System Requirements Specification (SyRS) — ISO/IEC/IEEE 15289 — Specification | IEEE 29148 §6.2–6.4
Generated 2026-03-27 — UHT Journal / universalhex.org

| Standard | Title |
|---|---|
| BS 476 | — |
| BS EN 12601 | — |
| BS EN 15004 | — |
| BS EN 1998-1 | — |
| BS EN 60947-2 | — |
| BS EN 61000 | — |
| BS EN 61513 | — |
| IEC 60034 | — |
| IEC 60034-1 | — |
| IEC 60034-3 | — |
| IEC 60255 | — |
| IEC 60255-151 | — |
| IEC 60780 | — |
| IEC 60980 | — |
| IEC 61000-4 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 61513 | Nuclear power plants — Instrumentation and control important to safety |
| IEC 62271-100 | — |
| IEC 62645 | — |
| IEEE 308 | — |
| IEEE 344 | — |
| IEEE 384 | — |
| IEEE 387 | — |
| ISO 16890 | — |
| ISO 4406 | — |
| ISO 8573-1 | — |
| NFPA 2001 | — |
| NFPA 750 | — |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| ONR | Office for Nuclear Regulation |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Emergency Diesel Generator system SHALL provide the control room operator with continuous real-time display of EDG operating parameters including output power (kW), frequency (Hz), terminal voltage (V), lubricating oil pressure, and engine coolant temperature. Rationale: Control Room Operator, LOOP Response scenario: operator monitors EDG from desk displays showing kW, frequency, oil pressure, coolant temp to verify EDG is supplying safety loads correctly. | Demonstration | stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-display-570 |
| STK-REQ-002 | The Emergency Diesel Generator system SHALL enable the control room operator to manually start, stop, and authorise load transfers for each EDG train from the main control room. Rationale: Control Room Operator, LOOP Response scenario: operator initiates fast start and authorises transfer back to grid. Surveillance Test scenario: operator initiates fast start from control room. | Demonstration | stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-manual-570 |
| STK-REQ-003 | The Emergency Diesel Generator system SHALL annunciate all abnormal EDG conditions as distinct alarms in the main control room within 2 seconds of detection. Rationale: Control Room Operator, EDG Failure to Start scenario: alarm 'EDG-A FAIL TO START' annunciates immediately so operator can verify Train B is carrying loads and initiate LCO entry. | Test | stakeholder, stk-control-room-operator, session-570, idempotency:stk-cro-alarm-570 |
| STK-REQ-004 | The Emergency Diesel Generator system SHALL provide sufficient information to the shift supervisor to support Limiting Condition for Operation entry and exit decisions, including EDG operability status and allowed outage time tracking. Rationale: Shift Supervisor, EDG Failure to Start scenario: supervisor must enter LCO 3.8.1 with 72-hour restoration window. Trip During Operation scenario: supervisor re-evaluates allowed outage time with one EDG lost. | Demonstration | stakeholder, stk-shift-supervisor, session-570, idempotency:stk-ss-lco-570 |
| STK-REQ-005 | The Emergency Diesel Generator system SHALL support implementation of station blackout emergency operating procedures, including load shedding prioritisation and connection of portable backup power sources. Rationale: Shift Supervisor, Station Blackout scenario: shift supervisor implements SBO EOP, deploys portable pump, coordinates mobile diesel generator connection. System must support this response. | Demonstration | stakeholder, stk-shift-supervisor, session-570, idempotency:stk-ss-sbo-570 |
| STK-REQ-006 | The Emergency Diesel Generator system SHALL enable fault diagnosis through locally accessible instrumentation and test points, permitting on-site repair by mechanical maintenance personnel. Rationale: Mechanical Technician, EDG Failure to Start scenario: mechanic dispatched to EDG building, diagnoses stuck fuel rack solenoid, replaces component. Requires accessible instrumentation for diagnosis. | Inspection | stakeholder, stk-mechanical-technician, session-570, idempotency:stk-mech-diag-570 |
| STK-REQ-007 | The Emergency Diesel Generator system SHALL support safe maintenance isolation through lock-out/tag-out provisions on all energy sources including fuel, electrical, compressed air, and cooling water. Rationale: Mechanical Technician, Planned Major Maintenance scenario: formal LOTO applied — fuel isolated, batteries disconnected, start air vented. All energy sources require isolation capability. | Inspection | stakeholder, stk-mechanical-technician, session-570, idempotency:stk-mech-loto-570 |
| STK-REQ-008 | The Emergency Diesel Generator system SHALL support calibration and functional testing of all protection and control instrumentation without requiring EDG operation or compromising safety system availability. Rationale: I&C Technician, Surveillance Test and Maintenance scenarios: I&C technician calibrates sensors and troubleshoots protection systems. Must be possible without taking EDG out of service unnecessarily. | Demonstration | stakeholder, stk-ic-technician, session-570, idempotency:stk-ic-cal-570 |
| STK-REQ-009 | The Emergency Diesel Generator system SHALL provide diagnostic access to control system parameters and protection setpoints for troubleshooting by qualified I&C personnel. Rationale: I&C Technician, EDG Failure to Start and Trip scenarios: technician troubleshoots control/protection system faults. Requires access to parameters, setpoints, and fault history. | Demonstration | stakeholder, stk-ic-technician, session-570, idempotency:stk-ic-diag-570 |
| STK-REQ-010 | The Emergency Diesel Generator system SHALL demonstrate compliance with ONR Safety Assessment Principles (SAPs) for engineered safety features, including diversity, redundancy, and independence requirements. Rationale: ONR, all scenarios: ONR provides regulatory approval of the safety case and inspects compliance with SAPs. The EDG as a Class 1 safety system must meet SAP targets for reliability and independence. | Analysis | stakeholder, stk-onr, session-570, idempotency:stk-onr-sap-570 |
| STK-REQ-011 | The Emergency Diesel Generator system SHALL maintain a deterministic safety case demonstrating that the EDG fulfils its nuclear safety function under all design basis conditions, as required by UK nuclear site licence conditions. Rationale: ONR, all scenarios: site licence conditions require a living safety case. The EDG safety case must cover all design basis events including LOOP, SBO, seismic, and common cause failure. | Analysis | stakeholder, stk-onr, session-570, idempotency:stk-onr-safetycase-570 |
| STK-REQ-012 | The Emergency Diesel Generator system SHALL achieve a start-on-demand reliability of at least 0.975 and a 24-hour mission reliability of at least 0.999, demonstrable through surveillance testing records. Rationale: Licensee, all scenarios: the licensee bears ultimate safety responsibility. Reliability targets from the probabilistic safety assessment define the minimum performance the EDG must demonstrate. | Analysis | stakeholder, stk-licensee, session-570, idempotency:stk-licensee-reliability-570 |
| STK-REQ-013 | The Emergency Diesel Generator system SHALL maintain complete qualification evidence, maintenance records, and modification history traceable to the original design basis throughout the plant operating life. Rationale: Licensee, Planned Maintenance scenario: quality records archived after overhaul. Documentation must demonstrate continued qualification through life — ONR can inspect at any time. | Inspection | stakeholder, stk-licensee, session-570, idempotency:stk-licensee-docs-570 |
| STK-REQ-014 | The Emergency Diesel Generator system SHALL accommodate OEM-specified maintenance regimes and accept qualified replacement parts without invalidating the safety case or equipment qualification. Rationale: EDG OEM, Planned Maintenance scenario: 5-yearly overhaul uses OEM work package (replace injectors, valve adjustment, turbo inspection). Maintenance regime must align with OEM requirements. | Analysis | stakeholder, stk-oem, session-570, idempotency:stk-oem-maint-570 |
| STK-REQ-015 | The Emergency Diesel Generator system SHALL prevent failure of backup power supply from contributing to an uncontrolled release of radioactive material, by providing sufficient redundancy and diversity in standby power sources. Rationale: Local Community: the community's fundamental expectation is that the nuclear site prevents accidents. The EDG is the last line of defence against station blackout leading to core damage and radioactive release. | Analysis | stakeholder, stk-local-community, session-570, idempotency:stk-community-safety-570 |
| STK-REQ-016 | The Emergency Diesel Generator system SHALL remain functional during and after a design basis earthquake of 0.2g peak ground acceleration, as required by Seismic Category I qualification per EUR requirements. Rationale: Operating Environment, Seismic constraint: the EDG must survive the design basis earthquake and start afterward if needed. Seismic qualification is a fundamental safety requirement for UK nuclear sites. | Analysis | stakeholder, stk-environment, session-570, idempotency:stk-env-seismic-570 |
| STK-REQ-017 | The Emergency Diesel Generator system SHALL operate across the full ambient temperature range of -10°C to +40°C and withstand a coastal salt-laden atmosphere without degradation of safety function. Rationale: Operating Environment: UK coastal nuclear sites experience temperature extremes and salt-laden air. EDG must start and run reliably at temperature extremes and resist corrosion from marine atmosphere. | Test | stakeholder, stk-environment, session-570, idempotency:stk-env-climate-570 |
| STK-REQ-018 | The Emergency Diesel Generator system SHALL not produce electromagnetic interference that could cause spurious actuation of co-located safety-related instrumentation and control systems, per IEC 61000-4 (Electromagnetic compatibility — testing and measurement techniques) series requirements. Rationale: Operating Environment, EMC constraint: the EDG shares a site with sensitive nuclear safety I&C. EMI from EDG starting or running must not cause spurious reactor protection system actuation. | Test | stakeholder, stk-environment, session-570, idempotency:stk-env-emc-570 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Emergency Diesel Generator SHALL start and reach rated voltage (6.6kV ±10%) and rated frequency (50Hz ±2%) within 10 seconds of receiving a loss-of-offsite-power start signal. Rationale: Derived from start-on-demand requirement and LOOP Response scenario. The 10-second target is the maximum time before safety loads lose cooling function. Exceeding 10 seconds risks fuel damage in a LOCA coincident with LOOP. H-001 (failure to start) is SIL 3. | Test | system, sil-3, performance, session-570, idempotency:sys-start-time-570 |
| SYS-REQ-002 | The Emergency Diesel Generator SHALL automatically start upon detection of bus undervoltage below 5.94kV (90% of nominal) without operator action, with LOOP detection completed within 100ms of grid voltage loss. Rationale: Derived from operator alarm and LCO support needs. Automatic start eliminates operator response time from the safety function timeline. The 100ms detection window is standard for nuclear EDG undervoltage relays per IEEE 387 (IEEE Standard for the Design and Application of Diesel Generator Units for Class 1E Nuclear Power Generating Stations). H-001 SIL 3. | Test | system, sil-3, safety, session-570, idempotency:sys-auto-start-570 |
| SYS-REQ-003 | The Emergency Diesel Generator SHALL connect safety loads to the emergency bus via a priority-based load sequencer, with all safety loads energised within 60 seconds of EDG reaching rated output. Rationale: Derived from operator display and LOOP Response scenario: loads sequenced in priority order — charging pumps first, then component cooling, then HVAC. 60-second window ensures reactor cooling is restored before fuel damage threshold. | Test | system, sil-3, performance, session-570, idempotency:sys-load-sequence-570 |
| SYS-REQ-004 | The Emergency Diesel Generator SHALL achieve a start-on-demand reliability of not less than 0.975 per demand, demonstrated through a minimum of 100 valid surveillance demands. Rationale: Derived from licensee reliability target (STK-012). The 0.975 value comes from the probabilistic safety assessment; the 100-demand demonstration requirement provides 95% confidence that the true reliability meets the target. | Analysis | system, reliability, session-570, idempotency:sys-start-reliability-570 |
| SYS-REQ-005 | The Emergency Diesel Generator SHALL sustain continuous operation at rated load for a minimum of 24 hours with a mission reliability of not less than 0.999, without manual intervention beyond monitoring. Rationale: Derived from licensee reliability target and Extended LOOP scenario: Day 2 of extended LOOP requires sustained EDG operation. The 24-hour mission defines the minimum design endurance before fuel replenishment or grid restoration. | Test | system, reliability, session-570, idempotency:sys-mission-reliability-570 |
| SYS-REQ-006 | The Emergency Diesel Generator SHALL maintain output voltage within 6.6kV ±10% and frequency within 50Hz ±2% under all load conditions from no-load to 110% rated load. Rationale: Derived from operator display requirements. Safety loads (motors, transformers, UPS) require stable voltage and frequency. The ±10%/±2% tolerances are per IEEE 387 for Class 1E diesel generators. Voltage excursions outside these limits cause motor thermal damage or relay malfunction. | Test | system, performance, session-570, idempotency:sys-output-quality-570 |
| SYS-REQ-007 | The Emergency Diesel Generator installation SHALL comprise two independent, redundant trains (Train A and Train B) with no shared active components, such that a single failure in one train does not prevent the other from performing its safety function. Rationale: Derived from ONR SAP compliance and community safety expectations. Single failure criterion is fundamental to nuclear safety system design per ONR SAP EKP.3. Common cause failure (H-007, SIL 4) is the highest-risk hazard identified. | Analysis | system, sil-4, safety, session-570, idempotency:sys-redundancy-570 |
| SYS-REQ-008 | The Emergency Diesel Generator fuel storage system SHALL hold a minimum 7-day fuel inventory at 100% rated load, with automatic transfer from bulk storage to engine day tank and continuous level monitoring. Rationale: Derived from fuel constraint and Extended LOOP/SBO scenarios. The 7-day inventory covers the design basis LOOP duration plus margin for fuel delivery delays. H-005 (fuel exhaustion) is SIL 2. | Inspection | system, sil-2, performance, session-570, idempotency:sys-fuel-capacity-570 |
| SYS-REQ-009 | The Emergency Diesel Generator SHALL remain functional during and after a design basis earthquake of 0.2g peak ground acceleration (Seismic Category I), with no loss of ability to start and carry load. Rationale: Derived from seismic environment constraint (STK-016) and H-008 (seismic damage, SIL 2). Seismic qualification per EUR requirements and IEC 60980 (Recommended practices for seismic qualification of electrical equipment of the safety system for nuclear generating stations). Post-earthquake operability is essential if LOOP coincides with seismic event. | Analysis | system, sil-2, safety, session-570, idempotency:sys-seismic-570 |
| SYS-REQ-010 | The Emergency Diesel Generator engine SHALL be protected by independent, hardwired trip circuits for overspeed (>115% rated), high coolant temperature, low lubricating oil pressure, and overcurrent, each capable of shutting down the engine within 2 seconds of trip setpoint. Rationale: Derived from hazards H-003 (overspeed, SIL 2) and H-006 (cooling failure, SIL 2). Hardwired trips ensure protection even with digital control system failure. The 2-second trip time prevents engine mechanical damage at overspeed. | Test | system, sil-2, safety, session-570, idempotency:sys-protection-570 |
| SYS-REQ-011 | The Emergency Diesel Generator building SHALL incorporate automatic fire detection and suppression to extinguish diesel fuel fires without manual intervention, with inter-train fire barriers maintaining operability of the alternate EDG train. Rationale: Derived from H-004 (fire in EDG building, SIL 2). Fire suppression must not damage the alternate EDG train. Train separation or fire barriers are needed to prevent common cause failure from fire propagation. | Test | system, sil-2, safety, session-570, idempotency:sys-fire-protection-570, reqs-eng-session-583 |
| SYS-REQ-012 | The Emergency Diesel Generator safety-related control and protection systems SHALL be isolated from non-safety networks, with safety trip functions implemented through hardwired circuits that cannot be defeated by cyber attack, per IEC 62645 (Nuclear power plants — Instrumentation, control and electrical power systems — Cybersecurity requirements). Rationale: Derived from H-010 (cyber attack, SIL 3) and ONR SAP compliance. Air-gapped hardwired trip circuits provide defence-in-depth against cyber threats to digital control systems. | Analysis | system, sil-3, safety, session-570, idempotency:sys-cyber-security-570 |
| SYS-REQ-013 | The Emergency Diesel Generator SHALL support monthly surveillance testing via simulated LOOP signal initiation, a 2-hour run at 75% rated load, and automated parameter recording, without reducing availability of the alternate EDG train. Rationale: Derived from I&C calibration needs and Surveillance Test scenario: monthly test at 75% load for 2 hours with all parameters recorded. Test must not compromise the other train's availability. | Demonstration | system, testability, session-570, idempotency:sys-surveillance-570, reqs-eng-session-583 |
| SYS-REQ-014 | When one EDG train is inoperable, the remaining train SHALL be capable of supplying 100% of the safety-critical electrical load, with the plant entering a Limiting Condition for Operation allowing no more than 72 hours for restoration before requiring controlled shutdown. Rationale: Derived from shift supervisor LCO needs and EDG Failure to Start scenario: LCO 3.8.1 gives 72 hours. Each train must be sized for full safety load — no load shedding between trains. | Analysis | system, sil-3, safety, session-570, idempotency:sys-single-train-570 |
| SYS-REQ-015 | The Emergency Diesel Generator system SHALL provide a diverse alternate AC power source connection point, capable of accepting a mobile diesel generator of at least 50% safety load capacity within 4 hours of station blackout declaration. Rationale: Derived from H-007 (common cause failure, SIL 4) and Station Blackout scenario: mobile generator connected after 4.5 hours. The 4-hour target aligns with DC battery capacity and provides margin before battery exhaustion. | Demonstration | system, sil-4, safety, session-570, idempotency:sys-diverse-ac-570 |
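An added verification helper, not part of this specification or the UHT project, that checks surveillance demand records against the SYS-REQ-001 and SYS-REQ-006 acceptance bands and the SYS-REQ-004 demand-count and reliability floor. The record layout, the `Demand` class and the sample values are assumptions constructed for the example; the 95% confidence argument in the SYS-REQ-004 rationale is not evaluated, only the counts.

```python
"""Acceptance check of EDG surveillance demand records (assumed format) against
SYS-REQ-001 (start <= 10 s), SYS-REQ-006 (6.6 kV +/-10 %, 50 Hz +/-2 %) and
SYS-REQ-004 (>= 0.975 per demand over >= 100 valid demands)."""
from dataclasses import dataclass

START_TIME_LIMIT_S = 10.0              # SYS-REQ-001
V_NOMINAL_KV, V_TOL = 6.6, 0.10        # SYS-REQ-006 voltage band
F_NOMINAL_HZ, F_TOL = 50.0, 0.02       # SYS-REQ-006 frequency band
RELIABILITY_TARGET, MIN_VALID_DEMANDS = 0.975, 100   # SYS-REQ-004


@dataclass(frozen=True)
class Demand:
    """One surveillance demand (assumed record layout, not a plant format)."""
    demand_id: str
    valid: bool          # aborted or set-up demands are not counted at all
    start_time_s: float  # time to rated V and f; float('inf') = failed to start
    voltage_kv: float    # terminal voltage once at rated output
    freq_hz: float       # frequency once at rated output


def within(value: float, nominal: float, tol: float) -> bool:
    """True if value lies inside nominal +/- tol*nominal (inclusive)."""
    return abs(value - nominal) <= tol * nominal


def demand_successful(d: Demand) -> bool:
    """A demand passes only if it meets the start-time and output-quality bands."""
    return (d.start_time_s <= START_TIME_LIMIT_S
            and within(d.voltage_kv, V_NOMINAL_KV, V_TOL)
            and within(d.freq_hz, F_NOMINAL_HZ, F_TOL))


def start_reliability(demands):
    """Return (valid_count, successes, observed_reliability, meets_sys_req_004).
    The floor applies only once MIN_VALID_DEMANDS valid demands exist, so a
    good fraction over too few demands still fails the requirement."""
    valid = [d for d in demands if d.valid]
    successes = sum(demand_successful(d) for d in valid)
    observed = successes / len(valid) if valid else 0.0
    meets = len(valid) >= MIN_VALID_DEMANDS and observed >= RELIABILITY_TARGET
    return len(valid), successes, observed, meets


def constructed_records(n_valid: int = 100):
    """Constructed sample log (not plant data): n_valid valid demands with two
    failures, plus one aborted demand that must be excluded from the count."""
    recs = [Demand(f"D{i:03d}", True, 8.2, 6.62, 50.1) for i in range(n_valid)]
    recs[5] = Demand("D005", True, 11.4, 6.60, 50.0)   # SYS-REQ-001 breached
    recs[42] = Demand("D042", True, 7.9, 5.80, 50.0)   # below 5.94 kV band
    recs.append(Demand("D999", False, 6.0, 6.60, 50.0))  # aborted: not counted
    return recs


if __name__ == "__main__":
    count, ok, rel, meets = start_reliability(constructed_records())
    print(f"valid={count} successes={ok} reliability={rel:.3f} meets={meets}")
```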

| Source | Target | Type | Description |
|---|---|---|---|