits. | Inspection | interface, engine-cooling, sil-2, safety-critical, session-591 |
| IFC-REQ-026 | The interface between the Fuel Transfer Pump and the Day Tank SHALL deliver fuel at a minimum transfer rate of 50 L/min from the Bulk Storage Tank, controlled by a float-switch level signal from the Day Tank Level Control and Alarm unit, with transfer pump status (running/fault) monitored by the EDG I&C system. Rationale: 50 L/min transfer rate is derived from the Day Tank volume and the 30-minute refill requirement in SUB-REQ-048; lower rates risk delayed refill that allows the Day Tank to reach the low-fuel alarm threshold before transfer completes. Pump status monitoring is required for operator awareness during sustained LOOP events. | Test | interface, fuel-oil, sil-2, session-591 |
| IFC-REQ-027 | The interface between the Day Tank and the engine fuel injection system SHALL provide a continuous, uninterrupted fuel supply at 0.3 bar to 0.7 bar gauge with fuel temperature maintained between 10°C and 40°C to ensure fuel viscosity remains within the OEM injection pump specification throughout the engine operating range. Rationale: Fuel temperature limits are required because marine diesel viscosity varies by a factor of three between -5°C and 50°C; at the extremes, pump volumetric efficiency and atomisation quality degrade to the point where governor control authority is insufficient to maintain rated frequency. Tank heating and insulation are required in the EDG building HVAC design to maintain the 10°C lower limit at the -10°C ambient design minimum. | Test | interface, fuel-oil, sil-2, session-591 |
| IFC-REQ-028 | The interface between the Fuel Oil Strainer and Filter Assembly and the engine fuel injection system SHALL provide clean fuel at ISO 4406 ≤16/13/10, with differential pressure measurement across the filter element transmitted as a 4-20 mA signal to the EDG I&C panel, and a mechanical bypass valve set to open at 1.0 bar differential to protect the injection pump in the event of filter blockage. Rationale: The bypass valve protects the injection pump from starvation caused by a blocked filter during an unattended LOOP event. The bypass set-point of 1.0 bar is set above the 0.5 bar alarm threshold (SUB-REQ-047) to allow the alarm to trigger before bypass occurs, so the shift supervisor can initiate maintenance before unfiltered fuel reaches the injectors. | Inspection | interface, fuel-oil, sil-2, session-591 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The Emergency Diesel Generator design SHALL employ a medium-speed 4-stroke turbocharged diesel engine operating at 750 rpm or 1,000 rpm, achieving a start-on-demand probability of not less than 0.975. Rationale: Medium-speed 4-stroke turbocharged diesels (750/1000 rpm) are the established nuclear-grade choice for emergency power: they achieve >0.975 start-on-demand probability, are qualified under IEEE 387 and IEC 60034 by multiple OEMs, and have 5,000+ hour overhaul intervals compatible with refuelling outage maintenance cycles. High-speed units achieve faster start but exhibit inferior long-term reliability; 2-stroke diesels are not available at the required power class. | Inspection | architecture, engine, session-570, idempotency:arc-engine-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-002 | The Emergency Diesel Generator design SHALL implement engine protection trip functions (overspeed, overtemperature, low oil pressure) as hardwired relay circuits physically independent of the digital monitoring and control system. Rationale: Separation of protection and control is mandated by IEC 61513 (Nuclear power plants — I&C systems — General requirements for systems) and UK ONR Safety Assessment Principles (SAPs). Hardwired relay protection provides deterministic, software-independent trip response and eliminates common-cause software failure and cyber vulnerabilities (hazard H-010) from the safety-critical trip path. | Inspection | architecture, ic-system, session-570, idempotency:arc-ic-separation-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-003 | The Emergency Diesel Generator design SHALL provide two fully independent trains (Train A and Train B), each with dedicated engine, generator, fuel storage, cooling, starting air, I&C, and switchgear housed in separate fire-rated buildings. Rationale: Train independence is required by UK GDA process and ONR SAPs to meet single-failure criterion: any active failure in one train must not prevent the other train from fulfilling its safety function. Physical separation in fire-rated buildings eliminates propagating hazards (fire, flood) and directly supports the N+1 redundancy allocation across EDG trains A and B. | Inspection | architecture, redundancy, session-570, idempotency:arc-train-independence-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-004 | The Emergency Diesel Generator design SHALL use compressed-air starting with air receivers sized for not fewer than 5 consecutive start attempts without recharge. Rationale: Compressed air starting is the industry standard for diesel engines above 500 kW. It provides consistent cranking torque (15-25 bar) independent of ambient temperature, whereas battery cold-cranking capacity degrades by ~40% below 0°C. Five consecutive starts per demand event are consistent with IEEE 387 starting-reliability requirements. | Demonstration | architecture, starting-air, session-570, idempotency:arc-starting-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-005 | The Emergency Diesel Generator design SHALL integrate LOOP detection, generator breaker control, and load sequencing within a single Electrical Switchgear and Load Sequencer subsystem sharing the 6.6 kV bus environment. Rationale: Grouping these functions in one subsystem reduces the interface count and eliminates race conditions from distribution across I&C and power subsystems. All three functions share the 6.6 kV bus environment, common failure modes, and are tested together under IEEE 387 load-acceptance tests. A single subsystem boundary simplifies post-event audit trails for nuclear post-event analysis. | Inspection | architecture, switchgear, session-570, idempotency:arc-switchgear-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-006 | The Emergency Diesel Generator design SHALL implement engine cooling as a dedicated subsystem independent of the Diesel Engine Assembly, with a separate fault tree analysis satisfying SIL 2 targets for hazard H-006. Rationale: Hazard H-006 (cooling system failure) is classified SIL 2 under IEC 61508 (Functional safety of E/E/PE safety-related systems), requiring independent fault tree analysis. The cooling subsystem has distinct failure modes (fan belt, radiator blockage, coolant chemistry degradation) not correlated with engine mechanical failure, interfaces externally to a separate heat sink, and requires a distinct maintenance regime. | Inspection | architecture, cooling, session-570, idempotency:arc-cooling-570, informational, session-572, reqs-eng-session-577 |
| ARC-REQ-007 | ARC: EDG Building and Support Systems — Seismic Category I dedicated enclosure with four integrated sub-functions. The building is decomposed into: (1) EDG Building Structure (Seismic Cat I reinforced concrete providing missile/blast protection and inter-train physical separation); (2) EDG Building HVAC System (Class 1E ventilation providing combustion air and room cooling, auto-starting with engine); (3) EDG Flood and Drainage System (passive barriers plus active bunded sump providing worst-case flood containment without affecting engine operability); (4) EDG Building Access Control System (security zone management, SIL 0, backed by Class 1E 125VDC). Alternatives considered: (a) shared HVAC between trains — rejected because common-cause HVAC failure could disable both trains; (b) active flood pumps as primary barrier — rejected because passive first-line protection is more reliable during LOOP when pump power may be interrupted. The SIL 2 allocation applies to Structure, HVAC, and Flood systems; Access Control is SIL 0 (security function, not safety). Rationale: Decomposition decision required to prevent common-cause structural, thermal, and flood failure paths from coupling the two EDG trains. Each component has distinct failure modes and testing intervals, necessitating separate classification and independent requirement derivation. SIL 2 is inherited from SYS-REQ-009 (seismic) and SYS-REQ-011 (fire/flood) which bound the building safety functions. | Inspection | architecture, edg-building, session-586, idempotency:arc-edg-building-586, informational, qc-session-589 |
| ARC-REQ-008 | ARC: Fuel Oil System — Gravity-fed Day Tank with automatic transfer from bulk storage. The system uses a two-level storage architecture (Bulk Storage Tank → Day Tank → engine) to decouple the engine from the bulk transfer system. The Day Tank is elevated to provide gravity-fed fuel supply to the injection pump without a booster pump, eliminating a potential single-point failure in the fuel supply path. Fuel transfer is controlled by float-switch automation rather than a timed sequence to accommodate variable engine fuel consumption rates across the load range. The Bulk Storage Tank is sized at 110% of the 7-day SYS requirement to provide operating margin for the gravity-feed architecture's inability to fully drain to zero. Rationale: The two-level gravity-feed architecture was selected over a direct single-tank pumped supply because: (1) Day Tank gravity feed eliminates pump failure as an engine starvation cause; (2) the architectural separation allows the bulk transfer pump to be maintained or replaced without interrupting engine operation; (3) float-switch control is simpler and more reliable than timed or flow-metered control in a nuclear qualified environment. | Inspection | architecture, fuel-oil, session-591, idempotency:arc-fuel-oil-system-591 |
```mermaid
flowchart TB
    n0["component<br>Diesel Engine Block and Crankcase"]
    n1["component<br>Diesel Fuel Injection System"]
    n2["component<br>Diesel Engine Turbocharger"]
    n3["component<br>Engine Governor and Speed Control Unit"]
    n4["component<br>Engine Protection Relay Package"]
    n5["component<br>Engine Exhaust System"]
    n6["component<br>Crankshaft and Flexible Shaft Coupling"]
    n1 -->|Metered high-pressure fuel| n0
    n2 -->|Charged combustion air| n0
    n0 -->|Exhaust gas to turbine| n2
    n0 -->|Post-turbine exhaust gases| n5
    n3 -->|Fuel rack position signal| n0
    n0 -->|Engine speed feedback| n3
    n4 -->|Protective trip signal| n0
    n0 -->|Reciprocating to rotary torque| n6
```
Diesel Engine Assembly — Internal
```mermaid
flowchart TB
    n0["component<br>Automatic Start Logic Controller"]
    n1["component<br>Load Management and AVR Interface"]
    n2["component<br>Engine and Generator Protection Logic"]
    n3["component<br>Annunciation and HMI Panel"]
    n4["component<br>Qualified I/O Module Assembly"]
    n5["component<br>Plant Communication Gateway"]
    n4 -->|Field start signals and interlocks| n0
    n4 -->|Speed, temp, pressure, power measurements| n2
    n0 -->|Air start valve commands| n4
    n2 -->|Trip and alarm relay outputs| n4
    n2 -->|Alarm and trip annunciation| n3
    n1 -->|AVR voltage set-point output| n4
    n0 -->|EDG operating status data| n5
    n1 -->|Load and voltage parameters| n3
```
EDG Instrumentation and Control System — Internal
```mermaid
flowchart TB
    n0["component<br>Air Receiver Bank A"]
    n1["component<br>Air Receiver Bank B"]
    n2["component<br>Air Start Valve and Distribution Manifold"]
    n3["component<br>Air Compressor and Recharge Unit"]
    n4["component<br>Moisture Separator and Drain System"]
    n5["component<br>Pressure Monitoring and Low-Pressure Alarm"]
    n0 -->|30-bar air train A| n2
    n1 -->|30-bar air train B| n2
    n3 -->|Recharge to 30 bar| n0
    n3 -->|Recharge to 30 bar| n1
    n4 -->|Dehumidified compressed air| n0
    n0 -->|Receiver pressure signal| n5
    n1 -->|Receiver pressure signal| n5
```
Starting Air System — Internal
```mermaid
flowchart TB
    n0["component<br>Generator Circuit Breaker"]
    n1["component<br>Bus Undervoltage Sensing Relay"]
    n2["component<br>Load Sequencer Logic Controller"]
    n3["component<br>Generator Electrical Protection Relay Package"]
    n4["component<br>Synchronising Check Relay"]
    n5["component<br>Class 1E Switchgear Control Power Supply"]
    n1 -->|LOOP trip signal| n0
    n4 -->|close permissive| n0
    n3 -->|protection trip| n0
    n5 -->|125VDC control power| n0
    n5 -->|125VDC control power| n2
    n2 -->|load pickup command| n0
```
Electrical Switchgear and Load Sequencer — Internal
```mermaid
flowchart TB
    n0["component<br>Bulk Storage Tank"]
    n1["component<br>Day Tank"]
    n2["component<br>Fuel Transfer Pump"]
    n3["component<br>Fuel Oil Strainer and Filter Assembly"]
    n4["component<br>Day Tank Level Control and Alarm"]
    n0 -->|bulk fuel supply| n2
    n2 -->|filtered fuel| n3
    n4 -->|start/stop signal| n2
    n2 -->|fuel delivery| n1
    n3 -->|clean fuel to day tank| n1
```
Fuel Oil System — Internal Components
```mermaid
flowchart TB
    n0["component<br>Engine Jacket Water Circuit"]
    n1["component<br>Radiator/Heat Exchanger"]
    n2["component<br>Coolant Circulation Pump"]
    n3["component<br>Thermostatic Control Valve"]
    n4["component<br>Engine Pre-heat System"]
    n2 -->|coolant flow| n0
    n0 -->|hot coolant return| n3
    n3 -->|coolant to cooler| n1
    n1 -->|cooled coolant| n2
    n4 -->|standby heat| n0
```
Engine Cooling System — Internal Components
```mermaid
flowchart TB
    n0["component<br>Engine Lube Oil Sump"]
    n1["component<br>Engine-Driven Lube Oil Pump"]
    n2["component<br>Pre-Lube and Post-Lube Pump"]
    n3["component<br>Lube Oil Cooler"]
    n4["component<br>Lube Oil Filter and Strainer"]
    n0 -->|oil draw| n1
    n1 -->|pressurised oil| n3
    n3 -->|cooled oil| n4
    n2 -->|pre/post-lube flow| n0
```
Lubrication Oil System — Internal Components
```mermaid
flowchart TB
    n0["component<br>Stator and Stator Winding Assembly"]
    n1["component<br>Rotor and Field Winding"]
    n2["component<br>Automatic Voltage Regulator"]
    n3["component<br>Generator Neutral Earthing Unit"]
    n4["component<br>Generator Cooling Fan"]
    n2 -->|excitation current| n1
    n1 -->|rotating magnetic field| n0
    n0 -->|neutral connection| n3
    n4 -->|cooling airflow| n0
    n0 -->|terminal voltage feedback| n2
```
Synchronous Generator — Internal Components
```mermaid
flowchart TB
    n0["component<br>Ventilation and Combustion Air System"]
    n1["component<br>Exhaust Silencer and Discharge Stack"]
    n2["component<br>Fire Detection and Suppression System"]
    n3["component<br>Category 1 Building Structure"]
    n4["component<br>Drain and Spill Containment System"]
    n3 -->|air intake penetrations| n0
    n3 -->|exhaust penetration| n1
    n2 -->|fire/shutdown signal| n0
    n3 -->|floor drain collection| n4
```
EDG Building and Support Systems — Internal Components
| Entity | Hex Code | Description |
|---|---|---|
| Bus Undervoltage Sensing Relay | D5B77818 | Hardwired solid-state relay monitoring 6.6kV Class 1E emergency AC bus voltage. Initiates EDG automatic start sequence and opens tie breaker to grid on detection of bus voltage dropping below 70% of nominal (4.6kV) for more than 0.2 seconds (LOOP condition). De-energise-to-trip logic for fail-safe operation. Powered from Class 1E 125VDC battery. Seismic-qualified. Two-out-of-three voting logic with redundant voltage transformers to prevent spurious trips. |
| Class 1E Switchgear Control Power Supply | D6851058 | Dedicated 125VDC Class 1E battery-backed DC distribution panel supplying control power to the Generator Circuit Breaker close/trip coils, Bus Undervoltage Sensing Relay, Load Sequencer Logic Controller, and Generator Electrical Protection Relay Package. Powered from the Class 1E 125VDC battery system with automatic changeover from normal AC rectifier on loss of AC. Battery autonomy minimum 8 hours at full switchgear control load. Seismic-qualified. Provides Class 1E/non-Class 1E isolation barriers per IEEE 384. |
| Common cause failure of redundant diesel generators hazard | 10040211 | Simultaneous failure of multiple redundant EDGs due to shared vulnerability: common fuel supply contamination, common design defect, common maintenance error, seismic event exceeding design basis, flooding. Nuclear sites typically have 2-4 redundant EDGs but common cause failures defeat redundancy. Consequence: station blackout with no AC power, potentially leading to core damage within hours. Defence requires diversity (e.g., gas turbine alternative) and protection against external hazards. |
| Cool Diesel Engine | 56D51000 | System function of nuclear EDG: removes waste heat from engine block, cylinder heads, and turbocharger aftercooler via closed-loop jacket water circuit. Heat rejection to atmosphere via radiator/fan units or to raw water via heat exchanger. Must maintain coolant temperature below 95°C at full load in 40°C ambient. Failure mode: engine trip on high temperature (H-006). |
| Cooldown Shutdown mode of Emergency Diesel Generator | 50943A10 | Controlled unloading and stopping after emergency mission complete. Loads transferred back to restored grid supply, EDG runs unloaded for cooldown period (typically 10-30 minutes) to prevent thermal shock to turbocharger and engine components. Gradual reduction of fuel, engine stops, post-lube pump maintains oil circulation. Entry: offsite power restored and verified stable. Exit: engine stopped, transition to post-shutdown checks. Operator involvement typically required for shutdown authorisation in nuclear context. |
| Crankshaft and Flexible Shaft Coupling | CEC51018 | Forged alloy steel crankshaft and flexible coupling assembly transmitting mechanical power from the diesel engine to the synchronous generator rotor. Crankshaft journals run at 750 rpm with hydrodynamic oil-film bearings at 4-6 bar oil pressure. Flexible coupling accommodates axial and angular misalignment (typically ±2mm axial, ±0.5° angular) and provides torsional damping to protect generator shaft from engine combustion impulses. Coupling rated for instantaneous torques up to 3× nominal during short-circuit events. Seismically qualified. SIL 3 via parent — coupling failure results in immediate loss of electrical output. |
| Cyber attack on diesel generator control system hazard | 40043B59 | Malicious interference with EDG digital control or protection systems. Potential attack vectors: maintenance laptop, compromised firmware, network intrusion if connected. Consequences: prevent start, cause spurious trip, mask alarms, alter setpoints. IEC 62645 and ONR guidance require cyber security assessment and hardening of nuclear I&C. Air-gapping and secure development processes required. |
| Degraded Operation mode of Emergency Diesel Generator | 50541A51 | EDG running but with reduced capability or margin due to equipment fault or environmental condition. Examples: one turbocharger failed (reduced max power), cooling system degraded (reduced continuous rating), fuel quality degraded (reduced reliability). Operator must assess whether degraded EDG satisfies minimum safety function. May trigger entry into Limiting Condition for Operation requiring shutdown if not restored. Automatic protection trips may be bypassed with operator authorisation to maintain core cooling during genuine emergency. |
| Detect Loss of Offsite Power | 44F77811 | System function of nuclear EDG: detects grid undervoltage below 5.94kV (90% nominal) within 100ms using redundant undervoltage relays on the 6.6kV safety bus. Input: grid voltage from potential transformers. Output: LOOP signal to EDG start circuit. Safety-critical function — false negative delays start, false positive causes unnecessary start. |
| Diesel Engine Assembly | DEC51018 | Subsystem of nuclear EDG: medium-speed 4-stroke turbocharged diesel engine (typically 12-18 cylinders, 1000-3000 kW class). Functions: cranking/starting, fuel injection and combustion, mechanical power output to alternator shaft. Key components: engine block, crankshaft, pistons, cylinder liners, turbocharger, exhaust manifold, flywheel coupling. Operating at 750 or 1000 rpm depending on generator pole count. Must start reliably from -10°C to +40°C. Seismic Category I qualified mounting. |
| Diesel Engine Block and Crankcase | DE851018 | Main structural casting of a medium-speed (750 rpm) 4-stroke turbocharged diesel engine rated ~2-4 MW for nuclear emergency power generation. Houses crankshaft, cylinder liners, piston assemblies, and main bearing journals. Cast ductile iron construction, seismically qualified per EUR Category I (0.2g PGA). Key interfaces: cylinder liners receive fuel/air charge, crankshaft transfers mechanical energy to generator shaft coupling, sump provides oil reservoir for lubrication system, coolant passages interface to engine cooling system. SIL 3 via parent. Failure mode: catastrophic crankcase fracture (seismic), cylinder liner scoring (lubrication failure). |
| Diesel Engine Turbocharger | C6C51018 | Exhaust-gas driven centrifugal turbocharger on a medium-speed nuclear-grade diesel engine. Compresses combustion air from atmospheric to ~2.5 bar absolute, enabling full rated power output. Coupled to aftercooler (intercooler) to reduce charge air temperature and increase air density. Turbocharger rotor speed typically 20,000-40,000 rpm. No lubrication from external systems — bearing oil supplied from engine main oil gallery at 4-6 bar. Seismically qualified. Failure mode: turbine blade failure causes loss of boost pressure and 60-70% derated output; bearing failure causes oil fire risk. |
| Diesel Fuel Injection System | D6D53218 | High-pressure mechanical fuel injection system for a nuclear-grade medium-speed diesel engine, comprising a camshaft-driven injection pump, high-pressure fuel lines (up to 1500 bar), and injector nozzles per cylinder. Receives filtered diesel fuel from the day tank at 3-5 bar feed pressure. Injection timing and quantity controlled by mechanical governor at low load and by an electronic governor overlay at rated speed. No software in the safety-critical injection path. Failure mode: injector nozzle wear causes misfiring, injection pump seizure causes engine stop. SIL 3 via parent — loss of injection results in loss of power generation. |
| Diesel Fuel Supply Infrastructure | 46851259 | External fuel delivery system: road tanker access, bulk storage tanks, fuel transfer pumps, day tank replenishment. Must provide diverse supply routes and 7-day inventory. Interface with site fuel management system for inventory monitoring and reorder. |
| Diesel Generator Original Equipment Manufacturer | 40805098 | Company that designed and supplied the diesel generator set. Provides technical support, spare parts, engineering change notices, and service bulletins. May provide long-term service agreement. Source of design basis information and qualification documentation. Key supplier for life extension and obsolescence management. |
| EDG Building Access Control System | 54AD7859 | Physical security and access management for a nuclear-licensed EDG building. Card-reader and keypad entry to nuclear security zone; CCTV covering all entry points and engine room; intruder detection (PIR and door contacts) linked to site security alarm system. Emergency exit routes with break-glass release. Visitor/contractor management via permit-to-work system. Access control power backed by Class 1E 125VDC to maintain security logging during LOOP. Not safety-related (SIL 0) but interfacing with site physical protection plan under ONR security assessment principles. |
| EDG Building and Support Systems | DE851018 | Subsystem of nuclear EDG: physical enclosure housing one EDG train with associated support systems. Functions: provide Seismic Category I building structure (reinforced concrete), fire detection and CO2/foam suppression, building HVAC for combustion air and heat removal, lighting, seismic mounting for engine-generator skid, personnel access with radiological/industrial safety provisions. Each train housed in separate fire-rated building to prevent common cause failure. Building must withstand 0.2g PGA DBE and external hazards (flooding, missile protection per site safety case). |
| EDG Building HVAC System | 55F73018 | Engine room ventilation system for a nuclear-grade EDG building. Supplies combustion air at ≥0.5 kg/s per MW rated output through louvred intakes; exhausts engine room heat via thermostatically controlled roof fans to maintain ambient ≤40°C at full load; maintains slight negative pressure in engine room to prevent fuel vapour accumulation in occupied areas. Fan motors are Class 1E-qualified at SIL 2. Controls integrated with EDG control panel: fans auto-start on engine start signal, fail-safe open on loss of control power. Seismically qualified to same standard as building structure. |
| EDG Building Structure | CE851058 | Seismic Category I reinforced concrete building housing one EDG train on a UK nuclear licensed site. Provides missile and blast protection to NUREG-0800/BS EN 1998-1 standards; floor-to-roof height ~8m to accommodate engine exhaust routing; mass concrete walls ≥600mm thick; tornado-missile-proof louvres on combustion air intake and exhaust openings. Building maintains structural integrity at 0.2g PGA design basis earthquake. Provides physical separation between EDG trains to prevent common-cause structural failure. |
| EDG Failure to Start scenario | 00841200 | Failure scenario: one EDG fails to start on LOOP signal. Tests redundancy and operator response. Scenario involves diagnosis of failure cause, reliance on redundant EDG, entry into limiting condition for operation, maintenance mobilisation. |
| EDG Flood and Drainage System | CE851018 | Passive and active flood protection for the EDG building. Ground-level flood barriers (kerbs and door seals) to 600mm above external finished floor level matching the site design basis flood. Internal bunded sump to contain maximum fuel day-tank volume (4,000L) plus lube oil system volume with no external spillage. Sump pump with high-level alarm to main control room. Drainage routed to controlled discharge point. Designed to maintain EDG operability during and after design basis external flood event (concurrent with LOOP per nuclear ConOps). Seismically qualified Class 1E instrumentation. |
| EDG Instrumentation and Control System | 55F77858 | Subsystem of nuclear EDG: provides monitoring, control, and protection functions for diesel engine and generator. Functions: measure all operating parameters (kW, Hz, V, A, oil pressure, coolant temp, exhaust temp, vibration), transmit to main control room, process operator commands, manage AVR and governor setpoints, execute hardwired protection trips (overspeed >115%, high coolant temp, low oil pressure, overcurrent). Safety-critical trip functions are hardwired and independent of digital control. Local control panel in EDG building, remote interface to MCR. Must comply with IEC 62645 cyber security and IEC 61513 nuclear I&C standards. |
| EDG Instrumentation and Control Technician | 00A530F8 | Specialist in control systems, protection logic, and instrumentation. Calibrates sensors, tests protection relays, maintains PLC/DCS systems, troubleshoots electrical faults. Works under nuclear I&C quality programme. Requires specific training on EDG control system architecture. Responds to spurious alarms and control faults. |
| EDG Mechanical Maintenance Technician | 018C28F8 | Skilled tradesperson responsible for mechanical maintenance of diesel engines. Performs oil changes, filter replacement, injector servicing, turbocharger maintenance, coolant system work. Works under work permit system with LOTO. Must be trained on nuclear safety culture and EDG-specific procedures. Responds to call-outs for emergency repairs. |
| EDG Trip During Operation scenario | 00040200 | Running EDG trips unexpectedly mid-mission due to genuine or spurious protection actuation. Tests transfer to redundant EDG and diagnosis under pressure. |
| Electrical Switchgear and Load Sequencer | 55F73A58 | Subsystem of nuclear EDG: manages electrical connections between EDG output, 6.6kV emergency bus, and normal grid supply. Functions: detect LOOP via undervoltage relays, open/close generator output breaker, sequence safety load breakers in priority order (charging pumps → component cooling → HVAC) over 60s, manage return-to-grid transfer with synchronisation check, prevent paralleling with degraded grid. Key components: generator breaker, bus section breakers, load breakers, undervoltage relays, synch-check relay, load sequencer logic (PLC or relay-based), CTs and PTs. SIL 3 for LOOP detection function. |
| Emergency Diesel Generator for a UK Nuclear Licensed Site | DFF73A59 | Standby electrical power generation system installed at a UK nuclear licensed site, providing emergency AC power to safety-critical loads when normal grid supply is lost. Must comply with Office for Nuclear Regulation (ONR) Safety Assessment Principles, IEC 61513 for I&C, IEC 62645 for cybersecurity, and UK Nuclear Site Licence Conditions. Operates in seismic Category I environment, designed to withstand design basis earthquake. Comprises diesel engine, alternator, fuel system, cooling system, starting system, and control/protection systems. Must achieve defined reliability targets (e.g., 0.999 start-on-demand) and reach rated power within specified time (typically 10-15 seconds). Safety function: maintain cooling of reactor fuel during loss-of-offsite-power events to prevent core damage. |
| Emergency Start mode of Emergency Diesel Generator | 55F73A58 | Automatic start sequence initiated by loss-of-offsite-power detection or manual emergency start. Air motor cranks engine, fuel injection begins, engine fires and accelerates to rated speed. Parallel sequence energises field excitation, builds voltage, synchronises to emergency bus. Duration: 10-15 seconds from start signal to rated voltage and frequency. Critical window where start failure constitutes safety system unavailability. Multiple redundant start air receivers and starting motors for reliability. |
| Engine Cooling System | 57D73010 | Subsystem of nuclear EDG: removes 30-40% of engine thermal output via closed-loop jacket water circuit. Functions: circulate coolant through engine block and heads, reject heat via radiator/fan units (air-cooled design) or raw water heat exchanger (water-cooled), regulate temperature via thermostatic valves, cool turbocharger aftercooler. Must maintain coolant below 95°C at full load in 40°C ambient. Failure leads to engine trip (H-006, SIL 2). Includes pre-heater to keep engine warm in standby. |
| Engine cooling system failure hazard | 00050200 | Loss of coolant, pump failure, radiator blockage, or ultimate heat sink unavailability. Diesel engines generate significant waste heat requiring continuous removal. Consequence: engine overheats, trips on high temperature, or seizes. Particularly critical in extended run scenarios. Some EDGs use raw water cooling from ultimate heat sink; failure of that sink affects EDG. |
| Engine Exhaust System | CEC51018 | Exhaust gas routing system for a nuclear-grade medium-speed diesel engine in an enclosed EDG building. Comprises: turbine-side exhaust manifold, expansion bellows (seismic isolation), silencer/muffler, and insulated exhaust stack penetrating the EDG building roof. Exhaust gas temperature at manifold 400-550°C. Stack sized to prevent exhaust recirculation into engine air intake under all wind directions. Equipped with spark arrestor for fire safety (diesel fuel environment). Seismically qualified supports per EUR Category I. Failure mode: exhaust manifold crack causes hot gas release in building, silencer blockage causes backpressure and engine trip. |
| Engine Governor and Speed Control Unit | D5F73A18 | Isochronous speed governor for a nuclear-grade emergency diesel generator engine. Maintains 50 Hz ±2% output frequency under transient loads by controlling fuel injection rack position via electro-hydraulic actuator. Incorporates: (1) mechanical overspeed trip at 115% rated speed (750 rpm nominal → trip at ~863 rpm) — hardwired, not software; (2) electronic speed sensor providing speed feedback to digital governor processor; (3) speed setpoint adjustment for synchronisation. Receives 24VDC from Class 1E battery. SIL 3 via parent — loss of speed control can cause overspeed trip or frequency deviation outside ±2%. |
| Engine overspeed hazard | 00011211 | Governor failure causes engine to accelerate beyond safe speed. Consequences: mechanical destruction of engine, projectile hazard from disintegrating components, fire from fuel spray. Diesel engines have stored kinetic energy in flywheel and reciprocating mass. Overspeed protection must be diverse (mechanical and electronic). |
| Engine Protection Relay Package | D6B73858 | Hardwired relay-based protection package for a nuclear-grade emergency diesel engine. Implements four independent trip functions per ARC-REQ-002 (SYS-REQ-010 in prior numbering): (1) overspeed trip (>115% rated speed, 2s response), (2) high coolant temperature (>90°C on jacket water, 2s response), (3) low lubricating oil pressure (<2.0 bar, 2s response), (4) overcurrent/overload (electrical, 2s response). Each trip channel is physically separate with independent sensors and relay coils. Hardwired circuits prevent defeat by software or cyber attack. Powered from 125VDC Class 1E battery. SIL 3 — directly implements engine safety trips for H-001 (engine overspeed), H-003 (lubrication failure), H-006 (cooling failure). |
| Exhaust Silencer and Discharge Stack | CE851018 | Engineered exhaust gas routing system for a nuclear-grade medium-speed diesel engine within a Category I building on a UK nuclear site. Routes hot exhaust gases (600-700°C) from the turbocharger outlet through a purpose-built silencer vessel and vertical discharge stack to atmosphere. Silencer maintains engine backpressure below 50 mbar at rated load; stack penetrates building roof with missile-proof flanged rain cap. Both silencer vessel and stack are seismically restrained to Seismic Category I standards. Stainless steel construction; thermal insulation prevents surface temperatures exceeding 60°C at accessible surfaces per UK Health and Safety Executive guidance. |
| Failure to start on demand hazard | 00051219 | EDG fails to start when LOOP signal received. Causes: air start system failure, fuel system blockage, control logic fault, battery failure. Consequence: no AC power to safety loads, potential loss of reactor cooling, core damage within hours if not recovered. This is the primary safety concern for nuclear EDGs. |
| Fire in diesel generator building hazard | 04000211 | Fire originating from fuel leak, lube oil leak, exhaust system failure, or electrical fault. Large fuel inventory (thousands of litres), hot exhaust surfaces, and electrical equipment create fire triangle. Consequence: loss of EDG, potential common-cause failure if fire spreads to adjacent EDG, personnel injury. Nuclear sites require fire barriers between redundant safety systems. |
| Fuel contamination or exhaustion hazard | 00010218 | Fuel unusable due to water ingress, microbial growth, or simply running out during extended LOOP. Day tank depletion, bulk tank depletion, fuel transfer pump failure, or blocked fuel lines. Consequence: engine stops mid-mission. Nuclear sites typically require 7 days fuel inventory with diverse supply arrangements. Fuel quality monitoring is ongoing requirement. |
| Fuel Oil System | 5E951018 | Subsystem of nuclear EDG: stores, conditions, and delivers EN 590 diesel fuel to engine injection system. Functions: bulk storage (50,000L capacity per train, 7-day inventory), automatic day tank transfer, water/contamination monitoring, fuel filtering (10-micron), fuel heating in cold weather. Key components: bulk storage tanks, day tank, transfer pumps (redundant), duplex filters, fuel oil cooler, water separator, level instrumentation. Seismic Category I piping and tank anchorage. |
| Generate Electrical Power | 54D53218 | System function of nuclear EDG: converts diesel engine mechanical rotation to 6.6kV 50Hz 3-phase electrical power via synchronous alternator with automatic voltage regulator. Input: shaft rotation at rated speed. Output: 6.6kV ±10%, 50Hz ±2% electrical power up to rated kW. Continuous duty for minimum 7 days. |
| Generator Circuit Breaker | D6B53018 | 6.6kV vacuum circuit breaker connecting the EDG synchronous generator to the Class 1E emergency AC bus. Motor-operated mechanism with spring-charged close/trip coils powered from Class 1E 125VDC. Rated fault current interruption capacity approximately 25kA symmetrical at 6.6kV. Receives close command from synchronising check relay and trip command from generator protection relay package and I&C system. Operates in the nuclear-grade switchgear environment at up to 40°C ambient with seismic qualification to OBE/SSE requirements. Must trip within 100ms on protection command. |
| Generator Electrical Protection Relay Package | D0F57058 | Numerical protection relay providing electrical protection for the 6.6kV synchronous generator and its interconnection to the emergency bus. Functions include: differential protection (87G), overcurrent (51), loss-of-excitation (40), reverse power (32), overvoltage (59), undervoltage (27), negative sequence (46). Trip output to Generator Circuit Breaker within 100ms. Class 1E qualified, seismic-qualified to OBE/SSE. Powered from Class 1E 125VDC. Isolated from non-Class 1E systems via qualified isolation devices. |
| Load Sequencer Logic Controller | D4B53A58 | Hardwired relay logic controller (or qualified PLC for SIL 3) that sequences connection of safety loads to the 6.6kV emergency AC bus following generator breaker closure. Implements fixed priority table: Group 1 (reactor cooling pump, RCP seal injection), Group 2 (emergency feedwater), Group 3 (auxiliary systems). Inter-group time delay 500ms minimum to prevent simultaneous inrush exceeding generator transient capability. Powered from Class 1E 125VDC. Seismic-qualified. No software modifications permitted without Class 1E qualification. |
| Local Community near Nuclear Site | 000412BD | Residents and businesses within the emergency planning zone around the nuclear site. Concerned about nuclear safety and environmental impact. Represented through Site Stakeholder Group and local authority liaison. Could be affected by accident or emergency requiring evacuation. Expects reliable backup power to prevent accidents. |
| Loss of Offsite Power Response scenario | 51F77A10 | Primary ConOps scenario for EDG: grid failure triggers automatic start sequence. Scenario begins with stable reactor operation at power, EDG in standby ready. Grid voltage drops below threshold, LOOP relays actuate, start signal sent to EDG. Air motors crank engine, fuel injection begins, engine fires within 3 seconds. Voltage builds, synchronises to emergency bus within 10 seconds. Safety loads sequenced onto bus. Operator verifies EDG parameters from control room. EDG runs continuously until grid restored hours or days later. Controlled transfer back to grid, EDG cooldown, return to standby. |
| Loss of output during operation hazard | 00010209 | EDG stops or trips while supplying safety loads during LOOP event. Causes: fuel exhaustion, cooling failure, protection trip (overspeed, low oil pressure, high temperature). Consequence: loss of AC power during event when offsite power unavailable, potential core damage. More severe than failure to start because loads were relying on EDG. |
| Lubrication Oil System | 56951218 | Subsystem of nuclear EDG: provides pressurised lubricating oil to engine bearings, turbocharger bearings, and valve train. Functions: pre-lube in standby (electric pump), main lube during operation (engine-driven pump), oil filtering (25-micron duplex), oil cooling via heat exchanger, oil level and pressure monitoring. Key components: engine-driven oil pump, electric pre-lube pump, duplex oil filter, oil cooler, sump/wet sump, pressure relief valve, low-pressure trip switch. Oil quality degrades with runtime — condition monitoring drives maintenance intervals. |
| Maintenance Out-of-Service mode of Emergency Diesel Generator | 40843A58 | Controlled isolation for preventive or corrective maintenance. Engine de-energised, fuel isolated, start inhibited, lockout-tagout applied. Work includes oil changes, filter replacement, injector servicing, overhauls. Entry requires formal work control process and approval considering reactor state and redundancy. Duration limited by Technical Specifications (e.g., 72 hours with reactor at power). Return-to-service requires post-maintenance testing before declaring operable. Multiple EDGs ensure at least one remains available during maintenance of another. |
| Monitor and Control EDG | 55F57818 | System function of nuclear EDG: provides instrumentation for all operating parameters (kW, Hz, V, oil pressure, coolant temp, exhaust temp), transmits to main control room displays, processes operator commands (manual start/stop, transfer authorisation), manages automatic voltage regulator and governor. Includes local control panel in EDG building and remote interface to MCR. |
| Monthly Surveillance Test scenario | 00802A50 | Routine periodic testing to demonstrate EDG availability per Technical Specifications. Tests start reliability, load capacity, and transfer time without challenging system during genuine emergency. |
| National Grid Transmission System | 54F77258 | UK 400kV/275kV transmission network operated by National Grid ESO. Primary power source for nuclear site. EDG function is to replace this when unavailable. Interface via site grid connection (typically 400kV or 132kV). LOOP detection based on grid voltage/frequency monitoring. |
| Nuclear Plant Control Room Operator | 00AD6AF9 | Licensed operator responsible for monitoring and controlling reactor and safety systems from main control room. Initiates manual EDG starts, monitors EDG status, authorises transfers between power sources. Works 12-hour rotating shifts. Must hold valid Site Licence Condition 12 authorisation. Primary human interface with EDG during normal and emergency operations. |
| Nuclear Plant Protection System | 51F77859 | Safety I&C system that detects unsafe conditions and initiates reactor trip and engineered safeguards actuation. Sends LOOP signal to EDG start logic. Receives confirmation of EDG availability for logic decisions. Class 1E, qualified to IEC 61513. |
| Nuclear Plant Shift Supervisor | 01857AF9 | Senior authorised person with overall responsibility for safe plant operation during shift. Makes decisions on LCO entry/exit, authorises EDG maintenance, directs emergency response. Reports to Site Manager. Required to approve any non-routine EDG operation. Accountable for compliance with Operating Technical Specifications. |
| Nuclear Safety Bus Electrical Distribution | 54853059 | Class 1E electrical distribution bus supplying power to nuclear safety-related loads: reactor coolant pumps, emergency feedwater pumps, HVAC, essential lighting, safety I&C. Receives power from grid or EDG via automatic transfer. Voltage typically 6.6kV or 11kV for large motors, stepped down for smaller loads. |
| Nuclear Site Licence Company | 008538FD | Organisation holding the nuclear site licence from ONR, responsible for nuclear safety. Owns and operates the nuclear power station. Bears ultimate responsibility for EDG availability and compliance. Funds maintenance, modifications, and life extension. Employs all site personnel. Must demonstrate adequate financial and technical resources to maintain nuclear safety. |
| Nuclear Ultimate Heat Sink | 02850011 | Final repository for decay heat removal: sea, river, cooling pond, or atmosphere. EDG cooling system may use raw water from ultimate heat sink for engine jacket cooling. Loss of UHS affects both reactor cooling and EDG cooling. Design must consider UHS availability under accident conditions. |
| Office for Nuclear Regulation | 008578FD | UK independent nuclear safety regulator. Enforces compliance with Nuclear Installations Act 1965 and Site Licence Conditions. Reviews and approves safety cases. Conducts inspections. Can issue improvement notices or prohibit unsafe operations. Requires demonstration of EDG reliability and adequacy of emergency power provisions. Key regulatory stakeholder whose approval is required for design changes. |
| Planned Major Maintenance scenario | 40843A59 | Scheduled overhaul of EDG during reactor outage. Tests maintenance isolation, return-to-service process, and configuration control. |
| Protect Engine from Damage | 41B73800 | System function of nuclear EDG: monitors engine parameters and triggers protective shutdown on overspeed (>115% rated), high coolant temperature, low oil pressure, and overcurrent. Hardwired trip circuits independent of digital control system. Must act within 2 seconds of setpoint. Includes mechanical overspeed trip as ultimate backup. Addresses hazards H-003 (overspeed) and H-006 (cooling failure). |
| Provide Starting Energy | 56C51018 | System function of nuclear EDG: stores and delivers compressed air at 30 bar to pneumatic starting motors that crank the diesel engine to firing speed (150 rpm). Includes air compressor, receiver tanks (sized for 5 consecutive start attempts without recharge), moisture separator, and solenoid-operated start valves. Must function at -10°C. Battery backup for start valve control. |
| Running Loaded mode of Emergency Diesel Generator | 55F73A18 | Full-power operation supplying emergency AC bus with safety loads connected. Engine running at rated speed (typically 750 or 1000 rpm for 50Hz), alternator producing rated voltage (typically 6.6kV or 11kV) and frequency (50Hz). Continuous monitoring of oil pressure, coolant temperature, exhaust temperature, vibration, output power quality. Automatic load shedding if overload detected. Duration: potentially hours to days depending on grid restoration. The EDG must run continuously without human intervention until offsite power is restored or reactor reaches cold shutdown. |
| Seismic damage to diesel generator hazard | 10000259 | Earthquake exceeding design basis damages EDG structure, piping, or anchorage. Diesel engines are heavy rotating machinery requiring robust mounting. Fuel and cooling pipes can fail at supports. Control cabinets can fall. UK seismic hazard is low but not negligible; design basis earthquake for nuclear sites is typically 0.1-0.25g PGA. Post-earthquake inspection may be required before relying on EDG. |
| Sequence Safety Loads | 40B53A10 | System function of nuclear EDG: connects safety loads to emergency bus in priority order to prevent generator overload during cold start. Sequence: charging pumps first, then component cooling water pumps, then HVAC. Input: EDG at rated voltage. Output: timed closure of load breakers over 60-second window. Load acceptance must not cause voltage dip below 75% nominal. |
| Spurious start or protection trip hazard | 00000010 | EDG starts when not required (wasting fuel, causing wear, creating noise) or protection trips when not justified (causing loss of power during genuine emergency). Causes: sensor drift, EMI, software bugs, wiring faults. Consequence: reduced reliability, reduced remaining life, potential loss of power during actual LOOP if spurious trip. Nuclear-grade I&C requires extensive verification and fail-safe design. |
| Standby Ready mode of Emergency Diesel Generator | 50B43218 | Quiescent state where the EDG is not running but is pre-heated, pre-lubricated, and maintained ready for immediate start. Fuel tanks full, batteries charged, jacket water heaters maintaining engine block at 40-50°C so that the engine never has to cold-start. Continuous monitoring via supervisory system. Entry: post-maintenance return-to-service or post-test shutdown. Exit: start signal from LOOP detection or manual initiation. Duration: 99%+ of operational life. The EDG must be capable of transitioning to running within 10-15 seconds from this state. |
| Start and Accelerate Diesel Engine | 55F53218 | System function of nuclear EDG: cranks diesel engine using compressed air starting motors to 150 rpm, initiates fuel injection, accelerates to rated speed (750 or 1000 rpm depending on pole count). Input: LOOP start signal, starting air at 30 bar. Output: mechanical shaft rotation at rated speed within 8-10 seconds. Must achieve reliable ignition across -10°C to +40°C ambient range. |
| Starting Air System | 56D51018 | Subsystem of nuclear EDG: stores and delivers compressed air at 25-30 bar to pneumatic starting motors for engine cranking. Functions: compress and store starting air (sized for 5 consecutive start attempts without recharge), deliver via solenoid valves to air motors, crank engine to 150 rpm firing speed. Key components: air compressor (electric-driven), two air receiver tanks per train, moisture separator, solenoid start valves, air start motor/distributor, pressure instruments. Must function at -10°C — moisture in air lines is a common cause of failure to start. |
| Station Blackout scenario | 00000201 | Worst-case scenario: LOOP coincides with failure of all EDGs (common cause). Tests diverse backup power, coping time, and emergency procedures. |
| Supply and Manage Fuel | 42973218 | System function of nuclear EDG: stores, transfers, filters, and delivers diesel fuel from 50,000L bulk tanks through day tank to engine injection system. Automatic bulk-to-day-tank transfer on level. Fuel quality monitoring for water contamination per EN 590. Must sustain 7-day operation at 100% load without external replenishment. |
| Surveillance Test mode of Emergency Diesel Generator | 54C43A50 | Periodic testing to demonstrate EDG availability and reliability per Technical Specifications. Includes monthly start tests, load run tests, 24-hour endurance runs. Testing must minimise challenge to the system while providing confidence in start-on-demand probability. Test procedure requires pre-test checks, controlled start (either fast or slow depending on test type), load application, parameter monitoring, and controlled shutdown. ONR requires demonstration of 0.975+ start reliability. Testing creates temporary unavailability risk managed through limiting conditions for operation. |
| Synchronising Check Relay | D4B73810 | Relay verifying voltage magnitude, frequency, and phase angle match between the EDG output and a live emergency bus before permitting Generator Circuit Breaker closure. Voltage match window: ±10% of 6.6kV. Frequency match window: ±0.5Hz. Phase angle window: ±10 degrees. Includes dead-bus override: when bus is de-energised (LOOP condition), closes GCB without synchronising check. Class 1E qualified. Powered from Class 1E 125VDC. Critical for preventing out-of-phase closing which could damage the generator. |
| Synchronous Generator | D6F53018 | Subsystem of nuclear EDG: brushless synchronous alternator rated for continuous duty at 6.6kV 50Hz 3-phase output. Functions: convert shaft rotation to electrical power, regulate voltage via automatic voltage regulator (AVR) and excitation system. Key components: stator windings, rotor, brushless exciter, AVR, output terminals, neutral grounding. Must maintain ±10% voltage and ±2% frequency from no-load to 110% rated. Directly coupled to diesel engine flywheel. |
| Transfer Power to Grid and Back | 40B53A18 | System function of nuclear EDG: manages electrical connection between EDG output, emergency bus, and normal grid supply. Includes generator output breaker, bus tie breaker, LOOP detection relays, and synchronising equipment for return-to-grid transfer. Must prevent paralleling EDG with degraded grid. Return-to-service requires 30-minute grid stability verification. |
| UK nuclear site seismic qualification environment | 40853851 | Seismic Category I qualification required for nuclear safety-related SSCs. UK design basis earthquake typically 0.1-0.25g peak ground acceleration. EDG must remain functional during and after DBE. Requires seismic analysis, anchorage design, and qualification testing. |
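The permissive logic described for the Synchronising Check Relay in the table above, written out as an added Python example (this is not code from the page or from the project it describes). It applies the voltage, frequency and phase-angle windows the table states, and the dead-bus override that closes the GCB onto a de-energised bus without a synchronising check. Two details are assumptions, not values from the page: the 0.5 kV dead-bus threshold, and the gate that refuses any closing while the generator itself is outside its own ±10% voltage window.

```python
"""Synchronising check relay permissive with dead-bus override (added example)."""
from dataclasses import dataclass
from typing import Tuple

NOMINAL_KV = 6.6
VOLT_TOL_KV = 0.10 * NOMINAL_KV   # voltage match window: +/-10% of 6.6 kV (from the table)
FREQ_TOL_HZ = 0.5                 # frequency match window: +/-0.5 Hz (from the table)
ANGLE_TOL_DEG = 10.0              # phase angle window: +/-10 degrees (from the table)
DEAD_BUS_KV = 0.5                 # ASSUMPTION: below this the bus is treated as de-energised


@dataclass(frozen=True)
class BusState:
    """Measured quantities on one side of the Generator Circuit Breaker."""
    kv: float         # line voltage in kV
    hz: float         # frequency in Hz
    angle_deg: float  # phase angle in degrees, 0..360


def angle_difference(a: float, b: float) -> float:
    """Smallest signed difference a - b in degrees, wrapped into [-180, 180)."""
    return (a - b + 180.0) % 360.0 - 180.0


def sync_check(gen: BusState, bus: BusState) -> Tuple[bool, str]:
    """Return (close_permitted, reason) for a GCB close request.

    Order matters: the generator-voltage gate is evaluated first so that the
    dead-bus override can never close the breaker onto a generator that is
    not yet at voltage (the gate itself is an assumption, see lead-in).
    """
    if abs(gen.kv - NOMINAL_KV) > VOLT_TOL_KV:
        return False, "blocked: generator voltage outside +/-10% of 6.6 kV"

    # Dead-bus override: LOOP condition, bus de-energised, close without sync check.
    if bus.kv < DEAD_BUS_KV:
        return True, "dead-bus override: bus de-energised, closing without synchronising check"

    # Live bus: all three windows must be satisfied before closing is permitted.
    if abs(gen.kv - bus.kv) > VOLT_TOL_KV:
        return False, "blocked: voltage mismatch between generator and emergency bus"
    if abs(gen.hz - bus.hz) > FREQ_TOL_HZ:
        return False, "blocked: frequency mismatch between generator and emergency bus"
    if abs(angle_difference(gen.angle_deg, bus.angle_deg)) > ANGLE_TOL_DEG:
        return False, "blocked: phase angle mismatch, out-of-phase closing risk"
    return True, "synchronised: GCB closing permitted"


if __name__ == "__main__":
    # Constructed sample cases, not measurements from the page.
    generator = BusState(kv=6.6, hz=50.0, angle_deg=0.0)
    for label, bus in [
        ("live bus, in window", BusState(6.6, 50.0, 5.0)),
        ("live bus, 15 deg slip", BusState(6.6, 50.0, 15.0)),
        ("live bus, +0.6 Hz", BusState(6.6, 50.6, 0.0)),
        ("dead bus (LOOP)", BusState(0.0, 0.0, 0.0)),
    ]:
        print(f"{label:24s} -> {sync_check(generator, bus)}")
```

The wrap in `angle_difference` is what keeps a generator at 355 degrees and a bus at 5 degrees inside the window; comparing raw angles would wrongly block that close and, worse, could permit a close across a near-180 degree slip if angles were ever reported on different ranges.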

| Component | Belongs To |
|---|---|
| Diesel Engine Assembly | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Synchronous Generator | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Fuel Oil System | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Engine Cooling System | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Lubrication Oil System | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Starting Air System | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| EDG Instrumentation and Control System | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Electrical Switchgear and Load Sequencer | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| EDG Building and Support Systems | Emergency Diesel Generator for a UK Nuclear Licensed Site |
| Diesel Engine Block and Crankcase | Diesel Engine Assembly |
| Diesel Fuel Injection System | Diesel Engine Assembly |
| Diesel Engine Turbocharger | Diesel Engine Assembly |
| Engine Governor and Speed Control Unit | Diesel Engine Assembly |
| Engine Protection Relay Package | Diesel Engine Assembly |
| Engine Exhaust System | Diesel Engine Assembly |
| Crankshaft and Flexible Shaft Coupling | Diesel Engine Assembly |
| Generator Circuit Breaker | Electrical Switchgear and Load Sequencer |
| Bus Undervoltage Sensing Relay | Electrical Switchgear and Load Sequencer |
| Load Sequencer Logic Controller | Electrical Switchgear and Load Sequencer |
| Generator Electrical Protection Relay Package | Electrical Switchgear and Load Sequencer |
| Synchronising Check Relay | Electrical Switchgear and Load Sequencer |
| Class 1E Switchgear Control Power Supply | Electrical Switchgear and Load Sequencer |
| Stator and Stator Winding Assembly | Synchronous Generator |
| Rotor and Field Winding | Synchronous Generator |
| Automatic Voltage Regulator | Synchronous Generator |
| Generator Neutral Earthing Unit | Synchronous Generator |
| Generator Cooling Fan | Synchronous Generator |
| Bulk Storage Tank | Fuel Oil System |
| Day Tank | Fuel Oil System |
| Fuel Transfer Pump | Fuel Oil System |
| Fuel Oil Strainer and Filter Assembly | Fuel Oil System |
| Day Tank Level Control and Alarm | Fuel Oil System |
| Engine Jacket Water Circuit | Engine Cooling System |
| Radiator/Heat Exchanger | Engine Cooling System |
| Coolant Circulation Pump | Engine Cooling System |
| Thermostatic Control Valve | Engine Cooling System |
| Engine Pre-heat System | Engine Cooling System |
| Engine Lube Oil Sump | Lubrication Oil System |
| Engine-Driven Lube Oil Pump | Lubrication Oil System |
| Pre-Lube and Post-Lube Pump | Lubrication Oil System |
| Lube Oil Cooler | Lubrication Oil System |
| Lube Oil Filter and Strainer | Lubrication Oil System |
| Ventilation and Combustion Air System | EDG Building and Support Systems |
| Exhaust Silencer and Discharge Stack | EDG Building and Support Systems |
| Fire Detection and Suppression System | EDG Building and Support Systems |
| Category 1 Building Structure | EDG Building and Support Systems |
| Drain and Spill Containment System | EDG Building and Support Systems |
| EDG Building Structure | EDG Building and Support Systems |
| EDG Building HVAC System | EDG Building and Support Systems |
| EDG Flood and Drainage System | EDG Building and Support Systems |
| EDG Building Access Control System | EDG Building and Support Systems |

| From | To |
|---|---|
| Bus Undervoltage Sensing Relay | Generator Circuit Breaker |
| Synchronising Check Relay | Generator Circuit Breaker |
| Generator Electrical Protection Relay Package | Generator Circuit Breaker |
| Class 1E Switchgear Control Power Supply | Generator Circuit Breaker |
| Class 1E Switchgear Control Power Supply | Load Sequencer Logic Controller |
| EDG Building HVAC System | Diesel Engine Assembly |
| EDG Flood and Drainage System | Fuel Oil System |
| Coolant Circulation Pump | Engine Jacket Water Circuit |
| Engine Pre-heat System | Engine Jacket Water Circuit |
| Thermostatic Control Valve | Radiator/Heat Exchanger |
| Engine Cooling System | EDG Instrumentation and Control System |
| Fuel Transfer Pump | Day Tank |
| Day Tank Level Control and Alarm | Fuel Transfer Pump |
| Day Tank | Diesel Fuel Injection System |
| Fuel Oil Strainer and Filter Assembly | Diesel Fuel Injection System |
| Bulk Storage Tank | Fuel Transfer Pump |

| Component | Output |
|---|---|
| Diesel Engine Block and Crankcase | mechanical rotation at crankshaft |
| Diesel Fuel Injection System | metered fuel charge to cylinders |
| Diesel Engine Turbocharger | pressurised combustion air |
| Engine Governor and Speed Control Unit | fuel rack position signal at constant 50Hz |
| Engine Protection Relay Package | engine trip signal on fault |
| Engine Exhaust System | routed exhaust gas to atmosphere |
| Crankshaft and Flexible Shaft Coupling | mechanical power transfer to generator |
| Bus Undervoltage Sensing Relay | LOOP initiation signal |
| Generator Circuit Breaker | 6.6kV supply to emergency bus |
| Load Sequencer Logic Controller | sequenced load connect commands |
| Generator Electrical Protection Relay Package | GCB trip command |