Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org

| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Failure to start on demand | catastrophic | low | SIL 3 | Reactor trip with diverse backup power (gas turbine or batteries) or immediate controlled shutdown |
| H-002: Loss of output during operation | catastrophic | rare | SIL 3 | Automatic transfer to alternate EDG or grid restoration with reactor trip if neither available |
| H-003: Engine overspeed | critical | rare | SIL 2 | Engine stopped via mechanical overspeed trip and fuel cutoff |
| H-004: Fire in EDG building | critical | rare | SIL 2 | Fire suppression activated, EDG isolated, alternate EDG available |
| H-005: Fuel contamination or exhaustion | critical | low | SIL 2 | Transfer to alternate fuel tank, activate fuel replenishment, alternate EDG available |
| H-006: Cooling system failure | critical | low | SIL 2 | EDG trips on high temperature, alternate EDG takes load |
| H-007: Common cause failure of multiple EDGs | catastrophic | rare | SIL 4 | Diverse alternate AC source (gas turbine, portable generator), DC battery for essential loads, reactor trip and passive cooling |
| H-008: Seismic damage | critical | rare | SIL 2 | Post-seismic inspection before reliance, seismically qualified to design basis |
| H-009: Spurious start or protection trip | major | medium | SIL 1 | Operator verification, manual override with appropriate authorisation |
| H-010: Cyber attack on control system | catastrophic | rare | SIL 3 | Air-gapped backup controls, hardwired trips, manual local operation capability |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-REQ-008 | SIL 3 | The interface between the Diesel Engine Assembly (Fuel Injection System) and the Fuel Oil System SHALL deliver filtered diesel fuel at 3.0 to 5.0 bar ... | Test |
| IFC-REQ-009 | SIL 3 | The interface between the Diesel Engine Assembly (Engine Block) and the Engine Cooling System SHALL accept coolant flow at the engine inlet at a minim... | Test |
| IFC-REQ-010 | SIL 3 | The interface between the Diesel Engine Assembly (Engine Block, Turbocharger) and the Lubrication Oil System SHALL provide lubricating oil at the main... | Test |
| IFC-REQ-011 | SIL 3 | The Starting Air System–Engine Assembly interface SHALL supply 25–30 bar compressed air to the air start distributor inlet, cranking the engine to at ... | Test |
| IFC-REQ-012 | SIL 3 | The interface between the Diesel Engine Assembly and the EDG Instrumentation and Control System SHALL provide continuous 4-20 mA analogue signals for:... | Inspection |
| IFC-REQ-013 | SIL 3 | The interface between the Diesel Engine Assembly (Crankshaft and Flexible Shaft Coupling) and the Synchronous Generator rotor shaft SHALL transmit rat... | Test |
| IFC-REQ-014 | SIL 3 | The interface between the EDG Instrumentation and Control System and the Starting Air System Air Start Valve SHALL transmit a 125VDC Class 1E start co... | Test |
| IFC-REQ-016 | SIL 3 | The interface between the Bus Undervoltage Sensing Relay and the Generator Circuit Breaker shall carry a hardwired Class 1E 125VDC discrete start init... | Test |
| IFC-REQ-017 | SIL 3 | The interface between the Synchronising Check Relay and the Generator Circuit Breaker SHALL carry a hardwired 125VDC discrete close-permission signal ... | Test |
| IFC-REQ-018 | SIL 3 | The interface between the Generator Electrical Protection Relay Package and the Generator Circuit Breaker SHALL deliver a hardwired trip signal via a ... | Test |
| IFC-REQ-022 | SIL 2 | The interface between the Coolant Circulation Pump and the Engine Jacket Water Circuit SHALL transmit coolant at a minimum flow rate of 150 L/min at 0... | Test |
| IFC-REQ-023 | SIL 2 | The interface between the Engine Pre-heat System and the Engine Jacket Water Circuit SHALL maintain standby jacket water temperature at ≥35°C using a ... | Demonstration |
| IFC-REQ-024 | SIL 2 | The interface between the Thermostatic Control Valve and the Radiator/Heat Exchanger SHALL route hot-side coolant flow to the heat exchanger at 0% to ... | Test |
| IFC-REQ-025 | SIL 2 | The interface between the Engine Cooling System and the EDG Instrumentation and Control System SHALL provide two independent 4-20 mA Pt100 temperature... | Inspection |
| IFC-REQ-026 | SIL 2 | The interface between the Fuel Transfer Pump and the Day Tank SHALL deliver fuel at a minimum transfer rate of 50 L/min from the Bulk Storage Tank, co... | Test |
| IFC-REQ-027 | SIL 2 | The interface between the Day Tank and the engine fuel injection system SHALL provide a continuous, uninterrupted fuel supply at 0.3 bar to 0.7 bar ga... | Test |
| IFC-REQ-028 | SIL 2 | The interface between the Fuel Oil Strainer and Filter Assembly and the engine fuel injection system SHALL provide clean fuel at ISO 4406 ≤16/13/10, w... | Inspection |
| SUB-REQ-001 | SIL 3 | The Diesel Engine Assembly SHALL achieve self-sustaining engine rotation within 3 seconds of receiving a start signal from the Starting Air System, wi... | Test |
| SUB-REQ-002 | SIL 3 | The Diesel Engine Assembly SHALL maintain engine speed within 750 rpm ±1.5 rpm (±0.2%) in steady-state operation under all loads from 0% to 110% rated... | Test |
| SUB-REQ-003 | SIL 3 | The Diesel Engine Assembly SHALL sustain continuous mechanical power output at 100% rated brake mean effective pressure for a minimum of 720 hours (30... | Analysis |
| SUB-REQ-004 | SIL 3 | The Engine Protection Relay Package SHALL detect engine overspeed exceeding 863 rpm (115% of rated 750 rpm), and SHALL trip the Diesel Fuel Injection ... | Test |
| SUB-REQ-005 | SIL 3 | The Engine Protection Relay Package SHALL detect engine lubricating oil pressure below 2.0 bar at the main oil gallery, and SHALL initiate an engine t... | Test |
| SUB-REQ-006 | SIL 3 | The Engine Protection Relay Package SHALL detect engine jacket water coolant temperature exceeding 90°C at the cylinder head outlet, and SHALL initiat... | Test |
| SUB-REQ-007 | SIL 3 | The Diesel Fuel Injection System SHALL meter fuel delivery with a maximum cylinder-to-cylinder variation of ±3% of mean fuel quantity per injection ev... | Test |
| SUB-REQ-008 | SIL 3 | The Diesel Engine Assembly, including all sub-components and their mounting interfaces, SHALL be qualified to remain functional during and after a sei... | Analysis |
| SUB-REQ-009 | SIL 3 | When any Engine Protection Relay Package trip setpoint is exceeded, the Diesel Engine Assembly SHALL transition to its safe state (all fuel injection ... | Test |
| SUB-REQ-012 | SIL 3 | The Engine Protection Relay Package SHALL implement a fail-safe de-energise-to-trip relay architecture such that loss of 125VDC control power to any t... | Demonstration |
| SUB-REQ-014 | SIL 3 | The Starting Air System Air Receiver Banks (A and B) SHALL each maintain a minimum stored pressure of 25 bar and a maximum operating pressure of 30 ba... | Test |
| SUB-REQ-015 | SIL 3 | The Starting Air System Air Start Valve and Distribution Manifold SHALL fully open and deliver compressed air to all engine cylinders within 0.5 secon... | Test |
| SUB-REQ-018 | SIL 3 | When Starting Air System receiver pressure drops to 27 bar on either bank, the Pressure Monitoring and Low-Pressure Alarm component SHALL generate a c... | Test |
| SUB-REQ-019 | SIL 3 | The EDG Instrumentation and Control System Automatic Start Logic Controller SHALL detect emergency bus undervoltage below 5.94 kV within 100 ms and is... | Test |
| SUB-REQ-020 | SIL 3 | The EDG Instrumentation and Control System Engine and Generator Protection Logic SHALL generate a de-energise-to-trip relay output within 200 ms of an... | Analysis |
| SUB-REQ-021 | SIL 3 | The EDG Instrumentation and Control System Qualified I/O Module Assembly SHALL provide Class 1E qualified electrical isolation of at least 1.5 kV RMS ... | Test |
| SUB-REQ-022 | SIL 3 | The EDG Instrumentation and Control System Plant Communication Gateway SHALL be implemented as a unidirectional data diode transmitting EDG status dat... | Inspection |
| SUB-REQ-023 | SIL 3 | When the EDG Instrumentation and Control System Automatic Start Logic Controller detects a self-diagnostic fault in any SIL 3 function, the I&C System... | Test |
| SUB-REQ-024 | SIL 3 | The Bus Undervoltage Sensing Relay SHALL detect 6.6kV emergency bus voltage below 4.6kV (70% nominal) sustained for more than 200ms and issue an EDG a... | Test |
| SUB-REQ-025 | SIL 3 | The Generator Circuit Breaker SHALL close onto the 6.6kV emergency bus within 100ms of receiving a close command from the Synchronising Check Relay (l... | Test |
| SUB-REQ-026 | SIL 3 | The Synchronising Check Relay SHALL permit Generator Circuit Breaker closure only when EDG output voltage is within ±10% of 6.6kV, frequency is within... | Test |
| SUB-REQ-027 | SIL 3 | The Generator Electrical Protection Relay Package SHALL provide differential protection (87G) with a minimum operating current of 10% rated generator ... | Test |
| SUB-REQ-028 | SIL 3 | When the Generator Electrical Protection Relay Package detects a protection trip condition or when the Class 1E Switchgear Control Power Supply falls ... | Test |
| SUB-REQ-029 | SIL 2 | The EDG Building and Support Systems SHALL incorporate an automatic gaseous total-flood fire suppression system (HFC-227ea or CO2 with pre-discharge a... | Inspection |
| SUB-REQ-030 | SIL 2 | The Category 1 Building Structure SHALL maintain structural integrity and continue to house and protect all installed EDG equipment during and followi... | Test |
| SUB-REQ-031 | SIL 2 | The Category 1 Building Structure SHALL provide physical separation between EDG trains by a minimum 2-hour rated fire barrier, such that a design basi... | Inspection |
| SUB-REQ-032 | SIL 2 | The Ventilation and Combustion Air System SHALL supply a minimum of 0.55 kg/s of combustion air per MW of rated engine output at an inlet temperature ... | Test |
| SUB-REQ-033 | SIL 2 | When the EDG receives an automatic start signal, the Ventilation and Combustion Air System SHALL initiate fan motor start within 5 seconds and achieve... | Test |
| SUB-REQ-034 | SIL 2 | The Exhaust Silencer and Discharge Stack SHALL limit exhaust gas backpressure to not more than 50 mbar at the turbocharger outlet under all operating ... | Test |
| SUB-REQ-035 | SIL 2 | The Drain and Spill Containment System SHALL provide bunded containment with a minimum capacity of 110% of the largest single fluid inventory within t... | Inspection |
| SUB-REQ-036 | SIL 2 | When a Category 1 Building Structure breach is detected by the structural monitoring system, the EDG Building and Support Systems SHALL automatically ... | Demonstration |
| SUB-REQ-037 | SIL 2 | The Engine Cooling System SHALL maintain engine jacket water outlet temperature within 75°C to 85°C during continuous operation at any load from 25% t... | Test |
| SUB-REQ-038 | SIL 2 | While in standby, the Engine Cooling System SHALL maintain jacket water temperature at not less than 35°C using the Engine Pre-heat System to ensure t... | Demonstration |
| SUB-REQ-039 | SIL 2 | The Engine Cooling System SHALL dissipate engine thermal rejection at not less than 110% of rated thermal load at a maximum ambient temperature of 35°... | Test |
| SUB-REQ-040 | SIL 2 | When jacket water outlet temperature exceeds 95°C or jacket water circuit pressure falls below 0.5 bar gauge, the Engine Cooling System SHALL generate... | Test |
| SUB-REQ-041 | SIL 2 | The Coolant Circulation Pump SHALL maintain a minimum coolant flow rate of 150 L/min at 0.8 bar differential pressure throughout the engine load range... | Test |
| SUB-REQ-042 | SIL 2 | The Thermostatic Control Valve SHALL modulate bypass coolant flow to maintain jacket water temperature within ±3°C of the 80°C setpoint during steady-... | Test |
| SUB-REQ-043 | SIL 2 | The Engine Cooling System pressure boundary, including the Engine Jacket Water Circuit, Coolant Circulation Pump, and Radiator/Heat Exchanger, SHALL r... | Analysis |
| SUB-REQ-044 | SIL 2 | The Fuel Oil System SHALL supply diesel fuel to the engine injection system at a pressure of 0.3 bar to 0.7 bar gauge and a flow rate sufficient for r... | Test |
| SUB-REQ-045 | SIL 2 | The Bulk Storage Tank SHALL maintain a minimum fuel inventory of 110% of the 7-day fuel demand at 100% rated load as specified in SYS-REQ-008, with a ... | Inspection |
| SUB-REQ-046 | SIL 2 | The Day Tank SHALL maintain a working inventory of not less than 4 hours of fuel at rated engine load to provide autonomous operation during a Bulk St... | Test |
| SUB-REQ-047 | SIL 2 | The Fuel Oil Strainer and Filter Assembly SHALL maintain fuel particle contamination downstream of the filter element at ISO 4406 cleanliness code 16/... | Test |
| SUB-REQ-048 | SIL 2 | When Day Tank level falls below the transfer initiation setpoint, the Fuel Transfer Pump SHALL automatically start and transfer fuel from the Bulk Sto... | Demonstration |
| SUB-REQ-049 | SIL 2 | When Day Tank fuel level falls below the engine fuel inlet connection height, the Fuel Oil System SHALL generate a hardwired low-fuel trip signal to t... | Test |
| SUB-REQ-050 | SIL 2 | The Fuel Oil System bulk storage tank, day tank, pipework, and filter assembly SHALL comply with ATEX Directive 2014/34/EU Zone 2 classification, incl... | Inspection |
| SYS-REQ-001 | SIL 3 | The Emergency Diesel Generator SHALL start and reach rated voltage (6.6kV ±10%) and rated frequency (50Hz ±2%) within 10 seconds of receiving a loss-o... | Test |
| SYS-REQ-002 | SIL 3 | The Emergency Diesel Generator SHALL automatically start upon detection of bus undervoltage below 5.94kV (90% of nominal) without operator action, wit... | Test |
| SYS-REQ-003 | SIL 3 | The Emergency Diesel Generator SHALL connect safety loads to the emergency bus via a priority-based load sequencer, with all safety loads energised wi... | Test |
| SYS-REQ-007 | SIL 4 | The Emergency Diesel Generator installation SHALL comprise two independent, redundant trains (Train A and Train B) with no shared active components, s... | Analysis |
| SYS-REQ-008 | SIL 2 | The Emergency Diesel Generator fuel storage system SHALL hold a minimum 7-day fuel inventory at 100% rated load, with automatic transfer from bulk sto... | Inspection |
| SYS-REQ-009 | SIL 2 | The Emergency Diesel Generator SHALL remain functional during and after a design basis earthquake of 0.2g peak ground acceleration (Seismic Category I... | Analysis |
| SYS-REQ-010 | SIL 2 | The Emergency Diesel Generator engine SHALL be protected by independent, hardwired trip circuits for overspeed (>115% rated), high coolant temperature... | Test |
| SYS-REQ-011 | SIL 2 | The Emergency Diesel Generator building SHALL incorporate automatic fire detection and suppression to extinguish diesel fuel fires without manual inte... | Test |
| SYS-REQ-012 | SIL 3 | The Emergency Diesel Generator safety-related control and protection systems SHALL be isolated from non-safety networks, with safety trip functions im... | Analysis |
| SYS-REQ-014 | SIL 3 | When one EDG train is inoperable, the remaining train SHALL be capable of supplying 100% of the safety-critical electrical load, with the plant enteri... | Analysis |
| SYS-REQ-015 | SIL 4 | The Emergency Diesel Generator system SHALL provide a diverse alternate AC power source connection point, capable of accepting a mobile diesel generat... | Demonstration |
| VER-REQ-002 | SIL 3 | The Engine Protection Relay Package functional test SHALL confirm each trip relay (overspeed at 865 rpm, high coolant temperature at 91°C, low oil pre... | Test |
| VER-REQ-003 | SIL 3 | The Diesel Engine Assembly protection trip test SHALL confirm engine standstill (crankshaft speed below 5 rpm) within 5 seconds of manual trip signal ... | Test |
| VER-REQ-005 | SIL 3 | The Starting Air System interface test SHALL confirm air start distributor inlet pressure of 25–30 bar at start signal initiation and engine cranking ... | Test |
| VER-REQ-006 | SIL 3 | The end-to-end EDG start chain acceptance test SHALL confirm bus undervoltage detection within 100 ms, rated voltage and frequency within 10 seconds, ... | Test |
| VER-REQ-018 | SIL 3 | Verify SUB-REQ-019: I&C LOOP detection acceptance test SHALL apply a simulated bus undervoltage to the Qualified I/O Module input, confirm undervoltag... | Test |
| VER-REQ-019 | SIL 3 | Verify SUB-REQ-020: Engine and Generator Protection Logic functional test SHALL inject simulated overspeed, low oil pressure, and high coolant tempera... | Test |
| VER-REQ-020 | SIL 3 | Verify SUB-REQ-023: I&C self-diagnostic safe-state test SHALL inject a simulated SIL 3 logic self-fault and confirm de-energise-to-trip output within ... | Test |
| VER-REQ-023 | SIL 3 | Verify SUB-REQ-024: The Bus Undervoltage Sensing Relay factory acceptance test SHALL inject a simulated 4.5kV signal (sustained for 250ms) on each of ... | Test |
| VER-REQ-024 | SIL 3 | Verify SUB-REQ-026: The Synchronising Check Relay acceptance test SHALL inject voltage, frequency, and phase angle combinations at boundary conditions... | Test |
| VER-REQ-025 | SIL 3 | Verify IFC-REQ-016: Integration test SHALL measure cable loop resistance on the BUVR-to-GCB start circuit at commissioning and confirm it is below 20 ... | Test |
| VER-REQ-026 | SIL 3 | Verify IFC-REQ-018: The trip circuit commissioning test SHALL measure total trip circuit resistance and confirm it does not exceed 10 ohms; SHALL appl... | Test |
| VER-REQ-027 | SIL 3 | Verify IFC-REQ-017: The Synchronising Check Relay to GCB close-permission interface acceptance test SHALL confirm close permission asserts only when b... | Test |
| VER-REQ-040 | SIL 2 | Verify SUB-REQ-030: Perform seismic analysis of the Category 1 Building Structure in accordance with BS EN 1998-1 (Eurocode 8: Design of Structures fo... | Analysis |
| VER-REQ-047 | SIL 2 | Verify IFC-REQ-022: Coolant Circulation Pump performance test at 25%, 50%, 75%, 100%, and 110% rated engine load. Pass criterion: flow ≥150 L/min, del... | Test |
| VER-REQ-055 | SIL 2 | Verify IFC-REQ-023: Pre-heat system functional test during AC blackout simulation. Procedure: disconnect normal AC supply, confirm UPS feed energises ... | Demonstration |
| VER-REQ-056 | SIL 2 | Verify IFC-REQ-024: Thermostatic valve response time and flow characteristic test. Apply 10°C step change from 72°C to 85°C at pump inlet; measure val... | Test |
| VER-REQ-057 | SIL 2 | Verify IFC-REQ-025: Engine Cooling to I&C signal interface inspection and functional test. Perform cable routing inspection for physical segregation; ... | Test |
| VER-REQ-058 | SIL 2 | Verify SUB-REQ-037 and SUB-REQ-039: Endurance test at 110% rated load, 35°C ambient, for 4 hours minimum. Pass criterion: jacket water outlet temperat... | Test |
| VER-REQ-059 | SIL 2 | Verify IFC-REQ-026: Fuel Transfer Pump commissioning test. Simulate low Day Tank level (float switch activation), confirm pump starts automatically an... | Test |
| VER-REQ-060 | SIL 2 | Verify IFC-REQ-027 and SUB-REQ-044: Fuel system endurance and temperature test. Run engine at 100% rated load for 2 hours. Measure fuel inlet pressure... | Test |
| VER-REQ-061 | SIL 2 | Verify IFC-REQ-028 and SUB-REQ-047: Fuel filter differential pressure test. Introduce controlled particulate loading to filter inlet to simulate conta... | Test |
Goal Structuring Notation per GSN Community Standard v3. The top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

```mermaid
flowchart TD
G0["<b>G0: Top Goal</b><br/>Emergency Diesel Generator for a UK Nuclear Licensed Site is acceptably safe"]
S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
G0 --> S0
G1["<b>G1: H-001</b><br/>Failure to start on demand<br/>SIL 3"]
S0 --> G1
Sn0_0(["<b>SUB-REQ-004</b>"])
G1 --> Sn0_0
Sn0_1(["<b>SUB-REQ-007</b>"])
G1 --> Sn0_1
Sn0_2(["<b>SYS-REQ-001</b>"])
G1 --> Sn0_2
G2["<b>G2: H-002</b><br/>Loss of output during operation<br/>SIL 3"]
S0 --> G2
G3["<b>G3: H-003</b><br/>Engine overspeed<br/>SIL 2"]
S0 --> G3
Sn2_0(["<b>SUB-REQ-005</b>"])
G3 --> Sn2_0
Sn2_1(["<b>SYS-REQ-010</b>"])
G3 --> Sn2_1
G4["<b>G4: H-004</b><br/>Fire in EDG building<br/>SIL 2"]
S0 --> G4
Sn3_0(["<b>SUB-REQ-029</b>"])
G4 --> Sn3_0
Sn3_1(["<b>SYS-REQ-011</b>"])
G4 --> Sn3_1
G5["<b>G5: H-005</b><br/>Fuel contamination or exhaustion<br/>SIL 2"]
S0 --> G5
Sn4_0(["<b>SYS-REQ-008</b>"])
G5 --> Sn4_0
G6["<b>G6: H-006</b><br/>Cooling system failure<br/>SIL 2"]
S0 --> G6
Sn5_0(["<b>SUB-REQ-006</b>"])
G6 --> Sn5_0
Sn5_1(["<b>SYS-REQ-010</b>"])
G6 --> Sn5_1
G7["<b>G7: H-007</b><br/>Common cause failure of multiple EDGs<br/>SIL 4"]
S0 --> G7
Sn6_0(["<b>SYS-REQ-007</b>"])
G7 --> Sn6_0
Sn6_1(["<b>SYS-REQ-015</b>"])
G7 --> Sn6_1
G8["<b>G8: H-008</b><br/>Seismic damage<br/>SIL 2"]
S0 --> G8
Sn7_0(["<b>SYS-REQ-009</b>"])
G8 --> Sn7_0
G9["<b>G9: H-009</b><br/>Spurious start or protection trip<br/>SIL 1"]
S0 --> G9
G10["<b>G10: H-010</b><br/>Cyber attack on control system<br/>SIL 3"]
S0 --> G10
Sn9_0(["<b>SYS-REQ-012</b>"])
G10 --> Sn9_0
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).
```yaml
# GSN Safety Case — Emergency Diesel Generator for a UK Nuclear Licensed Site
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "Emergency Diesel Generator for a UK Nuclear Licensed Site is acceptably safe"
    type: top-goal
    supported_by: [S0]
  G1:
    text: "H-001: Failure to start on demand"
    sil: 3
    safe_state: "Reactor trip with diverse backup power (gas turbine or batteries) or immediate controlled shutdown"
    supported_by: [SUB-REQ-004, SUB-REQ-007, SYS-REQ-001, SYS-REQ-002]
    evidence: [VER-REQ-002, VER-REQ-011]
  G2:
    text: "H-002: Loss of output during operation"
    sil: 3
    safe_state: "Automatic transfer to alternate EDG or grid restoration with reactor trip if neither available"
    supported_by: []
    evidence: []
  G3:
    text: "H-003: Engine overspeed"
    sil: 2
    safe_state: "Engine stopped via mechanical overspeed trip and fuel cutoff"
    supported_by: [SUB-REQ-005, SYS-REQ-010]
    evidence: [VER-REQ-002]
  G4:
    text: "H-004: Fire in EDG building"
    sil: 2
    safe_state: "Fire suppression activated, EDG isolated, alternate EDG available"
    supported_by: [SUB-REQ-029, SYS-REQ-011]
    evidence: [VER-REQ-036]
  G5:
    text: "H-005: Fuel contamination or exhaustion"
    sil: 2
    safe_state: "Transfer to alternate fuel tank, activate fuel replenishment, alternate EDG available"
    supported_by: [SYS-REQ-008]
    evidence: []
  G6:
    text: "H-006: Cooling system failure"
    sil: 2
    safe_state: "EDG trips on high temperature, alternate EDG takes load"
    supported_by: [SUB-REQ-006, SYS-REQ-010]
    evidence: [VER-REQ-002]
  G7:
    text: "H-007: Common cause failure of multiple EDGs"
    sil: 4
    safe_state: "Diverse alternate AC source (gas turbine, portable generator), DC battery for essential loads, reactor trip and passive cooling"
    supported_by: [SYS-REQ-007, SYS-REQ-015]
    evidence: []
  G8:
    text: "H-008: Seismic damage"
    sil: 2
    safe_state: "Post-seismic inspection before reliance, seismically qualified to design basis"
    supported_by: [SYS-REQ-009]
    evidence: []
  G9:
    text: "H-009: Spurious start or protection trip"
    sil: 1
    safe_state: "Operator verification, manual override with appropriate authorisation"
    supported_by: []
    evidence: []
  G10:
    text: "H-010: Cyber attack on control system"
    sil: 3
    safe_state: "Air-gapped backup controls, hardwired trips, manual local operation capability"
    supported_by: [SYS-REQ-012]
    evidence: []
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7, G8, G9, G10]
solutions:
  IFC-REQ-008:
    text: "The interface between the Diesel Engine Assembly (Fuel Injection System) and the Fuel Oil System SHALL deliver filtered "
    verification: Test
    sil: 3
  IFC-REQ-009:
    text: "The interface between the Diesel Engine Assembly (Engine Block) and the Engine Cooling System SHALL accept coolant flow "
    verification: Test
    sil: 3
  IFC-REQ-010:
    text: "The interface between the Diesel Engine Assembly (Engine Block, Turbocharger) and the Lubrication Oil System SHALL provi"
    verification: Test
    sil: 3
  IFC-REQ-011:
    text: "The Starting Air System–Engine Assembly interface SHALL supply 25–30 bar compressed air to the air start distributor inl"
    verification: Test
    sil: 3
  IFC-REQ-012:
    text: "The interface between the Diesel Engine Assembly and the EDG Instrumentation and Control System SHALL provide continuous"
    verification: Inspection
    sil: 3
  IFC-REQ-013:
    text: "The interface between the Diesel Engine Assembly (Crankshaft and Flexible Shaft Coupling) and the Synchronous Generator "
    verification: Test
    sil: 3
  IFC-REQ-014:
    text: "The interface between the EDG Instrumentation and Control System and the Starting Air System Air Start Valve SHALL trans"
    verification: Test
    sil: 3
  IFC-REQ-016:
    text: "The interface between the Bus Undervoltage Sensing Relay and the Generator Circuit Breaker shall carry a hardwired Class"
    verification: Test
    sil: 3
  IFC-REQ-017:
    text: "The interface between the Synchronising Check Relay and the Generator Circuit Breaker SHALL carry a hardwired 125VDC dis"
    verification: Test
    sil: 3
  IFC-REQ-018:
    text: "The interface between the Generator Electrical Protection Relay Package and the Generator Circuit Breaker SHALL deliver "
    verification: Test
    sil: 3
  IFC-REQ-022:
    text: "The interface between the Coolant Circulation Pump and the Engine Jacket Water Circuit SHALL transmit coolant at a minim"
    verification: Test
    sil: 2
  IFC-REQ-023:
    text: "The interface between the Engine Pre-heat System and the Engine Jacket Water Circuit SHALL maintain standby jacket water"
    verification: Demonstration
    sil: 2
  IFC-REQ-024:
    text: "The interface between the Thermostatic Control Valve and the Radiator/Heat Exchanger SHALL route hot-side coolant flow t"
    verification: Test
    sil: 2
  IFC-REQ-025:
    text: "The interface between the Engine Cooling System and the EDG Instrumentation and Control System SHALL provide two indepen"
    verification: Inspection
    sil: 2
  IFC-REQ-026:
    text: "The interface between the Fuel Transfer Pump and the Day Tank SHALL deliver fuel at a minimum transfer rate of 50 L/min "
    verification: Test
    sil: 2
  IFC-REQ-027:
    text: "The interface between the Day Tank and the engine fuel injection system SHALL provide a continuous, uninterrupted fuel s"
    verification: Test
    sil: 2
  IFC-REQ-028:
    text: "The interface between the Fuel Oil Strainer and Filter Assembly and the engine fuel injection system SHALL provide clean"
    verification: Inspection
    sil: 2
  SUB-REQ-001:
    text: "The Diesel Engine Assembly SHALL achieve self-sustaining engine rotation within 3 seconds of receiving a start signal fr"
    verification: Test
    sil: 3
  SUB-REQ-002:
    text: "The Diesel Engine Assembly SHALL maintain engine speed within 750 rpm ±1.5 rpm (±0.2%) in steady-state operation under a"
    verification: Test
    sil: 3
  SUB-REQ-003:
    text: "The Diesel Engine Assembly SHALL sustain continuous mechanical power output at 100% rated brake mean effective pressure "
    verification: Analysis
    sil: 3
  SUB-REQ-004:
    text: "The Engine Protection Relay Package SHALL detect engine overspeed exceeding 863 rpm (115% of rated 750 rpm), and SHALL t"
    verification: Test
    sil: 3
  SUB-REQ-005:
    text: "The Engine Protection Relay Package SHALL detect engine lubricating oil pressure below 2.0 bar at the main oil gallery, "
    verification: Test
    sil: 3
  SUB-REQ-006:
    text: "The Engine Protection Relay Package SHALL detect engine jacket water coolant temperature exceeding 90°C at the cylinder "
    verification: Test
    sil: 3
  SUB-REQ-007:
    text: "The Diesel Fuel Injection System SHALL meter fuel delivery with a maximum cylinder-to-cylinder variation of ±3% of mean "
    verification: Test
    sil: 3
  SUB-REQ-008:
    text: "The Diesel Engine Assembly, including all sub-components and their mounting interfaces, SHALL be qualified to remain fun"
    verification: Analysis
    sil: 3
  SUB-REQ-009:
    text: "When any Engine Protection Relay Package trip setpoint is exceeded, the Diesel Engine Assembly SHALL transition to its s"
    verification: Test
    sil: 3
  SUB-REQ-012:
    text: "The Engine Protection Relay Package SHALL implement a fail-safe de-energise-to-trip relay architecture such that loss of"
    verification: Demonstration
    sil: 3
  SUB-REQ-014:
    text: "The Starting Air System Air Receiver Banks (A and B) SHALL each maintain a minimum stored pressure of 25 bar and a maxim"
    verification: Test
    sil: 3
  SUB-REQ-015:
    text: "The Starting Air System Air Start Valve and Distribution Manifold SHALL fully open and deliver compressed air to all eng"
    verification: Test
    sil: 3
  SUB-REQ-018:
    text: "When Starting Air System receiver pressure drops to 27 bar on either bank, the Pressure Monitoring and Low-Pressure Alar"
    verification: Test
    sil: 3
  SUB-REQ-019:
    text: "The EDG Instrumentation and Control System Automatic Start Logic Controller SHALL detect emergency bus undervoltage belo"
    verification: Test
    sil: 3
  SUB-REQ-020:
    text: "The EDG Instrumentation and Control System Engine and Generator Protection Logic SHALL generate a de-energise-to-trip re"
    verification: Analysis
    sil: 3
  SUB-REQ-021:
    text: "The EDG Instrumentation and Control System Qualified I/O Module Assembly SHALL provide Class 1E qualified electrical iso"
    verification: Test
    sil: 3
  SUB-REQ-022:
    text: "The EDG Instrumentation and Control System Plant Communication Gateway SHALL be implemented as a unidirectional data dio"
    verification: Inspection
    sil: 3
  SUB-REQ-023:
    text: "When the EDG Instrumentation and Control System Automatic Start Logic Controller detects a self-diagnostic fault in any "
    verification: Test
    sil: 3
  SUB-REQ-024:
    text: "The Bus Undervoltage Sensing Relay SHALL detect 6.6kV emergency bus voltage below 4.6kV (70% nominal) sustained for more"
    verification: Test
    sil: 3
  SUB-REQ-025:
    text: "The Generator Circuit Breaker SHALL close onto the 6.6kV emergency bus within 100ms of receiving a close command from th"
    verification: Test
    sil: 3
  SUB-REQ-026:
    text: "The Synchronising Check Relay SHALL permit Generator Circuit Breaker closure only when EDG output voltage is within ±10%"
    verification: Test
    sil: 3
  SUB-REQ-027:
    text: "The Generator Electrical Protection Relay Package SHALL provide differential protection (87G) with a minimum operating c"
    verification: Test
    sil: 3
  SUB-REQ-028:
    text: "When the Generator Electrical Protection Relay Package detects a protection trip condition or when the Class 1E Switchge"
    verification: Test
    sil: 3
  SUB-REQ-029:
    text: "The EDG Building and Support Systems SHALL incorporate an automatic gaseous total-flood fire suppression system (HFC-227"
    verification: Inspection
    sil: 2
  SUB-REQ-030:
    text: "The Category 1 Building Structure SHALL maintain structural integrity and continue to house and protect all installed ED"
    verification: Test
    sil: 2
  SUB-REQ-031:
    text: "The Category 1 Building Structure SHALL provide physical separation between EDG trains by a minimum 2-hour rated fire ba"
    verification: Inspection
    sil: 2
  SUB-REQ-032:
    text: "The Ventilation and Combustion Air System SHALL supply a minimum of 0.55 kg/s of combustion air per MW of rated engine o"
    verification: Test
    sil: 2
  SUB-REQ-033:
    text: "When the EDG receives an automatic start signal, the Ventilation and Combustion Air System SHALL initiate fan motor star"
    verification: Test
    sil: 2
  SUB-REQ-034:
    text: "The Exhaust Silencer and Discharge Stack SHALL limit exhaust gas backpressure to not more than 50 mbar at the turbocharg"
    verification: Test
    sil: 2
  SUB-REQ-035:
    text: "The Drain and Spill Containment System SHALL provide bunded containment with a minimum capacity of 110% of the largest s"
    verification: Inspection
    sil: 2
  SUB-REQ-036:
    text: "When a Category 1 Building Structure breach is detected by the structural monitoring system, the EDG Building and Suppor"
    verification: Demonstration
    sil: 2
  SUB-REQ-037:
    text: "The Engine Cooling System SHALL maintain engine jacket water outlet temperature within 75°C to 85°C during continuous op"
    verification: Test
    sil: 2
  SUB-REQ-038:
    text: "While in standby, the Engine Cooling System SHALL maintain jacket water temperature at not less than 35°C using the Engi"
    verification: Demonstration
    sil: 2
  SUB-REQ-039:
    text: "The Engine Cooling System SHALL dissipate engine thermal rejection at not less than 110% of rated thermal load at a maxi"
    verification: Test
    sil: 2
  SUB-REQ-040:
    text: "When jacket water outlet temperature exceeds 95°C or jacket water circuit pressure falls below 0.5 bar gauge, the Engine"
    verification: Test
    sil: 2
  SUB-REQ-041:
    text: "The Coolant Circulation Pump SHALL maintain a minimum coolant flow rate of 150 L/min at 0.8 bar differential pressure th"
    verification: Test
    sil: 2
  SUB-REQ-042:
    text: "The Thermostatic Control Valve SHALL modulate bypass coolant flow to maintain jacket water temperature within ±3°C of th"
    verification: Test
    sil: 2
  SUB-REQ-043:
    text: "The Engine Cooling System pressure boundary, including the Engine Jacket Water Circuit, Coolant Circulation Pump, and Ra"
    verification: Analysis
    sil: 2
  SUB-REQ-044:
    text: "The Fuel Oil System SHALL supply diesel fuel to the engine injection system at a pressure of 0.3 bar to 0.7 bar gauge an"
    verification: Test
    sil: 2
  SUB-REQ-045:
    text: "The Bulk Storage Tank SHALL maintain a minimum fuel inventory of 110% of the 7-day fuel demand at 100% rated load as spe"
    verification: Inspection
    sil: 2
  SUB-REQ-046:
    text: "The Day Tank SHALL maintain a working inventory of not less than 4 hours of fuel at rated engine load to provide autonom"
    verification: Test
    sil: 2
  SUB-REQ-047:
    text: "The Fuel Oil Strainer and Filter Assembly SHALL maintain fuel particle contamination downstream of the filter element at"
    verification: Test
    sil: 2
  SUB-REQ-048:
    text: "When Day Tank level falls below the transfer initiation setpoint, the Fuel Transfer Pump SHALL automatically start and t"
    verification: Demonstration
    sil: 2
  SUB-REQ-049:
    text: "When Day Tank fuel level falls below the engine fuel inlet connection height, the Fuel Oil System SHALL generate a hardw"
```
verification: Test
sil: 2
SUB-REQ-050:
text: "The Fuel Oil System bulk storage tank, day tank, pipework, and filter assembly SHALL comply with ATEX Directive 2014/34/"
verification: Inspection
sil: 2
SYS-REQ-001:
text: "The Emergency Diesel Generator SHALL start and reach rated voltage (6.6kV ±10%) and rated frequency (50Hz ±2%) within 10"
verification: Test
sil: 3
SYS-REQ-002:
text: "The Emergency Diesel Generator SHALL automatically start upon detection of bus undervoltage below 5.94kV (90% of nominal"
verification: Test
sil: 3
SYS-REQ-003:
text: "The Emergency Diesel Generator SHALL connect safety loads to the emergency bus via a priority-based load sequencer, with"
verification: Test
sil: 3
SYS-REQ-007:
text: "The Emergency Diesel Generator installation SHALL comprise two independent, redundant trains (Train A and Train B) with "
verification: Analysis
sil: 4
SYS-REQ-008:
text: "The Emergency Diesel Generator fuel storage system SHALL hold a minimum 7-day fuel inventory at 100% rated load, with au"
verification: Inspection
sil: 2
SYS-REQ-009:
text: "The Emergency Diesel Generator SHALL remain functional during and after a design basis earthquake of 0.2g peak ground ac"
verification: Analysis
sil: 2
SYS-REQ-010:
text: "The Emergency Diesel Generator engine SHALL be protected by independent, hardwired trip circuits for overspeed (>115% ra"
verification: Test
sil: 2
SYS-REQ-011:
text: "The Emergency Diesel Generator building SHALL incorporate automatic fire detection and suppression to extinguish diesel "
verification: Test
sil: 2
SYS-REQ-012:
text: "The Emergency Diesel Generator safety-related control and protection systems SHALL be isolated from non-safety networks,"
verification: Analysis
sil: 3
SYS-REQ-014:
text: "When one EDG train is inoperable, the remaining train SHALL be capable of supplying 100% of the safety-critical electric"
verification: Analysis
sil: 3
SYS-REQ-015:
text: "The Emergency Diesel Generator system SHALL provide a diverse alternate AC power source connection point, capable of acc"
verification: Demonstration
sil: 4
VER-REQ-002:
text: "The Engine Protection Relay Package functional test SHALL confirm each trip relay (overspeed at 865 rpm, high coolant te"
verification: Test
sil: 3
VER-REQ-003:
text: "The Diesel Engine Assembly protection trip test SHALL confirm engine standstill (crankshaft speed below 5 rpm) within 5 "
verification: Test
sil: 3
VER-REQ-005:
text: "The Starting Air System interface test SHALL confirm air start distributor inlet pressure of 25–30 bar at start signal i"
verification: Test
sil: 3
VER-REQ-006:
text: "The end-to-end EDG start chain acceptance test SHALL confirm bus undervoltage detection within 100 ms, rated voltage and"
verification: Test
sil: 3
VER-REQ-018:
text: "Verify SUB-REQ-019: I&C LOOP detection acceptance test SHALL apply a simulated bus undervoltage to the Qualified I/O Mod"
verification: Test
sil: 3
VER-REQ-019:
text: "Verify SUB-REQ-020: Engine and Generator Protection Logic functional test SHALL inject simulated overspeed, low oil pres"
verification: Test
sil: 3
VER-REQ-020:
text: "Verify SUB-REQ-023: I&C self-diagnostic safe-state test SHALL inject a simulated SIL 3 logic self-fault and confirm de-e"
verification: Test
sil: 3
VER-REQ-023:
text: "Verify SUB-REQ-024: The Bus Undervoltage Sensing Relay factory acceptance test SHALL inject a simulated 4.5kV signal (su"
verification: Test
sil: 3
VER-REQ-024:
text: "Verify SUB-REQ-026: The Synchronising Check Relay acceptance test SHALL inject voltage, frequency, and phase angle combi"
verification: Test
sil: 3
VER-REQ-025:
text: "Verify IFC-REQ-016: Integration test SHALL measure cable loop resistance on the BUVR-to-GCB start circuit at commissioni"
verification: Test
sil: 3
VER-REQ-026:
text: "Verify IFC-REQ-018: The trip circuit commissioning test SHALL measure total trip circuit resistance and confirm it does "
verification: Test
sil: 3
VER-REQ-027:
text: "Verify IFC-REQ-017: The Synchronising Check Relay to GCB close-permission interface acceptance test SHALL confirm close "
verification: Test
sil: 3
VER-REQ-040:
text: "Verify SUB-REQ-030: Perform seismic analysis of the Category 1 Building Structure in accordance with BS EN 1998-1 (Euroc"
verification: Analysis
sil: 2
VER-REQ-047:
text: "Verify IFC-REQ-022: Coolant Circulation Pump performance test at 25%, 50%, 75%, 100%, and 110% rated engine load. Pass c"
verification: Test
sil: 2
VER-REQ-055:
text: "Verify IFC-REQ-023: Pre-heat system functional test during AC blackout simulation. Procedure: disconnect normal AC suppl"
verification: Demonstration
sil: 2
VER-REQ-056:
text: "Verify IFC-REQ-024: Thermostatic valve response time and flow characteristic test. Apply 10°C step change from 72°C to 8"
verification: Test
sil: 2
VER-REQ-057:
text: "Verify IFC-REQ-025: Engine Cooling to I&C signal interface inspection and functional test. Perform cable routing inspect"
verification: Test
sil: 2
VER-REQ-058:
text: "Verify SUB-REQ-037 and SUB-REQ-039: Endurance test at 110% rated load, 35°C ambient, for 4 hours minimum. Pass criterion"
verification: Test
sil: 2
VER-REQ-059:
text: "Verify IFC-REQ-026: Fuel Transfer Pump commissioning test. Simulate low Day Tank level (float switch activation), confir"
verification: Test
sil: 2
VER-REQ-060:
text: "Verify IFC-REQ-027 and SUB-REQ-044: Fuel system endurance and temperature test. Run engine at 100% rated load for 2 hour"
verification: Test
sil: 2
VER-REQ-061:
text: "Verify IFC-REQ-028 and SUB-REQ-047: Fuel filter differential pressure test. Introduce controlled particulate loading to "
verification: Test
sil: 2